On Tue, 10 Aug 2010, Przemyslaw Frasunek wrote: > This seems to be incorrect for both ftpd and sshd on 6.4-RELEASE. > > 41673 sshd CALL setuid(0xbb8) > 41673 sshd RET setuid 0 > 41673 sshd CALL seteuid(0xbb8) > 41673 sshd RET seteuid 0 > 41673 sshd NAMI "/home/venglin/.login_conf" > 41673 sshd NAMI "/home/venglin/.login_conf.db" > 41673 sshd NAMI "/home/venglin/.login_conf.db"
The above actually seems correct to me. Both uid and euid are set before accessing the capabilities. On 8.1-RELEASE this is different, only euid is set to the user (to make it possible to access this file if the home directory happens to be NFS mounted without root access?). > 41513 ftpd CALL seteuid(0xbb8) > 41513 ftpd RET seteuid 0 > 41513 ftpd NAMI "/home/venglin/.login_conf" > 41513 ftpd NAMI "/home/venglin/.login_conf.db" > 41513 ftpd NAMI "/home/venglin/.login_conf.db" This is clearly wrong, it is still possible to change euid back to 0. It is still possible to setrlimit() anything. > Back in 2001 I found a very similar vulnerability in 4.4-RELEASE, which > allowed > to read any file in system with root privileges: > > http://marc.info/?l=bugtraq&m=100101802423376&w=2 Hehe... I was about to try out this one next. -- Janne Snabb / EPIPE Communications [email protected] - http://epipe.com/ _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"
