Chris Palmer
2009-Jan-09 06:37 UTC
Incorrect (?) documentation for setreuid(2) could lead to security issues for user code
According to section 6.4.1 of "Setuid Demystified": http://www.cs.ucdavis.edu/~hchen/paper/usenix02.html FreeBSD 4.4's setreuid(2) man page is wrong. The man page for FBSD 7 says the same thing. Is it still wrong, or was the implementation changed to match the documentation? This person noticed the same problem for OBSD: http://www.nabble.com/setreuid()-documentation-is-confusing-and-wrong-td7953251.html
Jilles Tjoelker
2009-Jan-17 14:36 UTC
Incorrect (?) documentation for setreuid(2) could lead to security issues for user code
On Thu, Jan 08, 2009 at 10:20:26PM -0800, Chris Palmer wrote:
> According to section 6.4.1 of "Setuid Demystified":
> http://www.cs.ucdavis.edu/~hchen/paper/usenix02.html
> FreeBSD 4.4's setreuid(2) man page is wrong. The man page for FBSD 7 says
> the same thing. Is it still wrong, or was the implementation changed to
> match the documentation?
> This person noticed the same problem for OBSD:
> http://www.nabble.com/setreuid()-documentation-is-confusing-and-wrong-td7953251.html

Yes, it is still wrong. From reading the source:

The conditions without root privs are: the ruid parameter must be -1, the old real uid or the old saved uid; the euid parameter must be -1, the old real uid, the old effective uid or the old saved uid. (The man page has this wrong.)

The effect on the saved uid is: if the ruid parameter is not -1 or the new effective uid differs from the new real uid, the saved uid is set to the new effective uid. (Note that this means that specifying the real uid for ruid is subtly different from specifying -1, and also that setreuid(-1,-1) is not a no-op.) (The man page describes this in a confusing manner.)

The main application for setreuid() nowadays probably is that setreuid(X,X) is a more portable way to drop all uid privileges. setuid(X) is particularly nasty because on SysV it may succeed without having dropped all privileges (hence, the recommendation in the man page seems inappropriate). setresuid(X,X,X) is nice because the setresuid() function is easy to understand and consistent in general, but unfortunately not as portable. Swapping real and effective UIDs to relinquish privileges temporarily is inferior to seteuid().

-- 
Jilles Tjoelker
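The rules Jilles gives above are easy to misread, so here they are written out as a small model of the uid triple (real, effective, saved), together with a privilege-drop helper that re-reads the ids instead of trusting the return value. This is an added example, not code from the thread or from FreeBSD: `model_setreuid`, `after` and `drop_uid_privs` are names chosen here, the treatment of "root privs" as effective uid 0 is an assumption the post does not state, and the starting triples in `main` are constructed scenarios. The model reproduces the two points the reply makes: with `{1000, 1000, 0}` (a setuid-root program that has temporarily dropped to uid 1000), `setreuid(-1, 1000)` leaves the saved uid at 0 while `setreuid(1000, 1000)` sets it to 1000, and on a triple whose saved uid differs from its effective uid, `setreuid(-1, -1)` rewrites the saved uid.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define NO_CHANGE ((uid_t)-1)   /* the -1 argument of setreuid(2) */

/* A process's uid triple: real, effective, saved. */
struct cred { uid_t ruid, euid, suid; };

/* Model of FreeBSD setreuid(2) as described in the reply above.
 * Returns 0 on success, -1 where the kernel would fail with EPERM.
 * Assumption (not in the post): "root privs" means effective uid 0. */
int model_setreuid(struct cred *c, uid_t ruid, uid_t euid)
{
    if (c->euid != 0) {
        /* ruid must be -1, the old real uid or the old saved uid */
        if (ruid != NO_CHANGE && ruid != c->ruid && ruid != c->suid)
            return -1;
        /* euid must be -1, the old real, old effective or old saved uid */
        if (euid != NO_CHANGE && euid != c->ruid && euid != c->euid &&
            euid != c->suid)
            return -1;
    }
    uid_t new_r = (ruid == NO_CHANGE) ? c->ruid : ruid;
    uid_t new_e = (euid == NO_CHANGE) ? c->euid : euid;
    /* The saved uid follows the new effective uid whenever ruid was
     * given explicitly or the new real and effective uids differ. */
    if (ruid != NO_CHANGE || new_e != new_r)
        c->suid = new_e;
    c->ruid = new_r;
    c->euid = new_e;
    return 0;
}

/* Functional wrapper: returns the triple after the call. On EPERM the
 * input triple is returned unchanged and *err (if non-NULL) is set to -1. */
struct cred after(struct cred c, uid_t ruid, uid_t euid, int *err)
{
    int rc = model_setreuid(&c, ruid, euid);
    if (err)
        *err = rc;
    return c;
}

/* Drop uid privileges on the running process with the portable
 * setreuid(X, X) idiom and confirm the result by re-reading the ids.
 * Returns 0 only when both real and effective uid are now 'target'. */
int drop_uid_privs(uid_t target)
{
    if (setreuid(target, target) != 0)
        return -1;
    if (getuid() != target || geteuid() != target)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed: setuid-root program run by uid 1000 after seteuid(1000). */
    struct cred tmp = {1000, 1000, 0};
    struct cred a = after(tmp, NO_CHANGE, 1000, NULL);
    struct cred b = after(tmp, 1000, 1000, NULL);
    printf("setreuid(-1,1000):   saved uid %u (root still recoverable)\n",
           (unsigned)a.suid);
    printf("setreuid(1000,1000): saved uid %u (privilege gone for good)\n",
           (unsigned)b.suid);

    /* Constructed triple on which setreuid(-1,-1) is not a no-op. */
    struct cred odd = {500, 0, 1000};
    struct cred c = after(odd, NO_CHANGE, NO_CHANGE, NULL);
    printf("setreuid(-1,-1) on {500,0,1000}: saved uid %u\n", (unsigned)c.suid);

    /* Unprivileged process cannot name a uid outside its triple. */
    struct cred plain = {1000, 1000, 1000};
    int err = 0;
    after(plain, 0, NO_CHANGE, &err);
    printf("unprivileged setreuid(0,-1): %s\n", err ? "EPERM" : "allowed");

    /* Dropping to our own uid always succeeds; the check still runs. */
    return drop_uid_privs(getuid()) == 0 ? 0 : 1;
}
```

`drop_uid_privs` uses only `getuid()`/`geteuid()` for the check because, as the reply notes, `getresuid()`/`setresuid()` are not as portable; on systems that have `getresuid()` it is worth also confirming the saved uid.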