[prev in list] [next in list] [prev in thread] [next in thread]
List: freebsd-arch
Subject: Re: setegid bug
From: Mike Meyer <mwm () mired ! org>
Date: 2007-06-07 21:35:39
Message-ID: 18024.31275.733694.236655 () bhuda ! mired ! org
[Download RAW message or body]
In <20070607213650.c02130bf.stas@FreeBSD.org>, Stanislav Sedov <stas@FreeBSD.org> typed:
> Recently several FreeBSD samba users reported a scary problem with
> samba (http://bugzilla.samba.org/?id=3990). Further research in
> cooperation with Timur Bakeyev (timur) showed, that we have a little
> problem with setegid implementation. In FreeBSD (and even in
> 4.4BSD-Lite2) egid of the process is merely groups[0], so calling
> seteuid function we simply override the first of supplementary groups.
> However, POSIX says that not rgid, not any of supplementary groups
> should bot be rewritten in setegid call.
>
> Probably, some of old-school committers remembered the initial
> intention of making egid equal to groups[0]? Probably, I have missed
> something?
The old school in this case is UC Berkeley. I found this behavior in
4.1BSD. Since it lets you violate ass-backwards group security
settings (wherein you create a group "undesirables", and have files
owned by that group with group bits 0 to keep them out) by removing
yourself from that group, I reported it as a security bug to
CSRG. Mike's response was that the security model was the bug, not
this problem.
I suspect it was done that way in the initial implementation, and
nobody has ever felt that it should be fixed.
<mike
--
Mike Meyer <mwm@mired.org> http://www.mired.org/consulting.html
Independent Network/Unix/Perforce consultant, email for more information.
_______________________________________________
freebsd-arch@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org"
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic