Re: setuid(geteuid());?
От | Peter Eisentraut |
---|---|
Тема | Re: setuid(geteuid());? |
Дата | |
Msg-id | Pine.LNX.4.30.0104211857560.758-100000@peter.localdomain обсуждение исходный текст |
Ответ на | Re: setuid(geteuid());? (Tom Lane <tgl@sss.pgh.pa.us>) |
Ответы |
Re: setuid(geteuid());?
Re: setuid(geteuid());? Re: setuid(geteuid());? |
Список | pgsql-hackers |
Tom Lane writes: > Bruce Momjian <pgman@candle.pha.pa.us> writes: > > so it seems to make sure the real/saved uid matches the effective uid. > > Now, considering we don't use uid/euid distinction for anything, I agree > > it is useless and should be removed. > > No, it is NOT useless and must NOT be removed. The point of this little > machination is to be dead certain that we have given up root rights if > executed as setuid postgres. The scenario we're concerned about is > where real uid = root and effective uid = postgres. If effective uid = postgres, then this will execute setuid(postgres), which does nothing. > We want real uid > to become postgres as well --- otherwise our test to prevent execution > as root is a waste of time, because nefarious code could become root > again just by doing setuid. See the setuid man page: if real uid is > root then setuid(root) will succeed. That is a valid concern, but the code doesn't actually prevent this. I just tried chmod u+s postgres su - postmaster -D ... Then loaded the function #include <postgres.h> int32 touch(int32 a) { if (setuid(0) == -1) elog(ERROR, "setuid: %m"); elog(DEBUG, "getuid = %d, geteuid = %d",getuid(), geteuid()); system("touch /tmp/foofile"); setuid(500); /* my own */ return a + 1; } and the output was DEBUG: getuid = 0, geteuid = 0 and I got a file /tmp/foofile owned by root. ISTM that the best way to prevent this exploit would be to check for both geteuid() == 0 and getuid() == 0 in main.c. -- Peter Eisentraut peter_e@gmx.net http://funkturm.homeip.net/~peter
В списке pgsql-hackers по дате отправления: