From nobody@FreeBSD.org  Tue Oct  2 21:21:58 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id B0C62106566B
	for <freebsd-gnats-submit@FreeBSD.org>; Tue,  2 Oct 2012 21:21:58 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 9D13E8FC12
	for <freebsd-gnats-submit@FreeBSD.org>; Tue,  2 Oct 2012 21:21:58 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.5/8.14.5) with ESMTP id q92LLwXC018107
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 2 Oct 2012 21:21:58 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.5/8.14.5/Submit) id q92LLwMn018106;
	Tue, 2 Oct 2012 21:21:58 GMT
	(envelope-from nobody)
Message-Id: <201210022121.q92LLwMn018106@red.freebsd.org>
Date: Tue, 2 Oct 2012 21:21:58 GMT
From: Erik Cederstrand <erik@cederstrand.dk>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Check return value of setuid()
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         172289
>Category:       bin
>Synopsis:       [patch] ping(8): Check return value of setuid()
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    eadler
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 02 21:30:10 UTC 2012
>Closed-Date:    Sun Feb 03 03:48:55 UTC 2013
>Last-Modified:  Sun Feb 03 03:48:55 UTC 2013
>Originator:     Erik Cederstrand
>Release:        CURRENT
>Organization:
>Environment:
>Description:
When dropping root privileges, ping doesn't check the return value of setuid(). If setuid() fails, which it can do for a number of reasons, root privileges are not dropped. This is a privilege escalation.
>How-To-Repeat:

>Fix:
Check return value of setuid and abort if it fails.

Patch attached with submission follows:

Index: ping.c
===================================================================
--- ping.c	(revision 240960)
+++ ping.c	(working copy)
@@ -255,7 +255,8 @@
 	s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
 	sockerrno = errno;
 
-	setuid(getuid());
+	if (setuid(getuid()) != 0)
+        err(EX_NOPERM, "setuid() failed");
 	uid = getuid();
 
 	alarmtimeout = df = preload = tos = 0;
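Review bot: the new `err()` line is indented with eight spaces while the surrounding lines use tabs; style(9) wants a single tab there. `EX_NOPERM` is a sysexits(3) constant, so the hunk only compiles if ping.c already includes `<sysexits.h>`, which is not visible in this context and is worth confirming. The check itself is the right shape: with euid 0 a successful `setuid(getuid())` sets the real, effective and saved uid, and `err()` appends strerror(errno) and exits before any ICMP traffic is sent, so a failed drop can no longer continue with root privileges. One could also pass the errno-free message `"setuid"` instead of `"setuid() failed"`, matching the `err(3)` convention used elsewhere in the file.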


>Release-Note:
>Audit-Trail:

From: Erik Cederstrand <erik@cederstrand.dk>
To: bug-followup@FreeBSD.org,
 Eitan Adler <lists@eitanadler.com>
Cc:  
Subject: Re: bin/172289: Check return value of setuid()
Date: Tue, 2 Oct 2012 23:45:58 +0200

 ping6 also lacks a check on the return value, btw. Patch attached.
 
 Erik
 
 
 Index: ping6.c
 ===================================================================
 --- ping6.c	(revision 240960)
 +++ ping6.c	(working copy)
 @@ -702,8 +702,10 @@
  	}
  
  	/* revoke root privilege */
 -	seteuid(getuid());
 -	setuid(getuid());
 +	if (seteuid(getuid()) != 0)
 +			err(1, "seteuid() failed");
 +	if (setuid(getuid()) != 0)
 +			err(1, "setuid() failed");
  
  	if ((options & F_FLOOD) && (options & F_INTERVAL))
  		errx(1, "-f and -i incompatible options");
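Review bot: the two `err()` calls are indented three tabs under a one-tab `if`, one level deeper than the ping.c hunk and than style(9); two tabs is the convention. The exit status also differs from the ping.c patch (`err(1, ...)` here versus `err(EX_NOPERM, ...)` there); pick one for both. Keeping the existing `seteuid()` before `setuid()` is harmless now that each failure aborts, but note that the first call is redundant on FreeBSD: `setuid()` with euid 0 already sets all three uids, and if `seteuid()` succeeded while `setuid()` failed, the saved uid would still be 0, which is exactly the case the second check catches.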
 
Responsible-Changed-From-To: freebsd-bugs->eadler 
Responsible-Changed-By: eadler 
Responsible-Changed-When: Tue Oct 2 21:59:43 UTC 2012 
Responsible-Changed-Why:  
I'll take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=172289 

From: Andriy Gapon <avg@FreeBSD.org>
To: bug-followup@FreeBSD.org, erik@cederstrand.dk
Cc:  
Subject: Re: bin/172289: Check return value of setuid()
Date: Wed, 03 Oct 2012 12:07:41 +0300

 > If setuid() fails, which it can do for a number of reasons, root privileges
 > are not dropped.
 
 Could you please list some reasons for setuid failing when called with root
 privileges?
 
 -- 
 Andriy Gapon

From: Erik Cederstrand <erik@cederstrand.dk>
To: Andriy Gapon <avg@freebsd.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/172289: Check return value of setuid()
Date: Wed, 3 Oct 2012 11:34:41 +0200

 On 03/10/2012 at 11.07, Andriy Gapon <avg@freebsd.org> wrote:
 
 >> If setuid() fails, which it can do for a number of reasons, root privileges
 >> are not dropped.
 > 
 > Could you please list some reasons for setuid failing when called with root
 > privileges?
 
 I'm not an expert on this, so I'm relying on answers from others. kostik@ had
 this comment on freebsd-security@:
 
     setuid() might also fail for other reasons, e.g. due to custom MAC module.
 
 Then there's the nproc limit described here:
 http://www.bress.net/blog/archives/34-setuid-madness.html but I'm uncertain if
 it applies to FreeBSD. For portability reasons, it may be a good idea to check
 the return value anyway, since it does apply to Linux.
 
 Even if it's not a problem now, if the implementation of setuid() ever changes,
 intentionally or unintentionally, then it may become a problem.
 
 For reference, I have filed similar PRs 172290 and 172291 for at(1) and lpr(1).
 This covers 90% of the cases in base.
 
 Erik
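The failure modes discussed in this message (a MAC policy denying the call, a per-user process limit on Linux, a future change in setuid() semantics) all share one consequence: an unchecked `setuid(getuid())` silently leaves the process running as root. The following is an added example, not ping(8)'s code and not part of this PR, showing the privilege-drop pattern with the return value checked and the result verified before the program continues. `drop_privileges()` and `open_raw_icmp_unprivileged()` are hypothetical helpers written for this illustration; the second one mirrors ping's order of operations (acquire the raw socket while privileged, save errno, drop root, then act on the result).

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

/*
 * Permanently drop to `target` and verify that it happened.
 * Returns 0 on success; -1 (errno set) if setuid() failed or the process
 * could still regain uid 0 afterwards. Hypothetical helper for this example.
 */
int drop_privileges(uid_t target)
{
	/*
	 * With euid 0, setuid() sets the real, effective and saved uid.
	 * It can still fail: a MAC policy may deny it, and on Linux the
	 * target user's RLIMIT_NPROC can yield EAGAIN (both are mentioned
	 * in the PR thread). An unchecked failure leaves euid 0.
	 */
	if (setuid(target) != 0)
		return -1;

	/* Confirm the real and effective ids actually changed ... */
	if (getuid() != target || geteuid() != target) {
		errno = EPERM;
		return -1;
	}
	/*
	 * ... and, when root was given up, that it cannot be regained via a
	 * saved uid of 0 (the situation a lone seteuid() would leave behind).
	 * seteuid(0) must fail now; if it succeeds, undo it and report.
	 */
	if (target != 0 && seteuid(0) == 0) {
		(void)seteuid(target);
		errno = EPERM;
		return -1;
	}
	return 0;
}

/*
 * Same sequence as ping's start-up: open the privileged resource first,
 * drop root, then look at the socket result. Returns the socket fd (caller
 * closes it), -1 if socket() failed (errno restored), or -2 if the
 * privilege drop failed, in which case nothing privileged may continue.
 */
int open_raw_icmp_unprivileged(void)
{
	int s, sockerrno;

	s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
	sockerrno = errno;

	if (drop_privileges(getuid()) != 0) {
		int e = errno;
		if (s >= 0)
			close(s);
		fprintf(stderr, "setuid() failed: %s\n", strerror(e));
		errno = e;
		return -2;	/* ping's patch calls err(EX_NOPERM, ...) here */
	}
	if (s < 0) {
		errno = sockerrno;
		return -1;
	}
	return s;
}

int main(void)
{
	int s = open_raw_icmp_unprivileged();

	if (s == -2)
		return 77;
	if (s < 0) {
		fprintf(stderr, "raw socket: %s (expected when not root)\n",
		    strerror(errno));
		return 1;
	}
	printf("raw ICMP socket open, now uid %u / euid %u\n",
	    (unsigned)getuid(), (unsigned)geteuid());
	close(s);
	return 0;
}
```

Run as an ordinary user the raw socket fails with EPERM but the privilege drop is a no-op that succeeds; run setuid-root, the socket opens and the program continues only if root was verifiably given up. The verification step is deliberately separate from the `setuid()` check: it catches the case Erik raises, where the implementation changes underneath the program, and it costs one extra system call at start-up.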

From: Erik Cederstrand <erik@cederstrand.dk>
To: Andriy Gapon <avg@freebsd.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/172289: Check return value of setuid()
Date: Thu, 4 Oct 2012 09:50:04 +0200

 On 03/10/2012 at 11.34, Erik Cederstrand <erik@cederstrand.dk> wrote:
 
 > On 03/10/2012 at 11.07, Andriy Gapon <avg@freebsd.org> wrote:
 > 
 >>> If setuid() fails, which it can do for a number of reasons, root privileges
 >>> are not dropped.
 >> 
 >> Could you please list some reasons for setuid failing when called with root
 >> privileges?
 
 For the record, other programs in base already check the return value of
 setuid. dhclient, cron and sendmail, for example.
 
 Erik
State-Changed-From-To: open->analyzed 
State-Changed-By: eadler 
State-Changed-When: Thu Oct 11 14:14:13 UTC 2012 
State-Changed-Why:  
awaiting approval / review 

http://www.freebsd.org/cgi/query-pr.cgi?pr=172289 
State-Changed-From-To: analyzed->patched 
State-Changed-By: eadler 
State-Changed-When: Thu Oct 25 23:22:13 UTC 2012 
State-Changed-Why:  
committed in HEAD 

http://www.freebsd.org/cgi/query-pr.cgi?pr=172289 
State-Changed-From-To: patched->closed 
State-Changed-By: eadler 
State-Changed-When: Sun Feb 3 03:48:54 UTC 2013 
State-Changed-Why:  
MFCed/fixed by now or it will never be MFCed 

http://www.freebsd.org/cgi/query-pr.cgi?pr=172289 
>Unformatted:
