Opinion on checking return value of setuid(getuid())?
Erik Cederstrand
erik at cederstrand.dk
Tue Oct 2 21:56:43 UTC 2012
Den 02/10/2012 kl. 23.44 skrev Xin Li <delphij at delphij.net>:
> On 10/02/12 07:45, Eitan Adler wrote:
>> On 2 October 2012 08:38, Erik Cederstrand <erik at cederstrand.dk>
>> wrote:
>>> Den 01/10/2012 kl. 13.55 skrev Eitan Adler
>>> <lists at eitanadler.com>:
>>>
>>>> On 1 October 2012 07:08, Konstantin Belousov
>>>> <kostikbel at gmail.com> wrote:
>>>>> I do not believe in the dreadful 'flood ping' security
>>>>> breach. Is a local escalation possible with non-dropped root
>>>>> ?
>>>>
>>>> It is clearly a local escalation: a non-root user can do
>>>> something which was intended only for root. It is a different
>>>> question how serious the breach is.
>>>
>>> Are there any objections to the path I attached in my first post?
>>> To the approach in general? If not, I'll send a PR so it doesn't
>>> get lost.
>> Not by me. Please cc me on the PR as I'll commit if no one else
>> objects.
>
> It doesn't seem hurt in general but if you are going to commit it
> please also change the other instances in the base system.
I'll do my best. There are around 200 of these in base, but some are the result of macro expansion so it may not be too bad.
Erik
More information about the freebsd-security
mailing list