Re: Core file anomalies under BSDi 3.0

Stacey Son (sson@ISERVER.COM)
Fri, 20 Jun 1997 17:17:25 -0600

[Stuff Deleted]

> A.) BSDi doesn't give a damn that the euid!=ruid, so finding a setgid
> program with priviliges isn't neccesary.

It seems BSDI broke this in 3.0. BSD/OS 2.1 does not have this
problem as far as I can tell. Below is a quick workaround until BSDI
comes out with something. Apply the patch to kern/kern_sig.c. A real
fix would require setting the P_SUGID flag in the exec handler in
kern_exec.c.

> B.) BSDi _does_ however, check if the file exists, so it's quite
> impossible to overwrite files.

Not exactly. Try "ln -s /etc/master.passwd /tmp/lpr.core", for
example. :-0 It seems if the permissions are 0600 on the file you link
to it will overwrite the file.

Regards,

stacey@iserver.com

---snip--snip------------------------------------------------------------
*** kern_sig.c.orig Tue Oct 15 12:23:05 1996
--- kern_sig.c Fri Jun 20 16:26:08 1997
***************
*** 1198,1206 ****
* Don't dump if not root and the process has used set user or
* group privileges.
*/
! if (p->p_flag & P_SUGID &&
! (error = suser(p->p_ucred, &p->p_acflag)) != 0)
! return (error);

/* Don't dump if will exceed file size limit. */
if (ctob(UPAGES + vm->vm_dsize + vm->vm_ssize) >=
--- 1198,1208 ----
* Don't dump if not root and the process has used set user or
* group privileges.
*/
! if ((p->p_flag & P_SUGID || p->p_cred->p_ruid != p->p_ucred->cr_uid) &&
! /*(error = suser(p->p_ucred, &p->p_acflag)) != 0)
! return (error);*/
! p->p_cred->p_ruid)
! return EPERM;

/* Don't dump if will exceed file size limit. */
if (ctob(UPAGES + vm->vm_dsize + vm->vm_ssize) >=