Zsh Mailing List Archive
Re: Speaking of 5.8.1.3-test ...
- X-seq: zsh-workers 50192
- From: Jun T <takimoto-j@xxxxxxxxxxxxxxxxx>
- To: zsh-workers@xxxxxxx
- Subject: Re: Speaking of 5.8.1.3-test ...
- Date: Tue, 10 May 2022 13:05:41 +0900
- Archived-at: <https://zsh.org/workers/50192>
- In-reply-to: <CAH+w=7Z+EmB0Bg2rUdOtktkx-rQHFSu-+2CbeYdC20rYZ-Xq8Q@mail.gmail.com>
- List-id: <zsh-workers.zsh.org>
- References: <CAH+w=7Z+EmB0Bg2rUdOtktkx-rQHFSu-+2CbeYdC20rYZ-Xq8Q@mail.gmail.com>
> 2022/05/07 11:59, Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx> wrote:
>
> Has anyone tried this at all? No reports +/- so far.

If there is anyone familiar with NetBSD please correct me if I'm wrong.

If I run P01privileged as root on NetBSD-9.2, the following four test
chunks fail:

    EUID set to RUID after disabling PRIVILEGED
    not possible to regain EUID when unprivileged after disabling PRIVILEGED
    not possible to regain EGID when unprivileged after disabling PRIVILEGED
    getpwuid() fails with non-existent RUID and 0 EUID

In all of these cases, error output includes:

    zsh:unsetopt:1: PRIVILEGED: can't drop privileges; was able to restore the e[ug]id

"unsetopt privileged" calls

    setresuid(getuid(), getuid(), getuid())

at line 853 in options.c. NetBSD does not have setresuid(), and the wrapper
in openssh_bsd_setres_id.c is used, which calls

    setreuid(ruid, ruid)

But man setreuid(2) (on NetBSD) says:

    "If the real user ID is changed, the saved user ID is
    changed to the new value of the effective user ID."

In the above setreuid(ruid, ruid), the real uid ruid=getuid() does not change,
so the saved uid is not changed (and euid can be restored to it later).

The same manpage also says that setreuid() "is made obsolete by the saved ID
functionality in setuid(2) and seteuid(2)". And man setuid(2) says:

    "The setuid() function sets the real and effective user IDs and the saved
    set-user-ID of the current process to the specified value."

So just calling setuid(getuid()) is enough for dropping the privilege.

A simple workaround would be the following.
Or we can define BROKEN_SETRE{U,G}ID in configure.ac if $host_os is netbsd.

PS
P01privileged passes on FreeBSD-13, Dragonfly-6 and OpenBSD-7.

diff --git a/Src/openssh_bsd_setres_id.c b/Src/openssh_bsd_setres_id.c
index 217a6d074..26c7d3958 100644
--- a/Src/openssh_bsd_setres_id.c
+++ b/Src/openssh_bsd_setres_id.c
@@ -55,6 +55,16 @@
#include <unistd.h>
#include <string.h>
+#ifdef __NetBSD__
+/*
+ * On NetBSD, setreuid() does not reset the saved uid if the real uid
+ * is not modified. Better to use setuid() that resets all of real,
+ * effective and saved uids to the specified value. Same for setregid().
+ */
+#define BROKEN_SETREUID
+#define BROKEN_SETREGID
+#endif
+
#if defined(ZSH_IMPLEMENT_SETRESGID) || defined(BROKEN_SETRESGID)
int
setresgid(gid_t rgid, gid_t egid, gid_t sgid)
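
Review bot: the `#ifdef __NetBSD__` block defines BROKEN_SETREUID and BROKEN_SETREGID unconditionally inside the source file, so the platform decision would live in two places if configure ever sets the same macros (the configure.ac route mentioned in the message). Wrapping each define in `#ifndef BROKEN_SETREUID` / `#ifndef BROKEN_SETREGID`, or doing the $host_os test only in configure.ac, avoids a conflicting redefinition. The comment also describes the intended effect ("Better to use setuid()") rather than what these lines do; the code that consumes the macros is outside this hunk, so the comment should say that the defines are meant to select the setuid()/setgid() path in the wrappers below. The guard visible just below keys on ZSH_IMPLEMENT_SETRESGID or BROKEN_SETRESGID, so the new defines only matter on builds where the wrappers are compiled at all; worth confirming that is the case on NetBSD.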
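
The drop-and-verify sequence the message argues for, as an added example that is not part of the original message or of zsh's source: it drops with setgid()/setuid() and then probes whether the old effective IDs can still be restored, the condition behind the "was able to restore the e[ug]id" error. The function name and return codes are assumptions.

```c
/* Added example (not zsh source): permanent privilege drop plus a regain
 * probe. The function name and return codes are assumptions. */
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>

/* Returns 0 when the drop is permanent, -1 when a set*id() call failed,
 * -2 when an old effective ID could still be restored. On any non-zero
 * result the caller should exit rather than continue.
 * Supplementary groups are not handled here. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group first: after the uid is dropped the process may no longer
     * be permitted to change its group IDs. */
    if (setgid(rgid) != 0)
        return -1;
    /* setuid()/setgid() instead of setreuid(ruid, ruid): per the NetBSD
     * man page text quoted in the message, setuid() also resets the
     * saved ID, while setreuid() keeps it when the real ID is unchanged. */
    if (setuid(ruid) != 0)
        return -1;

    /* Probe: restoring the old effective IDs must now fail. Skipped when
     * old == real, because "restoring" the current ID always succeeds. */
    if (old_egid != rgid && (setegid(old_egid) == 0 || getegid() != rgid))
        return -2;
    if (old_euid != ruid && (seteuid(old_euid) == 0 || geteuid() != ruid))
        return -2;

    /* Final state: real and effective IDs must agree. */
    if (getuid() != geteuid() || getgid() != getegid())
        return -2;
    return 0;
}

int main(void)
{
    int rc = drop_privileges_permanently();
    printf("drop rc=%d uid=%ld euid=%ld gid=%ld egid=%ld\n", rc,
           (long)getuid(), (long)geteuid(), (long)getgid(), (long)getegid());
    return rc == 0 ? 0 : 1;
}
```

Run from an unprivileged account, the probe is skipped and the function returns 0; the -2 path is reached only when the binary starts with an effective ID that differs from the real one and the saved ID survives the drop.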