non-setuid rcp problem

I've been having a problem with kerberized rcp, at least with Heimdal 1.0 and newer.  Whenever I rcp something from a remote host to the local machine:
   rcp host:file file
I get an error code of 1 from rcp.  This messes up some scripts we use which check error codes.

We do not install rcp setuid.

Looking at appl/rcp/rcp.c, line 278, in tolocal() I see:
                 if (seteuid(0) < 0)
                         exit(1);
It looks like this is guaranteed to fail if rcp is not installed setuid!  Also, I don't see where the effective uid was ever changed from 0 in this code path (though I've not looked closely), so there might be a vulnerability here.

This code is identical in Heimdal 1.1 and the development branch.

I think that the correct fix is either not doing the seteuid if we're not setuid, or (simpler) not checking the return code from this seteuid.  If we can't become root, oh well.

	-Kevin
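Added example, not Heimdal's code: a small C sketch of the first fix proposed above, where the program records at startup whether it was actually installed setuid root and only tries to regain root (or drop it) when it was. original_check_would_exit() mirrors the quoted check so the failure on a non-setuid binary can be observed; privs_init, raise_privs, drop_privs and the static state are hypothetical names.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper state (not Heimdal's): remember at startup whether the
 * binary was installed setuid root, so later privilege toggles can be skipped
 * instead of aborting the copy when there is no privilege to toggle. */
static uid_t real_uid;
static int started_setuid_root;

void privs_init(void)
{
    real_uid = getuid();
    /* euid 0 with a non-zero real uid means "installed setuid root" */
    started_setuid_root = (geteuid() == 0 && real_uid != 0);
    if (started_setuid_root && seteuid(real_uid) < 0)
        perror("seteuid");      /* run unprivileged until root is needed */
}

/* Same condition as the quoted tolocal() code: returns 1 whenever the
 * original would have called exit(1). For a binary that is neither setuid
 * nor run by root, seteuid(0) fails with EPERM, so this is always 1. */
int original_check_would_exit(void)
{
    return seteuid(0) < 0;
}

/* Fixed variant: only regain root when we really started as setuid root.
 * Returns 0 on success (or when there is nothing to regain), -1 when a
 * genuine setuid binary unexpectedly failed to become root. */
int raise_privs(void)
{
    if (!started_setuid_root)
        return 0;
    if (seteuid(0) < 0) {
        fprintf(stderr, "seteuid(0): %s\n", strerror(errno));
        return -1;
    }
    return 0;
}

/* Drop back to the invoking user after the privileged operation. */
int drop_privs(void)
{
    if (!started_setuid_root)
        return 0;
    return seteuid(real_uid) < 0 ? -1 : 0;
}
```

Run as an ordinary user without the setuid bit, original_check_would_exit() returns 1 (the script-breaking exit status described above) while raise_privs() and drop_privs() both return 0 and let the copy proceed.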
