Bug 1182 - uid 0, gid !=0 fools defensive check in uidswap.c
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 3.7.1p1
Hardware: All Linux
Importance: P4 minor
Assignee: Assigned to nobody
Reported: 2006-04-12 06:57 AEST by csmith
Modified: 2006-10-07 11:45 AEST
Description csmith 2006-04-12 06:57:03 AEST
I no longer have a test setup to check if this is still broken -- sorry -- but I thought you'd like to know about it anyway.

If your uid is 0, the code in permanently_set_uid() to check if its setresgid worked properly is fooled.

See bugs.gentoo.org #77915 comments 5, 6, 7.

Thanks for openssh.
Comment 1 Darren Tucker 2006-04-17 22:59:34 AEST
Thanks, but this was fixed in 4.0p1, which had this change (uidswap.c rev 1.45):

-       if (old_gid != pw->pw_gid &&
+       if (old_gid != pw->pw_gid && pw->pw_uid != 0 &&
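Review bot: the `pw->pw_uid != 0` term added on the `+` line switches this defensive check off for every uid 0 target, and nothing on the visible lines records why. Add a comment above the condition stating that a uid 0 process can always change its gid back, so a successful restore proves nothing in that case and the test only makes sense for unprivileged targets. The rest of the condition is cut off in this excerpt, so it is not possible to confirm from these lines whether the uid 0 path still gets any verification that the gid change took effect.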

Emulating your failure case ("su - root; newgrp foo") works ok.
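The check discussed in this report, as an added example (not OpenSSH's code and not part of either comment): a small C model with a simulated setgid() that shows why a "can the old gid be restored?" test fires for a uid 0 target and what it still catches for other uids. The names `cred`, `sim_setgid`, `restore_check_fires` and all numeric ids are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed model of a process's credentials after the switch. */
struct cred { uid_t uid; gid_t gid; gid_t sgid; };

/* Stand-in for setgid(): uid 0 may take any gid; other uids only the
 * current or saved gid (a real kernel fails with EPERM otherwise). */
static int sim_setgid(struct cred *c, gid_t g)
{
    if (c->uid == 0 || g == c->gid || g == c->sgid) {
        c->gid = g;
        return 0;
    }
    return -1;
}

/* True when the "was the old gid restorable?" check would abort.
 * sgid_after: saved gid left behind by the switch (== pw_gid if it worked).
 * skip_for_root: false = condition before the change, true = with the
 * added pw_uid != 0 term. */
static bool restore_check_fires(gid_t old_gid, uid_t pw_uid, gid_t pw_gid,
                                gid_t sgid_after, bool skip_for_root)
{
    struct cred after = { pw_uid, pw_gid, sgid_after };

    if (old_gid == pw_gid)
        return false;                 /* gid did not change: nothing to test */
    if (skip_for_root && pw_uid == 0)
        return false;                 /* uid 0 can always get the gid back */
    return sim_setgid(&after, old_gid) == 0;
}

int main(void)
{
    /* Constructed ids: 100 = group entered via newgrp, 1000 = ordinary user. */
    printf("uid 0, old gid 100, before: %d\n", restore_check_fires(100, 0, 0, 0, false));
    printf("uid 0, old gid 100, after:  %d\n", restore_check_fires(100, 0, 0, 0, true));
    printf("uid 1000, clean switch:     %d\n", restore_check_fires(0, 1000, 1000, 1000, true));
    printf("uid 1000, saved gid leaked: %d\n", restore_check_fires(0, 1000, 1000, 0, true));
    return 0;
}
```

The first case is the false alarm from the report; the last shows the check still flagging an unprivileged process that kept the old gid as its saved gid.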
Comment 2 Darren Tucker 2006-10-07 11:45:00 AEST
Change all RESOLVED bugs to CLOSED with the exception of the ones fixed post-4.4.