cfsd uses the seteuid call to change to the user's id and doesn't have to
care about permissions any more. After the user's request has been handled
it changes back to root. But while processing the user's request euid = user's
id, and the user is able to kill cfsd or do whatever he wants with the
process, for example mmap /proc/<cfsdpid>/mem into memory and change the
code. cfsd seteuid's itself to root again after the file access and
wonders why it should execute "echo * * > /root/.rhosts" *g*.
I currently figured out a solution for Linux only: the
setfs{uid,gid} call. The man page describes exactly this security problem:
---
An explicit call to setfsuid is usually only used by programs such as the Linux NFS server that need to change what user ID is used for file access without a corresponding change in the real and effective user IDs. A change in the normal user IDs for a program such as the NFS server is a security hole that can expose it to unwanted signals from other user IDs.
---

--- cfs_orig.h Sat Feb 21 01:00:51 1998
+++ cfs.h Sat Feb 21 01:02:47 1998
@@ -200,6 +200,10 @@
 #define become(x) ((x)==NULL?(setuidx(ID_EFFECTIVE | ID_REAL,0)||setgidx(ID_EFFECTIVE|ID_REAL,0)) :\
 (setgidx(ID_EFFECTIVE|ID_REAL,rgid(x)) || setuidx(ID_EFFECTIVE|ID_REAL, ruid(x))))
 #else
+#ifdef linux
+#define become(x) ((x)==NULL?(seteuid(0)||setegid(0)) :\
+ (setfsgid(rgid(x)) || setfsuid(ruid(x))))
+#else
 #define become(x) ((x)==NULL?(seteuid(0)||setegid(0)) :\
 (setegid(rgid(x)) || seteuid(ruid(x))))
 #endif
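Review bot: the added "#ifdef linux" / "#else" pair has no matching "#endif" in this hunk. The only "#endif" shown is the pre-existing one that closes the outer conditional, so with the patch applied the nesting is unbalanced and cfs.h will not preprocess until a second "#endif" is added after the non-Linux become() definition that follows the "+#else" line. Two smaller points on the same lines: "(setfsgid(rgid(x)) || setfsuid(ruid(x)))" keeps the "||" chain from the seteuid version, where a nonzero return means failure, but setfsgid/setfsuid return the previous fs id on both success and failure, so this macro reports failure (and skips the setfsuid call) whenever the previous fsgid was nonzero and gives no indication when a switch was actually refused; and the hunk adds no "#include <sys/fsuid.h>" for the two new calls.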
This should fix the problem for Linux.. I haven't tested nor compiled it, because I'm really too tired for this now ;)
bye, therapy
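Added example, not from the original post or from the CFS sources: a small Linux-only C program showing the setfsuid/setfsgid approach the post proposes. The filesystem ids are switched while the effective uid is left where it was, which is the property that keeps other uids from signalling or ptracing the daemon, and the success check is one that actually works for these calls: they return the previous id rather than an error flag, so a call with (uid_t)-1, which is always rejected, is used to read the current value back, as the setfsuid(2) man page suggests. The names become_fs, become_fs_patch_style, current_fsuid and current_fsgid are chosen here; become_fs_patch_style reproduces the patch's own "||" return-value test for contrast.

```c
/* Added example (not from the original post or from CFS): switching the
 * filesystem uid/gid with setfsuid(2)/setfsgid(2) so that file access is
 * permission-checked as the user while the effective uid stays unchanged,
 * which is what keeps other uids from signalling or ptracing the daemon.
 * Linux only.
 *
 * setfsuid()/setfsgid() return the PREVIOUS id on both success and failure,
 * so the return value is not an error flag the way seteuid()'s is.  The
 * success check below follows the setfsuid(2) man page: a call with
 * (uid_t)-1 is always rejected and therefore returns the current fsuid.
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/fsuid.h>
#include <sys/types.h>
#include <unistd.h>

/* Read the current filesystem ids back: an invalid id is never accepted,
 * so these calls change nothing and return the value in force. */
static uid_t current_fsuid(void) { return (uid_t)setfsuid((uid_t)-1); }
static gid_t current_fsgid(void) { return (gid_t)setfsgid((gid_t)-1); }

/* Switch file access to (uid, gid) without touching the real, effective or
 * saved ids.  Returns 0 on success and -1 if the caller is not allowed to
 * take one of the ids (non-root callers may only use their own); on failure
 * both ids are put back so no half-switched state is left behind. */
static int become_fs(uid_t uid, gid_t gid)
{
    uid_t old_uid = current_fsuid();
    gid_t old_gid = current_fsgid();

    setfsgid(gid);   /* group first, keeping the order of the become() macro */
    setfsuid(uid);
    if (current_fsuid() != uid || current_fsgid() != gid) {
        setfsuid(old_uid);
        setfsgid(old_gid);
        return -1;
    }
    return 0;
}

/* The patch's own success test, for contrast.  Treating a nonzero return as
 * failure is right for setegid()/seteuid(), but these calls return the
 * previous fs id, so this reports "failure" whenever the previous fsgid was
 * nonzero, whether or not the switch happened, and then never calls
 * setfsuid() at all. */
static int become_fs_patch_style(uid_t uid, gid_t gid)
{
    return setfsgid(gid) || setfsuid(uid);
}

int main(void)
{
    uid_t me = getuid();
    gid_t mygrp = getgid();

    printf("before: euid=%u fsuid=%u fsgid=%u\n",
           (unsigned)geteuid(), (unsigned)current_fsuid(), (unsigned)current_fsgid());

    /* A daemon running as root would pass the requesting user's ids here;
     * an unprivileged run can only switch to its own, which still shows
     * that the effective uid is left alone. */
    if (become_fs(me, mygrp) != 0)
        fprintf(stderr, "become_fs(%u, %u) refused\n", (unsigned)me, (unsigned)mygrp);

    printf("after:  euid=%u fsuid=%u fsgid=%u\n",
           (unsigned)geteuid(), (unsigned)current_fsuid(), (unsigned)current_fsgid());
    /* Any open(2) issued from here on is permission-checked against fsuid/fsgid. */

    printf("patch-style check after the same switch: %s\n",
           become_fs_patch_style(me, mygrp) ? "reports failure" : "reports success");
    return 0;
}
```

Run as root it can take any user's ids, which is the daemon's situation; run as an ordinary user it can only switch to its own ids, which is still enough to see that geteuid() does not move and that the patch-style check reports failure for a switch that succeeded, because the previous fsgid was nonzero.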