search for: user_groupslen

...y rather unlikely) use after free bug in function temporarily_use_uid(), file uidswap.c. --- a/uidswap.c +++ b/uidswap.c @@ -113,8 +113,9 @@ temporarily_use_uid(struct passwd *pw) } } /* Set the effective uid to the given (unprivileged) uid. */ - if (setgroups(user_groupslen, user_groups) < 0) - fatal("setgroups: %.100s", strerror(errno)); + if (user_groupslen > 0 && + (setgroups(user_groupslen, user_groups)) < 0) + fatal("setgroups: %.100s", strerror(errno)); Best regards, Albert

...tatic gid_t saved_egid = 0; +#endif + /* Saved effective uid. */ static int privileged = 0; static int temporarily_use_uid_effective = 0; -static uid_t saved_euid = 0; -static gid_t saved_egid; static gid_t saved_egroups[NGROUPS_MAX], user_groups[NGROUPS_MAX]; static int saved_egroupslen = -1, user_groupslen = -1; - + /* * Temporarily changes to the given uid. If the effective user * id is not root, this does nothing. This call cannot be nested. @@ -44,42 +48,57 @@ void temporarily_use_uid(struct passwd *pw) { - /* Save the current euid, and egroups. */ - saved_euid = geteuid(); - debug(&...

...ap.c 19 Feb 2004 23:50:38 -0000 @@ -38,7 +38,7 @@ /* Saved effective uid. */ static int privileged = 0; static int temporarily_use_uid_effective = 0; -static gid_t saved_egroups[NGROUPS_MAX], user_groups[NGROUPS_MAX]; +static gid_t *saved_egroups, *user_groups; static int saved_egroupslen = -1, user_groupslen = -1; /* @@ -68,17 +68,27 @@ privileged = 1; temporarily_use_uid_effective = 1; - saved_egroupslen = getgroups(NGROUPS_MAX, saved_egroups); + + saved_egroupslen = getgroups(0, NULL); if (saved_egroupslen < 0) fatal("getgroups: %.100s", strerror(errno)); + saved_egroups =...

...ed(HAVE_CYGWIN) && !defined(_UWIN) /* * Push the appropriate streams modules, as described in Solaris pts(7). * HP-UX pts(7) doesn't have ttcompat module. *** uidswap.c.orig Thu Dec 20 22:45:52 2001 --- uidswap.c Thu May 30 16:36:30 2002 *************** *** 80,86 **** if (user_groupslen < 0) fatal("getgroups: %.100s", strerror(errno)); } ! #ifndef HAVE_CYGWIN /* Set the effective uid to the given (unprivileged) uid. */ if (setgroups(user_groupslen, user_groups) < 0) fatal("setgroups: %.100s", strerror(errno)); --- 80,86 ---- if (user...

...e[NGROUPS_MAX + 1]; /* +1 for base/primary group */ ./groupaccess.c: gid_t groups_bygid[NGROUPS_MAX + 1]; ./uidswap.c:static gid_t saved_egroups[NGROUPS_MAX], user_groups[NGROUPS_MAX]; ./uidswap.c: saved_egroupslen = getgroups(NGROUPS_MAX, saved_egroups); ./uidswap.c: user_groupslen = getgroups(NGROUPS_MAX, user_groups); POSIX defined sysconf in order to avoid this. By using sysconf(_SC_NGROUPS_MAX) this value is determined at run-time. Sven

...+ + MANTYPE=cat + ;; *-*-sysv4.2*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" *** uidswap.c Thu Apr 26 15:10:15 2001 --- uidswap.c.new Mon Oct 8 11:33:42 2001 *************** *** 85,91 **** if (setgroups(user_groupslen, user_groups) < 0) fatal("setgroups: %.100s", strerror(errno)); #endif /* !HAVE_CYWIN */ ! #ifndef SAVED_IDS_WORK_WITH_SETEUID /* Propagate the privileged gid to all of our gids. */ if (setgid(getegid()) < 0) debug("setgid %u: %...

...+) { Could this loop breaks when cmds[i].c is null? if so At line 1148: cmd = cmds[i].c; cmd is null, which is passed to strlen at line 1237. 5. Use after free file: uidswap.c function: temporarily_use_uid At line 113: xfree(user_groups); user_groups is freed and is used at line 117: if (setgroups(user_groupslen, user_groups) < 0) as a function argument. 6. Use After free file: monitor.c function: At line 1219: debug3("%s: key %p is %s", __func__, key, allowed ? "allowed" : "not allowed"); in which key is release at line 1198: key_free(key); Hope for your replies! Regard...

If we can get people to test their platforms against the last snapshot/cvs tree I'd be greatful. (http://www.openssh.com/portable.html) I know NeXT platform has problems. I'm going to spend tonight looking at it. Also, take a moment to see what manpage type ./configure decided for your system and if it's 'cat' please let us know. Thanks. - Ben