bin/172289: Check return value of setuid()
Erik Cederstrand
erik at cederstrand.dk
Tue Oct 2 21:30:12 UTC 2012
>Number: 172289
>Category: bin
>Synopsis: Check return value of setuid()
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Oct 02 21:30:10 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Erik Cederstrand
>Release: CURRENT
>Organization:
>Environment:
>Description:
When dropping root privileges, ping doesn't check the return value of setuid(). If setuid() fails, which it can do for a number of reasons, root privileges are not dropped. This is a privilege escalation.
>How-To-Repeat:
>Fix:
Check return value of setuid and abort if it fails.
Patch attached with submission follows:
Index: ping.c
===================================================================
--- ping.c (revision 240960)
+++ ping.c (working copy)
@@ -255,7 +255,8 @@
s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
sockerrno = errno;
- setuid(getuid());
+ if (setuid(getuid()) != 0)
+ err(EX_NOPERM, "setuid() failed");
uid = getuid();
alarmtimeout = df = preload = tos = 0;
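Review bot: The added err(EX_NOPERM, "setuid() failed") call depends on <sysexits.h> for EX_NOPERM, and the patch adds no include, so confirm ping.c already pulls that header in. Aborting is the right response, because the next line goes on to use getuid() as if the drop had succeeded. Since err() already appends the strerror(errno) text, the message could be shortened to "setuid". A comment above the check noting that the raw socket was deliberately opened before the drop would help later readers.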
>Release-Note:
>Audit-Trail:
>Unformatted:
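
An added example, not part of the PR or of ping.c: a privilege-drop helper that performs the checked setuid() described above and then verifies that the drop actually took effect. The name drop_to_real_uid is hypothetical, and the post-drop verification goes beyond what the attached patch does.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical helper (not from ping.c): permanently drop to the real
 * uid and confirm the drop took effect. Returns 0 on success, -1 with
 * errno set on failure; the caller must exit on -1.
 */
int
drop_to_real_uid(void)
{
	uid_t ruid = getuid();

	/* The check the PR asks for: a failed setuid() leaves the old uids. */
	if (setuid(ruid) != 0)
		return (-1);

	/* Both the real and effective uid must now be the invoking user. */
	if (getuid() != ruid || geteuid() != ruid) {
		errno = EPERM;
		return (-1);
	}

	/* A non-root user must not be able to get uid 0 back. */
	if (ruid != 0 && setuid(0) == 0) {
		errno = EPERM;
		return (-1);
	}
	return (0);
}

int
main(void)
{
	if (drop_to_real_uid() != 0) {
		perror("drop_to_real_uid");
		return (1);
	}
	printf("running as uid %ld\n", (long)getuid());
	return (0);
}
```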