Re: setegid bug

In <20070607213650.c02130bf.stas@xxxxxxxxxxx>, Stanislav Sedov <stas@xxxxxxxxxxx> typed:
Recently several FreeBSD samba users reported a scary problem with
samba (http://bugzilla.samba.org/?id=3990). Further research in
cooperation with Timur Bakeyev (timur) showed that we have a little
problem with the setegid implementation. In FreeBSD (and even in
4.4BSD-Lite2) the egid of the process is merely groups[0], so by calling
the setegid function we simply override the first of the supplementary
groups. However, POSIX says that neither the rgid nor any of the
supplementary groups should be rewritten by a setegid call.

Perhaps some of the old-school committers remember the initial
intention behind making egid equal to groups[0]? Or perhaps I have
missed something?

The old school in this case is UC Berkeley. I found this behavior in
4.1BSD. Since it lets you violate ass-backwards group security
settings (wherein you create a group "undesirables", and have files
owned by that group with group bits 0 to keep them out) by removing
yourself from that group, I reported it as a security bug to
CSRG. Mike's response was that the security model was the bug, not
this problem.

I suspect it was done that way in the initial implementation, and
nobody has ever felt that it should be fixed.

<mike
--
Mike Meyer <mwm@xxxxxxxxx> http://www.mired.org/consulting.html
Independent Network/Unix/Perforce consultant, email for more information.
_______________________________________________
freebsd-arch@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@xxxxxxxxxxx"
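The behaviour under discussion (setegid() writing into groups[0] and so silently dropping a real supplementary group) is easy to probe from userland. The program below is an added example, not code from this thread, from samba or from FreeBSD: it snapshots getgroups() before and after setegid(), reports whether the list changed, and, when run with privilege, replays the setgroups()-then-setegid() sequence the thread attributes to samba. The gids 1000, 1001 and 1002 used in that privileged branch are constructed and need not exist on the host.

```c
/* Added example: probe whether setegid() clobbers the supplementary
 * group list. Not from the mailing-list thread; the group ids used in
 * the privileged branch below are constructed for illustration. */
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

/* Snapshot of getgroups(): count plus the list itself. */
struct grouplist {
    int n;
    gid_t *g;
};

static int snapshot_groups(struct grouplist *out)
{
    int n = getgroups(0, NULL);          /* size query, per POSIX */
    if (n < 0) return -1;
    out->g = calloc((size_t)n + 1, sizeof(gid_t)); /* +1 so n==0 still allocates */
    if (!out->g) return -1;
    out->n = getgroups(n, out->g);
    if (out->n < 0) { free(out->g); out->g = NULL; return -1; }
    return 0;
}

/* Returns 1 if setegid(target) left getgroups() byte-identical (the POSIX
 * expectation), 0 if the list changed (the behaviour the thread reports
 * for FreeBSD), -1 if setegid() failed or a snapshot could not be taken. */
int setegid_preserves_groups(gid_t target)
{
    struct grouplist before, after;
    int same;

    if (snapshot_groups(&before) < 0) return -1;
    if (setegid(target) < 0 || getegid() != target) {
        free(before.g);
        return -1;
    }
    if (snapshot_groups(&after) < 0) { free(before.g); return -1; }

    same = before.n == after.n &&
           memcmp(before.g, after.g, (size_t)before.n * sizeof(gid_t)) == 0;
    free(before.g);
    free(after.g);
    return same;
}

static void print_groups(const char *tag)
{
    struct grouplist gl;
    if (snapshot_groups(&gl) < 0) { perror(tag); return; }
    printf("%s: egid=%u groups=", tag, (unsigned)getegid());
    for (int i = 0; i < gl.n; i++)
        printf("%s%u", i ? "," : "", (unsigned)gl.g[i]);
    printf("\n");
    free(gl.g);
}

int main(void)
{
    /* Unprivileged probe: setting egid to the real gid is always permitted. */
    print_groups("before");
    int r = setegid_preserves_groups(getgid());
    print_groups("after ");
    printf("setegid(getgid()) preserved group list: %s\n",
           r == 1 ? "yes" : r == 0 ? "NO (groups[0] clobbered?)" : "inconclusive");

    /* With privilege, replay the pattern the thread attributes to samba:
     * install a supplementary list, then change egid to a gid not in it. */
    if (geteuid() == 0) {
        gid_t list[] = { 1000, 1001 };          /* constructed gids */
        if (setgroups(2, list) == 0) {
            r = setegid_preserves_groups(1002);  /* constructed gid */
            print_groups("root  ");
            printf("setgroups()+setegid() preserved list: %s\n",
                   r == 1 ? "yes" : r == 0 ? "NO (groups[0] clobbered?)" : "inconclusive");
        }
    }
    return 0;
}
```

On a system where setegid() does not touch the supplementary list the two snapshots match and the probe prints "yes"; on a kernel that implements egid as groups[0] the privileged branch shows 1000 replaced by 1002, which is exactly the lost group membership the samba report describes.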