Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!gatech!hubcap!ncrcae!ncrlnk!uunet!mcvax!ukc!warwick!cudcv
From: cudcv@warwick.ac.uk (Rob McMahon)
Newsgroups: comp.unix.wizards
Subject: Re: Re: The Internet Virus--Another issue
Message-ID: <67@titania.warwick.ac.uk>
Date: 17 Dec 88 18:09:03 GMT
References: <17849@glacier.STANFORD.EDU> <4470010@hpindda.HP.COM> <1026@ccnysci.UUCP> <6624@csli.STANFORD.EDU> <66@titania.warwick.ac.uk> <716@auspex.UUCP>
Reply-To: cudcv@warwick.ac.uk (Rob McMahon)
Organization: Computing Services, Warwick University, UK
Lines: 22

In article <66@titania.warwick.ac.uk> I wrote:
>>If you've got an inetd.conf that takes a user to run the daemon as, I would
>>also be careful about using users with -ve uids, someone said this can cause
>>the daemon to get run as root when e.g. setuid(-2) fails (setuid expecting a
>>0 <= number < 2^16).

In article <716@auspex.UUCP> guy@auspex.UUCP (Guy Harris) replies:
>It seems to work under SunOS 4.0; the "pw_uid" field for the user is cast to
>"uid_t", which is "unsigned short", the net result being that it passes 65534
>rather than -2 to "setuid".

Humble apologies.  I really should have checked this out, because it seems to
be safe in 4.3 too.  Make sure you have unusable passwords on your -ve uid
accounts though, because the pw_uid in a struct passwd is an int, and at least
under 4.3 login neither casts it to uid_t nor checks the return from setuid.
I believe this was fixed in SunOS 4.0.1.

Rob
-- 
UUCP:   ...!mcvax!ukc!warwick!cudcv	PHONE:  +44 203 523037
JANET:  cudcv@uk.ac.warwick             ARPA:   cudcv@warwick.ac.uk
Rob McMahon, Computing Services, Warwick University, Coventry CV4 7AL, England