On Tuesday, July 2, 2002, at 11:02 AM, James Kehl wrote:
> Can I please beg you to make gdomap run as a user other than root by
> default!?

Yes ... but I won't. It has to run as root to bind to the (privileged) gdomap port registered with IANA.

> I am using gnustep-base-1.3.3 compiled from source; running on RedHat
> Linux 7.3. Everything is default apart from using flattened paths in
> gnustep-make.
>
> Today's problem:
> --
> [shykta@mixmaster shykta]$ id -a
> uid=500(shykta) gid=100(users) groups=100(users),3(sys),20(games)
> [shykta@mixmaster shykta]$ la /etc/passwd
> -rw-r--r-- 1 root root 1592 Jul 2 19:15 /etc/passwd
> [shykta@mixmaster shykta]$ tail -n 1 /etc/passwd
> demouser:x:505:505::/home/demouser:/bin/bash
> [shykta@mixmaster shykta]$ /usr/GNUstep/System/Tools/gdomap -I
> /etc/passwd
> [shykta@mixmaster shykta]$ tail -n 1 /etc/passwd
> 28812
> --
>
> That's a very, very bad thing to happen.

Yes ... potentially destructive. I fixed it in CVS by moving the code which writes the pid to file, so that it executes after gdomap setuids away from root ... I don't know why it was before that point ... a big oversight.

> I'm sure there's even a creative way for an unprivileged user to get
> root access using this bug.

I doubt it - the only way I can think of is if writing the pid to a file owned by another root process caused that process to do something it shouldn't. I'd probably consider that a bug in the other program.

> I don't want to sound unfriendly (I like GNUstep) but I'm going to wait
> 7 days for a response to this email, and if I haven't heard from you by
> then, I'll be thinking about how to disclose this.
> ( a' la RFPolicy - http://www.wiretrip.net/rfp/policy.html )

Well, by mailing to a public mailing list which is mirrored to a usenet newsgroup, you've already done that!

I recommend anyone running GNUstep on a system where there are local users able to access the gdomap executable to upgrade gdomap from CVS immediately.
_______________________________________________
Bug-gnustep mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/bug-gnustep
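
The ordering fix described in the reply above, sketched as an added example that is not part of the original message and is not gdomap's own code: root is dropped before the pid file is created, and the file is opened so that an existing file or a symlink is refused. The function names and the uid/gid 65534 are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up root. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;                         /* not root: nothing to drop */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;       /* root must not be regainable */
}

/* Create a new pid file; never truncate an existing file or follow a symlink. */
int write_pidfile(const char *path, pid_t pid)
{
    char buf[32];
    int len = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, buf, (size_t)len);
    return (close(fd) == 0 && n == len) ? 0 : -1;
}

/* Read a pid back; returns -1 if the file does not hold a number. */
long read_pidfile(const char *path)
{
    long pid = -1;
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    if (fscanf(f, "%ld", &pid) != 1)
        pid = -1;
    fclose(f);
    return pid;
}

int main(int argc, char **argv)
{
    /* A real daemon would bind its privileged port here, while still root. */
    if (argc != 2 || drop_privileges(65534, 65534) != 0) /* 65534: assumed "nobody" */
        return 1;
    return write_pidfile(argv[1], getpid()) == 0 ? 0 : 1;
}
```

With this ordering the open() runs with the invoking user's rights, so a path such as the /etc/passwd in the report fails on permissions, and the O_EXCL flag refuses it as an existing file in any case.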
