chown syscall security bug (V1.77 from 4bsd)

Steven M. Schultz sms at etn-wlv.eaton.com
Sat May 6 17:01:46 AEST 1989 

Subject: security problem with chown syscall
Index:	sys/ufs_syscalls.c 2.10BSD

Description:
	V1.77 (re-fix for chown security problem).  Originally posted for
	4.3BSD, this is the 2.10.1BSD counterpart.

>	There's a security problem associated with 4.3BSD and 4.3BSD-tahoe
>	systems involving the chown(2) system call.  It may exist in
>	4.3BSD derived systems; contact your vendor for more information.

Fix:
*** ufs_syscal.old	Sat Apr 29 20:20:18 1989
--- ufs_syscalls.c	Sat Apr 29 20:24:44 1989
***************
*** 3,9 ****
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)ufs_syscalls.c	1.1 (2.10BSD Berkeley) 12/1/86
   */
  
  #include "param.h"
--- 3,9 ----
   * All rights reserved.  The Berkeley software License Agreement
   * specifies the terms and conditions for redistribution.
   *
!  *	@(#)ufs_syscalls.c	1.2 (2.10BSD Berkeley) 4/29/89
   */
  
  #include "param.h"
***************
*** 577,583 ****
  		int	gid;
  	} *uap = (struct a *)u.u_ap;
  
! 	if ((ip = owner(uap->fname, NOFOLLOW)) == NULL)
  		return;
  	u.u_error = chown1(ip, uap->uid, uap->gid);
  	iput(ip);
--- 577,586 ----
  		int	gid;
  	} *uap = (struct a *)u.u_ap;
  
! 	u.u_segflg = UIO_USERSPACE;
! 	u.u_dirp = uap->fname;
! 	ip = namei(LOOKUP | NOFOLLOW);
! 	if (ip == NULL)
  		return;
  	u.u_error = chown1(ip, uap->uid, uap->gid);
  	iput(ip);
***************
*** 622,630 ****
  		uid = ip->i_uid;
  	if (gid == -1)
  		gid = ip->i_gid;
! 	if (uid != ip->i_uid && !suser())
! 		return (u.u_error);
! 	if (gid != ip->i_gid && !groupmember((gid_t)gid) && !suser())
  		return (u.u_error);
  #ifdef QUOTA
  	QUOTAMAP();
--- 625,637 ----
  		uid = ip->i_uid;
  	if (gid == -1)
  		gid = ip->i_gid;
! 	/*
! 	 * If we don't own the file, are trying to change the owner
! 	 * of the file, or are not a member of the target group,
! 	 * the caller must be superuser or the call fails.
! 	 */
! 	if ((u.u_uid != ip->i_uid || uid != ip->i_uid ||
! 	    !groupmember((gid_t)gid)) && !suser())
  		return (u.u_error);
  #ifdef QUOTA
  	QUOTAMAP();

More information about the Comp.bugs.2bsd mailing list