Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10 beta 3/9/83; site nmtvax.UUCP
Path: utzoo!watmath!clyde!burl!we13!ihnp4!drutx!houxe!hogpc!houti!ariel!vax135!floyd!cmcl2!lanl-a!unm-cvax!nmtvax!fred
From: fred@nmtvax.UUCP
Newsgroups: net.bugs.4bsd,net.unix-wizards
Subject: bug in signals and setuid in 4.2 bsd.
Message-ID: <274@nmtvax.UUCP>
Date: Sat, 28-Apr-84 12:37:47 EDT
Article-I.D.: nmtvax.274
Posted: Sat Apr 28 12:37:47 1984
Date-Received: Sun, 29-Apr-84 08:07:13 EDT
Organization: New Mexico Tech, Socorro, N.M.
Lines: 69

Index: /sys/sys/kern_prot.c 4.2 BSD Vax

Description:
	There is a bug with signals and setuid in 4.2 BSD. This may have
existed in 4.1, but I am not sure, since I don't have source readily
available at the moment.

	When a process first starts up, p_uid in the process structure is
set to the effective uid. Then, if you do a setuid (or setreuid), it sets
p_uid to your REAL user id. If you then send a signal to yourself, the
system searches for a process with the same pid as yours and a uid equal
to your effective uid to deliver the requested signal, and fails.

Repeat-By:
	The following small program shows the bug; run it on your machine.
It should be run by a normal (non-root) user and made set-uid to someone
else. The second kill will fail with "No such process".

	#include <sys/types.h>
	#include <signal.h>
	#include <stdio.h>
	#include <unistd.h>

	void tsig(int sig);

	int
	main(void)
	{
		signal(SIGALRM, tsig);
		/* First kill: p_uid still holds the effective uid set at exec,
		 * so signalling our own process group succeeds. */
		printf("uid: %d,euid: %d\n", (int)getuid(), (int)geteuid());
		if (kill(0, SIGALRM) < 0)
			perror("kill");
		/* setreuid(-1, -1) changes neither uid, yet the 4.2 BSD kernel
		 * rewrites p_uid to the REAL uid as a side effect. */
		setreuid((uid_t)-1, (uid_t)-1);
		printf("uid: %d,euid: %d\n", (int)getuid(), (int)geteuid());
		/* Second kill: on an unpatched 4.2 BSD kernel the sender's
		 * effective uid no longer matches its own p_uid, so this fails. */
		if (kill(0, SIGALRM) < 0)
			perror("kill");
		return 0;
	}

	void
	tsig(int sig)
	{
		(void)sig;
		printf("Caught signal.\n");
	}

Fix:
	The fix is very simple. Just change setreuid() in
/sys/sys/kern_prot.c so that p_uid is set to the effective uid rather than
the real user id. The following is a diff of what needs to be corrected.
*** kern_prot.c Fri Apr 27 19:34:16 1984 --- kern_prot.old Tue Feb 28 11:53:20 1984 *************** *** 133,139 qstart(getquota(ruid, 0, 0)); } #endif ! u.u_procp->p_uid = euid; u.u_ruid = ruid; u.u_uid = euid; } --- 133,139 ----- qstart(getquota(ruid, 0, 0)); } #endif ! u.u_procp->p_uid = ruid; u.u_ruid = ruid; u.u_uid = euid; } -- Fred Romelfanger Computer Science Department New Mexico Tech ..!ucbvax!unmvax!nmtvax!fred (uucp) ..!cmcl2!lanl-a!nmtvax!fred (uucp) fred.nmt@rand-relay (arpa) fred@nmt (CSnet)
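Review bot: the diff is reversed. `*** kern_prot.c Fri Apr 27` is the corrected file and `--- kern_prot.old Tue Feb 28` is the original, so the `!` lines show `u.u_procp->p_uid = euid;` on the left and `u.u_procp->p_uid = ruid;` on the right; fed to patch(1) as posted, this hunk turns an already-fixed kernel back into the buggy one. Regenerate it with the old file on the left (`diff -c kern_prot.old kern_prot.c`), or state that it must be applied with `patch -R`. The hunk also changes only the setreuid() assignment; since p_uid is the value the description says kill(2) matches against the sender's effective uid, a one-line comment at that assignment saying so would stop the next reader from "restoring" the real-uid version.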
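The three rules the report relies on (exec initialises p_uid from the effective uid, the unfixed setreuid() resets it to the real uid while the fix keeps it at the effective uid, and kill() only finds a target whose p_uid matches the sender's effective uid) are easy to step through in user space. The following is an added example, not code from the original post or from the 4.2 BSD kernel: the struct, the function names, the uids 1001 and 1002, the root bypass, and the treatment of a uid mismatch as "not found" (ESRCH, the error the report observes) are all assumptions of the model, and kill(0, ...) to the whole process group is simplified to a lookup of a single pid.

```c
/* Added example: a user-space model of the p_uid / setreuid / kill()
 * interaction described in the report.  Not 4.2 BSD code; every detail
 * below that the report does not state is an assumption of the model. */
#include <errno.h>
#include <stdio.h>

struct model_proc {
    int pid;
    int p_uid;   /* the uid kill() compares against (proc structure) */
    int u_ruid;  /* real uid (user structure) */
    int u_uid;   /* effective uid (user structure) */
};

/* exec of a set-uid file: the real uid is kept, the effective uid becomes
 * the file owner, and p_uid is initialised from the effective uid. */
static void model_exec_setuid(struct model_proc *p, int pid, int real_uid,
                              int owner_uid)
{
    p->pid = pid;
    p->u_ruid = real_uid;
    p->u_uid = owner_uid;
    p->p_uid = owner_uid;
}

/* setreuid(ruid, euid), -1 meaning "leave unchanged".  fixed == 0 models
 * the 4.2 BSD behaviour (p_uid = ruid); fixed != 0 models the posted fix
 * (p_uid = euid). */
static void model_setreuid(struct model_proc *p, int ruid, int euid, int fixed)
{
    if (ruid == -1) ruid = p->u_ruid;
    if (euid == -1) euid = p->u_uid;
    p->p_uid = fixed ? euid : ruid;
    p->u_ruid = ruid;
    p->u_uid = euid;
}

/* The search the report describes: look for a process with the wanted pid
 * whose p_uid equals the sender's effective uid (root matches anything).
 * A uid mismatch is simply "not found", hence ESRCH, as observed. */
static int model_kill(const struct model_proc *sender,
                      const struct model_proc *procs, int nprocs, int pid)
{
    for (int i = 0; i < nprocs; i++) {
        if (procs[i].pid != pid)
            continue;
        if (sender->u_uid == 0 || sender->u_uid == procs[i].p_uid)
            return 0;
    }
    return ESRCH;
}

/* Replays the Repeat-By program with assumed uids: user 1001 runs a file
 * set-uid to 1002, signals itself, calls setreuid(-1, -1), signals itself
 * again.  Returns the result of the second kill (0 = delivered). */
int replay_repeat_by(int fixed)
{
    struct model_proc self;
    model_exec_setuid(&self, 42, 1001, 1002);
    int first = model_kill(&self, &self, 1, self.pid);
    model_setreuid(&self, -1, -1, fixed);
    int second = model_kill(&self, &self, 1, self.pid);
    printf("%s kernel: first kill=%d, second kill=%d (p_uid=%d, euid=%d)\n",
           fixed ? "fixed  " : "4.2 BSD", first, second, self.p_uid, self.u_uid);
    return second;
}

int main(void)
{
    replay_repeat_by(0);   /* unfixed: second kill returns ESRCH */
    replay_repeat_by(1);   /* fixed: both kills return 0 */
    return 0;
}
```

The model makes the mechanism visible: the no-op setreuid(-1, -1) leaves both uids untouched but still moves p_uid from 1002 to 1001 on the unfixed path, so the process's own effective uid 1002 no longer matches and the lookup comes up empty. With the fix, p_uid tracks the effective uid exactly as it did at exec time.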