I'm seeing a bug in ksh93 when run with rgid != egid (and ruid==0), where rgid is being set inappropriately and changing as a side effect of a simple test of file mode.
The result is that issetugid() returns 0 when it should not, which causes resolution of $ORIGIN in RPATH to succeed, which is a security violation (see ld.so.1(1)), until a file mode is tested, at which point rgid reverts to its correct value, issetugid() starts correctly returning 1, and $ORIGIN stops being resolved.

I've attached a simple ksh script to demonstrate the basic problem (Test.ksh), as well as a 1-line C application to report issetugid() (tstissetugid.c), and the script output (test.out). The script can be executed (as root) as follows:

    # perl -e ' $( = 10; $) = "50 10"; ($(, $)) = (10, 50) ; ; system "pcred", $$; system "ksh93", "-p", "/tmp/Test.ksh"'

In the test.out file, you can see that simply executing "[ -r /etc/shadow ]" causes rgid to change its value.

Strangely, if you create a shell script that simply says "exec /tmp/Test.ksh" and execute *it*, the problem is not seen.

I've reproduced this on OpenSolaris using build 109 (as well as 101b_rc2). Before filing a bug I thought I'd run this by the list to see if anyone has anything to add/contribute.

Casper Dik has the following to contribute:

> Ah, so what happens is that ksh93 calls setgid(50); unfortunately, when
> you're root, setgid doesn't just change the real gid; it changes all the gids
> (strange, but true).
>
> Later, it does "setregid(50, 10); access("/etc/shadow"); setregid(10, 50)"
> and suddenly you have an rgid of 10:
> <snip>
> I think ksh93 shouldn't play with gid/uid. Or sh did that, our ksh didn't.
>
> If we want to change this in ksh93, then we need to change the call
> to setgid() to setregid().

-Bob

Attachments (scrubbed by the list archive):
  Test.ksh        http://mail.opensolaris.org/pipermail/ksh93-integration-discuss/attachments/20090324/014d9bbd/attachment.ksh
  tstissetugid.c  (text/x-csrc, 127 bytes)  http://mail.opensolaris.org/pipermail/ksh93-integration-discuss/attachments/20090324/014d9bbd/attachment.bin
  test.out        http://mail.opensolaris.org/pipermail/ksh93-integration-discuss/attachments/20090324/014d9bbd/attachment-0001.ksh
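The gid sequence Casper describes can be replayed without root by modelling the credential triple. The C program below is an added example, not code from the thread or from ksh93: it models setgid(2) under uid 0 (real, effective and saved gid all change) and setregid(2) (saved gid follows the new egid when the real gid changes or the new egid differs from the old real gid), replays ksh93's startup call and its "[ -r file ]" swap/unswap, and compares the current setgid(50) startup with the setregid() variant Casper suggests. Only the rgid != egid component of issetugid() is modelled, since that is the part the report shows flipping. The starting state (rgid 10, egid 50) is the one the perl wrapper sets up; the saved gid of 50 and the remembered startup ids (10, 50) that ksh93 passes to setregid() are assumptions. A live run with the real system calls is attempted only when the program runs as root.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* The three gids pcred(1) prints. */
typedef struct { gid_t r, e, s; } gids;

/* Model of setgid(2) as called by a process with uid 0: POSIX says that with
 * appropriate privileges the real, effective and saved gids are all set.
 * This is the "changes all the gids" behaviour from the thread. */
static void m_setgid_root(gids *c, gid_t g) { c->r = c->e = c->s = g; }

/* Model of setregid(2): (gid_t)-1 leaves a field unchanged; the saved gid is
 * set to the new egid when the real gid changes or the new egid differs from
 * the previous real gid (POSIX wording; assumed to match Solaris). */
static void m_setregid(gids *c, gid_t r, gid_t e) {
    gid_t old_r = c->r;
    if (r != (gid_t)-1) c->r = r;
    if (e != (gid_t)-1) c->e = e;
    if (r != (gid_t)-1 || (e != (gid_t)-1 && e != old_r)) c->s = c->e;
}

/* Only the rgid != egid part of issetugid() is modelled; ld.so.1 refuses to
 * expand $ORIGIN when issetugid() is nonzero. */
static int m_issetugid(const gids *c) { return c->r != c->e; }

/* Replay the thread's sequence. Start: rgid 10, egid 50 (saved gid assumed 50).
 * use_fix = 0: ksh93 startup calls setgid(50) (the reported behaviour)
 * use_fix = 1: startup calls setregid(-1, 50) instead (Casper's suggestion)
 * after_test selects the state after a "[ -r /etc/shadow ]" test. */
static gids replay(int use_fix, int after_test) {
    gids c = { 10, 50, 50 };            /* constructed starting state */
    if (use_fix) m_setregid(&c, (gid_t)-1, 50);
    else         m_setgid_root(&c, 50);
    if (after_test) {
        /* ksh93 swaps the ids it remembered at startup (assumed 10/50, not the
         * current ones) so that access(2), which checks real ids, sees the
         * effective gid; then swaps them back. That second call is what
         * puts rgid back to 10 in the reported case. */
        m_setregid(&c, 50, 10);
        /* access("/etc/shadow", R_OK) would run here */
        m_setregid(&c, 10, 50);
    }
    return c;
}

/* Accessors used by the checks below. */
static int replay_rgid(int use_fix, int after_test) { gids c = replay(use_fix, after_test); return (int)c.r; }
static int replay_egid(int use_fix, int after_test) { gids c = replay(use_fix, after_test); return (int)c.e; }
static int replay_issetugid(int use_fix, int after_test) { gids c = replay(use_fix, after_test); return m_issetugid(&c); }

static void show(const char *label, gids c) {
    printf("%-34s rgid=%d egid=%d sgid=%d issetugid=%d\n",
           label, (int)c.r, (int)c.e, (int)c.s, m_issetugid(&c));
}

/* Real system calls; meaningful only as uid 0 (EPERM otherwise). */
static void live(void) {
    if (geteuid() != 0 || setregid(10, 50) != 0) {
        puts("live run skipped (needs uid 0)");
        return;
    }
    if (setgid(50) == 0)
        printf("live after setgid(50):             rgid=%d egid=%d\n", (int)getgid(), (int)getegid());
    if (setregid(50, 10) == 0 && setregid(10, 50) == 0)
        printf("live after swap/unswap:            rgid=%d egid=%d\n", (int)getgid(), (int)getegid());
}

int main(void) {
    show("setgid(50) startup",            replay(0, 0));
    show("setgid(50) startup, after test", replay(0, 1));
    show("setregid(-1,50) startup",        replay(1, 0));
    show("setregid(-1,50), after test",    replay(1, 1));
    live();
    return 0;
}
```

The model reproduces the report: with the setgid(50) startup, rgid and egid are both 50 until the first file test, so issetugid() is 0 and $ORIGIN would expand; with setregid() at startup, rgid stays 10 throughout.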