uidswap
Chimento, Douglas
Douglas.Chimento at FMR.COM
Sat May 18 00:26:57 EST 2002
Thanks Markus.
Please excuse my ignorance, I am not much of a UNIX programmer, but I
believe I see a potential issue.
Suppose ssh is NOT installed setuid root. If you take a look at the function
permanently_set_uid() in uidswap.c (line 146 in 3.1p1), I believe these
lines below can fail unexpectedly:
	if (setgid(pw->pw_gid) < 0)
		fatal("setgid %u: %.100s", (u_int) pw->pw_gid,
		    strerror(errno));
Here's why. Suppose you "switch" primary group id with the newgrp command.
(For instance:
[doug at host ~]$ id
uid=1065(doug) gid=100(staff)
[doug at host ~]$ newgrp test
[doug at host ~]$ id
uid=1065(doug) gid=1001(test)
[doug at host ~]$
)
Now clearly pw->pw_gid != getgid() and so setgid(pw->pw_gid) will always
fail because the user is no longer a part of the pw->pw_gid group. (I hope
that made sense.)
I think the solution would be to do what is done in the restore_uid()
function (line 108 in uidswap.c). That is, check to see if the user is
"privileged".
So we could have this in permanently_set_uid():
{
	if (temporarily_use_uid_effective)
		fatal("restore_uid: temporarily_use_uid effective");
	if (!privileged)
		return;
	if (setgid(pw->pw_gid) < 0)
		fatal("setgid %u: %.100s", (u_int) pw->pw_gid,
		    strerror(errno));
	if (setuid(pw->pw_uid) < 0)
		fatal("setuid %u: %.100s", (u_int) pw->pw_uid,
		    strerror(errno));
}
instead of....
{
	if (temporarily_use_uid_effective)
		fatal("restore_uid: temporarily_use_uid effective");
	if (setgid(pw->pw_gid) < 0)
		fatal("setgid %u: %.100s", (u_int) pw->pw_gid,
		    strerror(errno));
	if (setuid(pw->pw_uid) < 0)
		fatal("setuid %u: %.100s", (u_int) pw->pw_uid,
		    strerror(errno));
}
What are your thoughts?
Thanks for your time.
-----Original Message-----
From: Markus Friedl [mailto:markus at openbsd.org]
Sent: Thursday, May 16, 2002 7:18 PM
To: Chimento, Douglas
Cc: openssh-unix-dev at mindrot.org
Subject: Re: uidswap
On Thu, May 16, 2002 at 04:32:11PM -0400, Chimento, Douglas wrote:
> What are the consequences if you do not install ssh setuid
> root? (As far as I know no uid swapping occurs)
hostbased authentication won't work.
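An added illustration of the permanently_set_uid() failure mode discussed above (editor's example, not OpenSSH code): it encodes the setgid() permission rule that makes the post-newgrp call fail, skips the group change when it cannot succeed instead of dying, and verifies the final identity rather than trusting the syscalls. The function names setgid_would_succeed and drop_to are assumptions of this example; the saved set-gid is ignored for portability.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Rule behind the failure above: a privileged process may setgid() to any
 * group, an unprivileged one only to a gid it already holds (real or
 * effective here; the saved gid is ignored to stay portable).  After
 * newgrp, pw->pw_gid is held by neither, so setgid(pw->pw_gid) gets EPERM. */
int setgid_would_succeed(int privileged, gid_t rgid, gid_t egid, gid_t target)
{
	if (privileged)
		return 1;
	return target == rgid || target == egid;
}

/* Permanently become uid/gid; 0 on success, -1 with errno set otherwise.
 * An unprivileged process that cannot reach gid keeps its current group
 * (what the proposed patch does implicitly); a privileged one must also
 * be unable to regain uid 0 afterwards. */
int drop_to(uid_t uid, gid_t gid)
{
	int was_privileged = (geteuid() == 0);
	if (setgid_would_succeed(was_privileged, getgid(), getegid(), gid) &&
	    setgid(gid) < 0)
		return -1;
	if (setuid(uid) < 0)
		return -1;
	/* Never trust a privilege drop you have not checked. */
	if (getuid() != uid || geteuid() != uid) {
		errno = EPERM;
		return -1;
	}
	if (was_privileged && uid != 0 && setuid(0) == 0) {
		errno = EPERM;	/* root was regainable: not a permanent drop */
		return -1;
	}
	return 0;
}

int main(void)
{
	struct passwd *pw = getpwuid(getuid());	/* sshd's pw for this user */
	if (pw == NULL)
		return 1;
	if (pw->pw_gid != getgid())
		printf("passwd gid %u != current gid %u (newgrp?)\n",
		    (unsigned) pw->pw_gid, (unsigned) getgid());
	return drop_to(pw->pw_uid, pw->pw_gid) < 0 ? 1 : 0;
}
```

Run it once normally and once after `newgrp`: the passwd gid mismatch is reported, yet drop_to() still completes, whereas the original setgid(pw->pw_gid) would have been fatal.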