euidaccess() bug

From: Kemp, Stuart
Subject: euidaccess() bug
Date: Wed, 23 Jul 2003 14:04:12 -0500

System: RedHat Linux 9.0

Problem: In a suid-root program, the euidaccess() call can succeed
when it should fail.

Diagnosis: the euidaccess() call caches the "euid" that is in effect the
first time this call is made, and uses this same cached euid for all
subsequent calls. However, the euid may have been changed in the interim,
leading to incorrect results. The appended program illustrates this.

To see the problem, compile the program and make it setuid-root. Then, as
an ordinary user, create a file /tmp/foo.txt and chmod it to 700, and run
the suid-root program as the same ordinary user. The second euidaccess
call succeeds, but the open fails. The bug is that the second euidaccess
call should not succeed.

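/* === Sample Program === */
#define _GNU_SOURCE             /* needed for the euidaccess() declaration */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

int
main(int argc, char **argv)
{
    char *FileName;
    int fd, Ret;

    FileName = argc > 1 ? argv[1] : "/tmp/foo.txt";

    /* First check, made while the setuid-root euid is still in effect. */
    printf("uid=%lu euid=%lu\n", (unsigned long) getuid(), (unsigned long) geteuid());
    Ret = euidaccess(FileName, R_OK);
    printf("euidaccess: Ret = %d\n", Ret);

    /* Change the uid; the printf below shows the euid now in effect. */
    Ret = setuid(2);
    if (Ret) printf("setuid(2) failed\n");

    /* Second check, made after the euid has changed. */
    printf("uid=%lu euid=%lu\n", (unsigned long) getuid(), (unsigned long) geteuid());
    Ret = euidaccess(FileName, R_OK);
    printf("euidaccess: Ret = %d\n", Ret);

    /* The open() is checked by the kernel against the current euid. */
    fd = open(FileName, O_RDONLY);
    printf("open: fd=%d\n", fd);
    return(0);
}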
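
A model of the caching behaviour diagnosed in the message above, added here as an example; it is not part of the original message and is not glibc's code. It replays the report's sequence (check as euid 0, change to uid 2, check again) against simulated state so it runs without root. The names sim_euid, sim_file, check_cached and check_fresh are hypothetical, and the file owner uid 1000 is a constructed value.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed stand-ins: a simulated process euid and one file's metadata. */
static uid_t sim_euid;
struct sim_file { uid_t owner; mode_t mode; };

/* Owner/other read check; uid 0 bypasses the mode bits. Groups are omitted. */
static bool may_read(uid_t euid, const struct sim_file *f)
{
    if (euid == 0)
        return true;
    return (f->mode & (euid == f->owner ? 0400 : 0004)) != 0;
}

/* Flawed model: the euid is captured on the first call and reused afterwards. */
static bool have_id;
static uid_t cached_euid;

int check_cached(const struct sim_file *f)
{
    if (!have_id) {
        cached_euid = sim_euid;
        have_id = true;
    }
    return may_read(cached_euid, f) ? 0 : -1;
}

/* Corrected model: the effective uid is read on every call. */
int check_fresh(const struct sim_file *f)
{
    return may_read(sim_euid, f) ? 0 : -1;
}

/* Replays the report: check as euid 0, change to uid 2, return the 2nd check. */
int second_check_after_drop(int (*check)(const struct sim_file *))
{
    struct sim_file foo = { .owner = 1000, .mode = 0700 };  /* constructed */
    have_id = false;
    sim_euid = 0;            /* setuid-root program at startup */
    (void)check(&foo);
    sim_euid = 2;            /* models the effect of setuid(2) */
    return check(&foo);
}

int main(void)
{
    printf("cached: %d\n", second_check_after_drop(check_cached));
    printf("fresh:  %d\n", second_check_after_drop(check_fresh));
    return 0;
}
```
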