openssh bugs - Apr 2006 - [Bug 1182] uid 0, gid !=0 fools defensive check in uidswap.c

http://bugzilla.mindrot.org/show_bug.cgi?id=1182

           Summary: uid 0, gid !=0 fools defensive check in uidswap.c
           Product: Portable OpenSSH
           Version: 3.7.1p1
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: minor
          Priority: P4
         Component: ssh
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: csmith at stoneboro.uucp.cirr.com


I no longer have a test setup to check if this is still broken -- sorry -- but
I thought you'd like to know about it anyway.

If your uid is 0, the code in permanently_set_uid() to check if its setresgid
worked properly is fooled.

see bugs.gentoo.org #77915 comments 5, 6, 7.

Thanks for openssh.




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=1182


dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




------- Comment #1 from dtucker at zip.com.au  2006-04-17 22:59 -------
Thanks, but this was fixed in 4.0p1, which had this change (uidswap.c rev
1.45):

-       if (old_gid != pw->pw_gid &&
+       if (old_gid != pw->pw_gid && pw->pw_uid != 0 &&

Emulating your falure case ("su - root; newgrp foo") works ok.




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.