From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, PostgreSQL Development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: setuid(geteuid());? |
Date: | 2001-04-21 17:17:34 |
Message-ID: | Pine.LNX.4.30.0104211857560.758-100000@peter.localdomain |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Tom Lane writes:
> Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> writes:
> > so it seems to make sure the real/saved uid matches the effective uid.
> > Now, considering we don't use uid/euid distinction for anything, I agree
> > it is useless and should be removed.
>
> No, it is NOT useless and must NOT be removed. The point of this little
> machination is to be dead certain that we have given up root rights if
> executed as setuid postgres. The scenario we're concerned about is
> where real uid = root and effective uid = postgres.
If effective uid = postgres, then this will execute setuid(postgres),
which does nothing.
> We want real uid
> to become postgres as well --- otherwise our test to prevent execution
> as root is a waste of time, because nefarious code could become root
> again just by doing setuid. See the setuid man page: if real uid is
> root then setuid(root) will succeed.
That is a valid concern, but the code doesn't actually prevent this. I
just tried
chmod u+s postgres
su -
postmaster -D ...
Then loaded the function
#include <postgres.h>
int32 touch(int32 a) {
if (setuid(0) == -1)
elog(ERROR, "setuid: %m");
elog(DEBUG, "getuid = %d, geteuid = %d", getuid(), geteuid());
system("touch /tmp/foofile");
setuid(500); /* my own */
return a + 1;
}
and the output was
DEBUG: getuid = 0, geteuid = 0
and I got a file /tmp/foofile owned by root.
ISTM that the best way to prevent this exploit would be to check for both
geteuid() == 0 and getuid() == 0 in main.c.
--
Peter Eisentraut peter_e(at)gmx(dot)net http://funkturm.homeip.net/~peter
From | Date | Subject | |
---|---|---|---|
Next Message | Paul A Vixie | 2001-04-21 17:27:19 | well, now i wish we hadn't gutted the ipv6 support |
Previous Message | Bruce Momjian | 2001-04-21 17:10:33 | Re: setuid(geteuid());? |