Getting around mkdir on setuid programs

utzoo!decvax!ucbvax!unix-wizards
Thu Oct 15 23:58:45 AEST 1981


From MathStat.jmrubin at Berkeley Thu Oct 15 20:40:40 1981
	This refers to a letter of Mark at Berkeley referring to the
fact that when a setuid program forks mkdir, mkdir checks the real
uid in figuring out permissions and ownership.

	One way to do it (and I am not sure this is all that good) is to
run the program setuid root, and then, instead of forking mkdir, simply
copy the appropriate part of the code for mkdir.  (mknod, et al.)
root can then chown and chmod the directories as appropriate.  If one
is paranoid, one can setuid to a more restrictive user as soon as it is
clear that a restricted system call won't be necessary.

	Alternatively, instead of running mkdir directly, you could fork
a setuid root program in a directory only accessible to the euid of the
original program which
	(1) setuid's to 0
	(2) forks mkdir
	(3) chowns the directories if necessary.  (if this last
step isn't necessary, another fork probably isn't necessary)

	One of Mark's suggestions was to permit setuid(geteuid())
in the kernel.  I don't think this would cause any a priori
security breaches, but it might require more care in programming.

					Joel Rubin
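
The first approach in the message (make the directory inside the privileged program, chown it, then switch to a more restrictive user), sketched in C as an added example that is not part of the original post. It assumes the mkdir(2) system call of later Unix systems in place of the copied mknod code; `make_owned_dir` and `drop_privileges` are hypothetical names.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* O_DIRECTORY, O_NOFOLLOW, fchown */
#endif
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: create `path` with the current (privileged) euid,
 * then hand it to uid/gid. Returns 0 on success, -1 on failure. */
int make_owned_dir(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    struct stat st;
    int fd, rc = -1;

    /* mkdir(2) does not follow a symlink at `path`; a pre-planted
     * file, link or directory makes it fail with EEXIST. */
    if (mkdir(path, 0700) != 0)
        return -1;
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* Work on the descriptor, and confirm it is the directory we just
     * made, so a path swapped after mkdir cannot redirect the chown. */
    if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode) &&
        st.st_uid == geteuid() &&
        fchown(fd, uid, gid) == 0 && fchmod(fd, mode) == 0)
        rc = 0;
    close(fd);
    return rc;
}

/* Hypothetical helper: give up the set-uid identity for good once no
 * restricted call is needed. Returns 0 only if the drop is irreversible. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), euid = geteuid();

    if (setgid(getgid()) != 0 || setuid(ruid) != 0)   /* group first */
        return -1;
    /* From a non-root set-uid program the saved uid survives setuid(),
     * so the old euid could come back; report that as a failure. */
    if (ruid != euid && (setuid(euid) == 0 || seteuid(euid) == 0))
        return -1;
    return (getuid() == ruid && geteuid() == ruid) ? 0 : -1;
}
```

A caller should exit immediately if either function returns non-zero rather than continue with an uncertain identity.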


