bug in signals and setuid in 4.2 bsd.
fred at nmtvax.UUCP
Sun Apr 29 02:37:47 AEST 1984
Index: /sys/sys/kern_prot.c 4.2 BSD Vax
Description:
There is a bug with signals and setuid in 4.2 bsd. This may have
existed in 4.1, but I am not sure since I don't have source readily
available at the moment. What happens is when a process first starts
up p_uid in the process structure is set to the effective uid. Then
if you do a setuid (or setreuid), it sets p_uid to your REAL user id.
If you then send a signal to yourself, the system searches for a process
with the same pid as yours and has a uid equal to your effective uid
to send the signal requested and fails.
Repeat-By:
The following is a small program to show the bug; run it on your machine.
It should be run by a normal (non-root) user and made set-uid to someone else.
The second kill will fail with "no such process".
#include <signal.h>
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>

void tsig(int);

int main(void)
{
	signal(SIGALRM, tsig);
	printf("uid: %d, euid: %d\n", (int)getuid(), (int)geteuid());
	/* First kill: p_uid still holds the effective uid, so this succeeds. */
	if (kill(0, SIGALRM) < 0)
		perror("kill");
	/* A no-op setreuid() still rewrites p_uid with the real uid. */
	setreuid(-1, -1);
	printf("uid: %d, euid: %d\n", (int)getuid(), (int)geteuid());
	/* Second kill: the lookup by effective uid now fails with ESRCH. */
	if (kill(0, SIGALRM) < 0)
		perror("kill");
	return 0;
}

void tsig(int sig)
{
	(void)sig;
	printf("Caught signal.\n");
}
Fix:
The fix is very simple. Just change setreuid() in /sys/sys/kern_prot.c
so that the p_uid is set to the effective uid rather than the real
user id. The following is a diff of what needs to be corrected.
*** kern_prot.c Fri Apr 27 19:34:16 1984
--- kern_prot.old Tue Feb 28 11:53:20 1984
***************
*** 133,139
qstart(getquota(ruid, 0, 0));
}
#endif
! u.u_procp->p_uid = euid;
u.u_ruid = ruid;
u.u_uid = euid;
}
--- 133,139 -----
qstart(getquota(ruid, 0, 0));
}
#endif
! u.u_procp->p_uid = ruid;
u.u_ruid = ruid;
u.u_uid = euid;
}
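Review bot: the diff direction is reversed from the usual old-then-new order: the `***` side is the patched kern_prot.c (Apr 27) and the `---` side is kern_prot.old (Feb 28), so the first `!` line, `u.u_procp->p_uid = euid;`, is the corrected line and the second, `u.u_procp->p_uid = ruid;`, is the one being replaced. Either say so explicitly in the Fix text or regenerate the diff with the old file first, otherwise anyone applying it mechanically will reintroduce the bug. The hunk context also does not show the function name, so the Fix text's reference to setreuid() is the only thing tying these lines to that routine.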
--
Fred Romelfanger
Computer Science Department
New Mexico Tech
..!ucbvax!unmvax!nmtvax!fred (uucp)
..!cmcl2!lanl-a!nmtvax!fred (uucp)
fred.nmt at rand-relay (arpa)
fred at nmt (CSnet)