From donn@u.washington.edu Tue Dec 12 17:51:16 2000
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28])
by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id RAA10521
for <bugs@RT-11.MIT.EDU>; Tue, 12 Dec 2000 17:51:15 -0500 (EST)
Received: from melville.u.washington.edu by MIT.EDU with SMTP
id AA11399; Tue, 12 Dec 00 17:52:45 EST
Received: (from donn@localhost)
by melville.u.washington.edu (8.9.3+UW00.05/8.9.3+UW00.12) id OAA268270;
Tue, 12 Dec 2000 14:51:14 -0800
Message-Id: <200012122251.OAA268270@melville.u.washington.edu>
Date: Tue, 12 Dec 2000 14:51:14 -0800
From: donn@u.washington.edu
Reply-To: donn@u.washington.edu
To: krb5-bugs@MIT.EDU
Cc:
Subject: AIX 4.3 seteuid broken
X-Send-Pr-Version: 3.99
University of Washington
which exposes the process to root quota issues that would
normally be immaterial for root.
In the fix, however, I proposed to use setuidx(), and that
turns out to be much too generous with privilege, and I want
to withdraw that. That is my main objective here.
The following is offered as a substitute, though IBM has
indicated they would fix seteuid() in future maintenance
releases. My fix here is to set only the privilege bit that
pertains to the observed problem.
the original problem, root's process quota vs. seteuid.
--- seteuid.c Tue Dec 12 12:55:52 2000
***************
*** 34,47 ****
#include <stdlib.h>
#endif
#include <errno.h>
int krb5_seteuid(euid_in)
int euid_in;
{
uid_t euid = (uid_t) euid_in;
#if defined(HAVE_SETEUID)
! return (seteuid(euid));
#else
#if defined(HAVE_SETRESUID)
return (setresuid(getuid(), euid, geteuid()));
--- 34,87 ----
#include <stdlib.h>
#endif
+ #ifdef _AIX
+ /*
+ ** AIX 4.3 seteuid clears some privilege bits that would (probably
+ ** among other things) allow the process to exceed maximum process limit.
+ ** Then when the process attempts to fork, process accounting is apparently
+ ** done against the real UID. In something like ftpd, that's 0 (root),
+ ** and the processes may very well be over the limit, since of course
+ ** root isn't subject to the limit. So ftpd can't spawn an "ls".
+ ** We brought this to IBM's attention, and a fix is supposed to be on
+ ** the way, some day. To work around this brain damage for ftpd's sake,
+ ** we can either turn the privs back on afterwards (!) or use setuidx().
+ **
+ ** It turns out that either leaves the potential to create files in
+ ** directories owned by root, which we do not like. setuidx() does
+ ** this, and full priv restoration does it. However, I find that
+ ** I can avoid the quota problem with a single bit, SET_PROC_RAC, so
+ ** that's my work-around.
+ **
+ ** Donn Cave, University of Washington
+ */
+
+ /* Guess if this is AIX 4.3 */
+ #include <sys/var.h>
+ #ifdef SYSP_GET
+ #define USE_SETPRIV 1
+ #include <sys/priv.h>
+ #endif
+ #endif /* AIX */
+
#include <errno.h>
int krb5_seteuid(euid_in)
int euid_in;
{
+ int rc;
uid_t euid = (uid_t) euid_in;
+ #if defined(USE_SETPRIV)
+ priv_t pv;
+ #endif
#if defined(HAVE_SETEUID)
! rc = seteuid(euid);
! #if defined(USE_SETPRIV)
! /* setpriv actually returns int, but krb5_seteuid returns per seteuid */
! memset(&pv, 0, sizeof(pv));
! pv.pv_priv[0] |= 1 << (SET_PROC_RAC - 1);
! setpriv(PRIV_EFFECTIVE|PRIV_ADD, &pv, sizeof(pv));
! #endif
! return rc;
#else
#if defined(HAVE_SETRESUID)
return (setresuid(getuid(), euid, geteuid()));
From: Sam Hartman <hartmans@MIT.EDU>
To: donn@u.washington.edu
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-libs/908: AIX 4.3 seteuid broken
Date: 21 Dec 2000 23:31:49 -0500
I strongly recommend against accepting AIX specific privilege handling
patches. AIX 's extended privilege system was under the 3.x release
of AIX and certainly under the 4.3.3 documentation I examined not a
public interface. The intent from 3.2.5 on was to have seteuid behave
as application porters expect.
Especially since IBM has accepted the bug, I suggest that we do not do
anything special on AIX.
State-Changed-From-To: open-closed
State-Changed-By: raeburn
State-Changed-When: Thu Feb 1 22:30:37 2001
State-Changed-Why:
Moved info to krb5-libs/873.
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28])
by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id RAA10521
for <bugs@RT-11.MIT.EDU>; Tue, 12 Dec 2000 17:51:15 -0500 (EST)
Received: from melville.u.washington.edu by MIT.EDU with SMTP
id AA11399; Tue, 12 Dec 00 17:52:45 EST
Received: (from donn@localhost)
by melville.u.washington.edu (8.9.3+UW00.05/8.9.3+UW00.12) id OAA268270;
Tue, 12 Dec 2000 14:51:14 -0800
Message-Id: <200012122251.OAA268270@melville.u.washington.edu>
Date: Tue, 12 Dec 2000 14:51:14 -0800
From: donn@u.washington.edu
Reply-To: donn@u.washington.edu
To: krb5-bugs@MIT.EDU
Cc:
Subject: AIX 4.3 seteuid broken
X-Send-Pr-Version: 3.99
Show quoted text
>Number: 908
>Category: krb5-libs
>Synopsis: Update to krb5-libs/873
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: krb5-unassigned
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Dec 12 17:52:00 EST 2000
>Last-Modified: Thu Feb 1 22:31:46 EST 2001
>Originator: Donn Cave
>Organization:
University Computing Services>Category: krb5-libs
>Synopsis: Update to krb5-libs/873
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: krb5-unassigned
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Dec 12 17:52:00 EST 2000
>Last-Modified: Thu Feb 1 22:31:46 EST 2001
>Originator: Donn Cave
>Organization:
University of Washington
Show quoted text
>Release: krb5-1.2.1
>Environment:
AIX 4.3>Environment:
Show quoted text
>Description:
In krb5-libs/873 I reported a problem with AIX 4.3 seteuid(),which exposes the process to root quota issues that would
normally be immaterial for root.
In the fix, however, I proposed to use setuidx(), and that
turns out to be much too generous with privilege, and I want
to withdraw that. That is my main objective here.
The following is offered as a substitute, though IBM has
indicated they would fix seteuid() in future maintenance
releases. My fix here is to set only the privilege bit that
pertains to the observed problem.
Show quoted text
>How-To-Repeat:
Ftp to host with many root processes, try to "ls" (this showsthe original problem, root's process quota vs. seteuid.
Show quoted text
>Fix:
*** seteuid.c.dist Thu Jun 29 19:28:14 2000--- seteuid.c Tue Dec 12 12:55:52 2000
***************
*** 34,47 ****
#include <stdlib.h>
#endif
#include <errno.h>
int krb5_seteuid(euid_in)
int euid_in;
{
uid_t euid = (uid_t) euid_in;
#if defined(HAVE_SETEUID)
! return (seteuid(euid));
#else
#if defined(HAVE_SETRESUID)
return (setresuid(getuid(), euid, geteuid()));
--- 34,87 ----
#include <stdlib.h>
#endif
+ #ifdef _AIX
+ /*
+ ** AIX 4.3 seteuid clears some privilege bits that would (probably
+ ** among other things) allow the process to exceed maximum process limit.
+ ** Then when the process attempts to fork, process accounting is apparently
+ ** done against the real UID. In something like ftpd, that's 0 (root),
+ ** and the processes may very well be over the limit, since of course
+ ** root isn't subject to the limit. So ftpd can't spawn an "ls".
+ ** We brought this to IBM's attention, and a fix is supposed to be on
+ ** the way, some day. To work around this brain damage for ftpd's sake,
+ ** we can either turn the privs back on afterwards (!) or use setuidx().
+ **
+ ** It turns out that either leaves the potential to create files in
+ ** directories owned by root, which we do not like. setuidx() does
+ ** this, and full priv restoration does it. However, I find that
+ ** I can avoid the quota problem with a single bit, SET_PROC_RAC, so
+ ** that's my work-around.
+ **
+ ** Donn Cave, University of Washington
+ */
+
+ /* Guess if this is AIX 4.3 */
+ #include <sys/var.h>
+ #ifdef SYSP_GET
+ #define USE_SETPRIV 1
+ #include <sys/priv.h>
+ #endif
+ #endif /* AIX */
+
#include <errno.h>
int krb5_seteuid(euid_in)
int euid_in;
{
+ int rc;
uid_t euid = (uid_t) euid_in;
+ #if defined(USE_SETPRIV)
+ priv_t pv;
+ #endif
#if defined(HAVE_SETEUID)
! rc = seteuid(euid);
! #if defined(USE_SETPRIV)
! /* setpriv actually returns int, but krb5_seteuid returns per seteuid */
! memset(&pv, 0, sizeof(pv));
! pv.pv_priv[0] |= 1 << (SET_PROC_RAC - 1);
! setpriv(PRIV_EFFECTIVE|PRIV_ADD, &pv, sizeof(pv));
! #endif
! return rc;
#else
#if defined(HAVE_SETRESUID)
return (setresuid(getuid(), euid, geteuid()));
Show quoted text
>Audit-Trail:
From: Sam Hartman <hartmans@MIT.EDU>
To: donn@u.washington.edu
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-libs/908: AIX 4.3 seteuid broken
Date: 21 Dec 2000 23:31:49 -0500
I strongly recommend against accepting AIX specific privilege handling
patches. AIX 's extended privilege system was under the 3.x release
of AIX and certainly under the 4.3.3 documentation I examined not a
public interface. The intent from 3.2.5 on was to have seteuid behave
as application porters expect.
Especially since IBM has accepted the bug, I suggest that we do not do
anything special on AIX.
State-Changed-From-To: open-closed
State-Changed-By: raeburn
State-Changed-When: Thu Feb 1 22:30:37 2001
State-Changed-Why:
Moved info to krb5-libs/873.
Show quoted text
>Unformatted: