Re: setuid(geteuid());?

Tom Lane writes:

> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > so it seems to make sure the real/saved uid matches the effective uid.
> > Now, considering we don't use uid/euid distinction for anything, I agree
> > it is useless and should be removed.
>
> No, it is NOT useless and must NOT be removed.  The point of this little
> machination is to be dead certain that we have given up root rights if
> executed as setuid postgres.  The scenario we're concerned about is
> where real uid = root and effective uid = postgres.

If effective uid = postgres, then this will execute setuid(postgres),
which does nothing.

> We want real uid
> to become postgres as well --- otherwise our test to prevent execution
> as root is a waste of time, because nefarious code could become root
> again just by doing setuid.  See the setuid man page: if real uid is
> root then setuid(root) will succeed.

That is a valid concern, but the code doesn't actually prevent this.  I
just tried

chmod u+s postgres
su -
postmaster -D ...

Then loaded the function

#include <postgres.h>

int32 touch(int32 a) {   if (setuid(0) == -1)       elog(ERROR, "setuid: %m");   elog(DEBUG, "getuid = %d, geteuid =
%d",getuid(), geteuid());   system("touch /tmp/foofile");   setuid(500); /* my own */   return a + 1;
 
}

and the output was

DEBUG:  getuid = 0, geteuid = 0

and I got a file /tmp/foofile owned by root.

ISTM that the best way to prevent this exploit would be to check for both
geteuid() == 0 and getuid() == 0 in main.c.

-- 
Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter