Hi,
Several set*id() family function return values are not checked in pop3d and comsatd code:
pop3d/user.c:
 21 int
 22 pop3d_begin_session ()
 23 {
[...]
 39
 40   if (auth_data->change_uid)
 41     setuid (auth_data->uid);

pop3d/popauth.c:
469 int
470 action_create (void)
471 {
[...]
479
480   /* Make sure we have proper privileges if popauth is setuid */
481   setuid (getuid ());

comsat/comsat.c:
526 int
527 change_user (const char *user)
528 {
529   struct passwd *pw;
530
531   pw = getpwnam (user);
532   if (!pw)
533     {
534       mu_diag_output (MU_DIAG_CRIT, _("no such user: %s"), user);
535       return 1;
536     }
537
538   setgid (pw->pw_gid);
539   setuid (pw->pw_uid);
540   chdir (pw->pw_dir);
541   username = user;
542   return 0;
543 }
There are cases where set*id() functions can fail.
man 2 setuid():
RETURN VALUE
On success, zero is returned. On error, -1 is returned, and errno is set to indicate the error.
Note: there are cases where setuid() can fail even when the caller is UID 0; it is a grave security error to omit checking for a failure return from setuid().
The above code could be abused in different ways to trigger such failures, potentially remotely in the case of pop3d and comsatd. That could lead to either privilege escalations or user impersonation depending on the occurrence.
I believe the attached patch mitigates the issue, let me know if that suits you.
Regards,
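For readers of the report, here is a checked privilege-drop routine in the shape of comsatd's change_user, written as an added example (it is not the attached patch nor Mailutils code); the names drop_privileges and change_user_checked are hypothetical, and the mu_diag_output call is replaced by plain stderr output so it compiles stand-alone.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid, checking every step and verifying the outcome.
   Returns 0 on success, -1 on failure with errno set. Order matters:
   supplementary groups and gid first, uid last, because after the uid
   is dropped the process may no longer be allowed to change groups. */
int drop_privileges (uid_t uid, gid_t gid)
{
  if (geteuid () == 0 && setgroups (0, NULL) != 0)
    return -1;
  if (setgid (gid) != 0)
    return -1;
  if (setuid (uid) != 0)
    return -1;
  /* Re-read the credentials: a partially applied drop is a failure too. */
  if (getuid () != uid || geteuid () != uid
      || getgid () != gid || getegid () != gid)
    {
      errno = EPERM;
      return -1;
    }
  return 0;
}

/* Checked counterpart of comsatd's change_user: refuses to continue if
   the credential change or the chdir did not happen. */
int change_user_checked (const char *user)
{
  struct passwd *pw = getpwnam (user);
  if (!pw)
    {
      fprintf (stderr, "no such user: %s\n", user);
      return 1;
    }
  if (drop_privileges (pw->pw_uid, pw->pw_gid) != 0)
    {
      fprintf (stderr, "cannot switch to %s: %s\n", user, strerror (errno));
      return 1;
    }
  if (chdir (pw->pw_dir) != 0)
    {
      fprintf (stderr, "cannot chdir to %s: %s\n", pw->pw_dir, strerror (errno));
      return 1;
    }
  return 0;
}
```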