Wireshark-bugs: [Wireshark-bugs] [Bug 3523] New: Inconsistent results of started_with_special_pr
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3523
Summary: Inconsistent results of started_with_special_privs(),
potential security hole
Product: Wireshark
Version: 1.0.7
Platform: x86
OS/Version: All
Status: NEW
Severity: Major
Priority: Medium
Component: Wireshark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: mkes@xxxxxxxxxxxxxxx
Created an attachment (id=3101)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3101)
Test C++ source code
Build Information:
Not applicable.
--
The alternative implementations of the started_with_special_privs() function in
privileges.c give different results in some situations.
If I compile the attached test on FreeBSD (7.0-RELEASE) that supports the
issetugid() call and run it in different scenarios the results given by the
issetugid() are not the same as those given by the getuid() geteuid() ... based
test.
Nonprivileged user (uid=1000, gid=100):
> /tmp/uidtest
Real user ID = 1000
Effective user ID = 1000
Real group ID = 100
Effective group ID = 100
Running with special privileges (issetugid): no
Running with special privileges (get_X_id): no
The same user using sudo:
> sudo /tmp/uidtest
Password:
Real user ID = 0
Effective user ID = 0
Real group ID = 0
Effective group ID = 0
Running with special privileges (issetugid): no
Running with special privileges (get_X_id): yes
The same user with user/group 's' bits set:
> ls -l /tmp/uidtest
-rwsr-sr-x 1 root wheel 8920 Jun 9 17:22 /tmp/uidtest
> /tmp/uidtest
Real user ID = 1000
Effective user ID = 0
Real group ID = 100
Effective group ID = 0
Running with special privileges (issetugid): yes
Running with special privileges (get_X_id): yes
Runing as root:
# /tmp/uidtest
Real user ID = 0
Effective user ID = 0
Real group ID = 0
Effective group ID = 0
Running with special privileges (issetugid): no
Running with special privileges (get_X_id): yes
The results should be the same for both implementations.
Moreover, the result of the issetugid() based test is a security hole in
combination with the implementation of the init_plugin_dir() function in
epan/filesystem.c when runing using sudo.
If the sudo configuration gives a nonprivileged user the right to run only
wireshark executable as root, the user can override the built in plugin
directory path using the WIRESHARK_PLUGIN_DIR system variable and run arbitrary
plugin code with root privileges.
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.