bug-glibc

euidaccess() bug


From: Kemp, Stuart
Subject: euidaccess() bug
Date: Wed, 23 Jul 2003 14:04:12 -0500

System: RedHat Linux 9.0

Problem: In a suid-root program, the euidaccess() call can succeed
         when it should fail.

Diagnosis: the euidaccess() call caches the "euid" that is in effect the
first time this call is made, and uses this same cached euid for all
subsequent calls. However, the euid may have been changed in the interim,
leading to incorrect results. The appended program illustrates this.

To see the problem, compile the program and make it setuid-root. Then, as
an ordinary user, create a file /tmp/foo.txt and chmod it to 700, and run
the suid-root program as the same ordinary user. The second euidaccess
call succeeds, but the open fails. The bug is that the second euidaccess
call should not succeed.


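/* === Sample Program === */
#define _GNU_SOURCE   /* euidaccess() is a GNU extension declared in <unistd.h> */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

int
main(int argc, char **argv)
{
  char *FileName;
  int fd, Ret;

  FileName = argc > 1 ? argv[1] : "/tmp/foo.txt";

  /* Started setuid-root: uid is the invoking user, euid is 0. */
  printf("uid=%lu euid=%lu\n",
         (unsigned long) getuid(), (unsigned long) geteuid());

  /* First call, made while the euid is still root. */
  Ret = euidaccess(FileName, R_OK);
  printf("euidaccess: Ret = %d\n", Ret);

  /* With euid 0, setuid() changes the real, effective and saved uids. */
  Ret = setuid(2);
  if (Ret) printf("setuid(2) failed\n");
  printf("uid=%lu euid=%lu\n",
         (unsigned long) getuid(), (unsigned long) geteuid());

  /* Second call, made as uid 2: this is the call that should fail. */
  Ret = euidaccess(FileName, R_OK);
  printf("euidaccess: Ret = %d\n", Ret);

  /* The kernel checks the open against the current euid. */
  fd = open(FileName, O_RDONLY);
  printf("open: fd=%d\n", fd);

  return(0);
}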
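
Added example, not part of the original report: a regression check that compares the verdict of euidaccess() with a real open() after the uid has been changed, which is the disagreement the report describes. The function names and the temporary file are constructed for this example; uid 2 is taken from the report, and the uid change only happens when the check is started as root.

```c
#define _GNU_SOURCE               /* for euidaccess() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if euidaccess(R_OK) and a real open(O_RDONLY) give the same verdict. */
int access_agrees_with_open(const char *path)
{
  int predicted = (euidaccess(path, R_OK) == 0);
  int fd = open(path, O_RDONLY);
  if (fd >= 0) close(fd);
  return predicted == (fd >= 0);
}

/* Fork; in the child call euidaccess() once, so an implementation that
   caches the euid records the starting one, change uid if running as
   root, then compare again. Returns 1 (agree), 0 (disagree), -1 (error). */
int agrees_after_uid_change(const char *path, uid_t drop_to)
{
  int status;
  pid_t pid = fork();
  if (pid < 0) return -1;
  if (pid == 0) {
    (void) euidaccess(path, R_OK);              /* prime any cached euid */
    if (geteuid() == 0 && setuid(drop_to) != 0) _exit(2);
    _exit(access_agrees_with_open(path) ? 0 : 1);
  }
  if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
  if (WEXITSTATUS(status) > 1) return -1;       /* could not change uid */
  return WEXITSTATUS(status) == 0;
}

int main(void)
{
  char path[] = "/tmp/euidaccess-check-XXXXXX"; /* constructed sample file */
  int fd = mkstemp(path);                       /* created with mode 0600 */
  if (fd < 0) { perror("mkstemp"); return 1; }
  close(fd);
  int before = access_agrees_with_open(path);
  int after = agrees_after_uid_change(path, 2); /* uid 2 as in the report */
  printf("before=%d after=%d\n", before, after);
  unlink(path);
  return !(before == 1 && after == 1);
}
```

Started as an ordinary user, the check compares the two calls without a uid change; the stale-euid case is only exercised when it is started as root.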




