Aucbvax.4319 fa.unix-wizards utzoo!decvax!ucbvax!unix-wizards Wed Oct 7 18:39:52 1981 double setuid programs >From cbosgd!mark@Berkeley Wed Oct 7 18:35:34 1981 I've run up against a problem with programs running suid - suppose they want to invoke another suid program, such as mkdir. mkdir will apply the REAL uid permissions instead of the effective uid, which is destroyed by the suid bit. Netnews is running up against this problem, since it runs suid a non-root user ("newsuser"), and sometimes needs to do mkdirs of subdirectories under one fixed parent directory: /usr/spool/news. Here are the solutions I have to this problem, none of which is wonderful. I would appreciate feedback from anyone who has a better solution. (1) The parent directory in which the mkdirs are done is mode 777. This works, but the child directories get owned by the real uid, and there are a number of paranoid systems around that won't permit any 777 directories ("If there's a 777 dir around, somebody might, God forbid, \put/ something there!") (2) The parent must be owned by newsuser, and is normally 755. The program doing the mkdir first chmods it to 777, then calls mkdir, then chmods it back. This leaves a window during which somebody could make a file, if they were fast, and they can invoke netnews in such a way as to force it to do the mkdir. (But it leaves the dir there, there is no way to get rid of it.) (3) A change to the kernel: suid bits are "stacked", that is, when an suid file is exec'ed, before setting euid to owner(file), it sets ruid to euid. This loses all traces of the original real uid, but might be a better way to convey permissions. (4) A different change to the kernel: allow setuid(geteuid()), which is currently forbidden. I have always thought this should be allowed anyway. Does anyone know of any security holes this would open up? Mark Horton mark@berkeley ----------------------------------------------------------------- gopher://quux.org/ conversion by John Goerzen of http://communication.ucsd.edu/A-News/ This Usenet Oldnews Archive article may be copied and distributed freely, provided: 1. There is no money collected for the text(s) of the articles. 2. The following notice remains appended to each copy: The Usenet Oldnews Archive: Compilation Copyright (C) 1981, 1996 Bruce Jones, Henry Spencer, David Wiseman.