
Security problem in `fchown' command




**********************************************************************
DDN MGT Bulletin 58              DCA DDN Defense Communications System
24 Apr 89                        Published by: DDN Network Info Center
                                    (NIC@SRI-NIC.ARPA)  (800) 235-3155
 
                        DEFENSE  DATA  NETWORK
                         MANAGEMENT  BULLETIN
 
The DDN MANAGEMENT BULLETIN is distributed online by the DDN Network
Information Center under DCA contract as a means of communicating
official policy, procedures and other information of concern to
management personnel at DDN facilities.  Back issues may be read
through the TACNEWS server ("@n" command at the TAC) or may be
obtained by FTP (or Kermit) from the SRI-NIC host [26.0.0.73 or
10.0.0.51] using login="anonymous" and password="guest".  The pathname
for bulletins is DDN-NEWS:DDN-MGT-BULLETIN-nn.TXT (where "nn" is the
bulletin number).
 
**********************************************************************
 
           SECURITY PROBLEM IN `FCHOWN' COMMAND
 
APPLICABLE OPERATING SYSTEM:  UNIX (unmodified 4.3BSD and 4.3BSD-tahoe)
 
  PROBLEM: There's a security problem associated with 4.3BSD and
           4.3BSD-tahoe systems involving the chown(2) system call.
 
   STATUS: The enclosed fix was broadcast on comp.bugs.4bsd.ucb-fixes as
           patch V1.77.

 
 CONTACTS: CERT at (412) 268-7090  for general problem information.
           SRI/NIC at 1-800-235-3155 for general information.
           Your vendor for your site-specific information.
 
  NOTE(1): This bulletin represents the best information available
           at this time to fix this problem.  As with any program
           modification, CHECK WITH YOUR VENDOR BEFORE APPLYING.
 
  NOTE(2): Only those sites which have acquired these operating systems
           directly from Berkeley sources and not through a vendor are
           known to be affected.  It may exist in 4.3BSD derived systems;
           contact your vendor for more information.
 
 
---------------------------- PATCH FOLLOWS ----------------------------
 
*** /tmp/d04748	Thu Jan 26 21:04:17 1989
- --- ufs_syscalls.c	Wed Jan 25 09:44:50 1989
***************
*** 3,9 ****
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)ufs_syscalls.c	7.3 (Berkeley) 4/18/87
   */
  
  #include "param.h"
- --- 3,9 ----
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)ufs_syscalls.c	7.4 (Berkeley) 1/24/89
   */
  
  #include "param.h"
***************
*** 600,607 ****
  		int	uid;
  		int	gid;
  	} *uap = (struct a *)u.u_ap;
  
! 	if ((ip = owner(uap->fname, NOFOLLOW)) == NULL)
  		return;
  	u.u_error = chown1(ip, uap->uid, uap->gid);
  	iput(ip);
- --- 600,612 ----
  		int	uid;
  		int	gid;
  	} *uap = (struct a *)u.u_ap;
+ 	register struct nameidata *ndp = &u.u_nd;
  
! 	ndp->ni_nameiop = LOOKUP | NOFOLLOW;
! 	ndp->ni_segflg = UIO_USERSPACE;
! 	ndp->ni_dirp = uap->fname;
! 	ip = namei(ndp);
! 	if (ip == NULL)
  		return;
  	u.u_error = chown1(ip, uap->uid, uap->gid);
  	iput(ip);
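Review bot: the lookup at `ip = namei(ndp);` no longer goes through owner(), so nothing in chown() itself now limits who may reach chown1(), and the hunk carries no comment saying this is intended. Add a short comment above the namei() setup stating that the permission decision is made entirely inside chown1(), so that a later reader does not reinstate or duplicate a check at this call site. The `if (ip == NULL) return;` path assigns nothing before the bare return, so it depends on namei() leaving the error in u.u_error; that is worth saying in the same comment.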
***************
*** 647,655 ****
  		uid = ip->i_uid;
  	if (gid == -1)
  		gid = ip->i_gid;
! 	if (uid != ip->i_uid && !suser())
! 		return (u.u_error);
! 	if (gid != ip->i_gid && !groupmember((gid_t)gid) && !suser())
  		return (u.u_error);
  #ifdef QUOTA
  	if (ip->i_uid == uid)		/* this just speeds things a little */
- --- 652,664 ----
  		uid = ip->i_uid;
  	if (gid == -1)
  		gid = ip->i_gid;
! 	/*
! 	 * If we don't own the file, are trying to change the owner
! 	 * of the file, or are not a member of the target group,
! 	 * the caller must be superuser or the call fails.
! 	 */
! 	if ((u.u_uid != ip->i_uid || uid != ip->i_uid ||
! 	    !groupmember((gid_t)gid)) && !suser())
  		return (u.u_error);
  #ifdef QUOTA
  	if (ip->i_uid == uid)		/* this just speeds things a little */
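Review bot: in the new test, `!groupmember((gid_t)gid)` is evaluated even when the group is not being changed, because the old `gid != ip->i_gid &&` guard was dropped and a gid of -1 has already been mapped to ip->i_gid just above. An owner who is not a member of the file's current group will now fail a call that leaves both uid and gid as they are, where the old code let it through. If that is not intended, keep the guard inside the new condition as `(gid != ip->i_gid && !groupmember((gid_t)gid))`; the added `u.u_uid != ip->i_uid` term, which is the comparison the old code lacked, is unaffected. The failure path returns u.u_error without assigning it, so it relies on suser() having set it, and suser() should stay the last operand of the condition.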

 
-------


