From nobody@FreeBSD.org  Mon Feb 18 04:50:27 2002
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id F364B37B404
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 18 Feb 2002 04:50:25 -0800 (PST)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g1ICoPA25468;
	Mon, 18 Feb 2002 04:50:25 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200202181250.g1ICoPA25468@freefall.freebsd.org>
Date: Mon, 18 Feb 2002 04:50:25 -0800 (PST)
From: Vitezslav Novy <vita@fio.cz>
To: freebsd-gnats-submit@FreeBSD.org
Subject: sh builtin test command sets real uid to value of euid
X-Send-Pr-Version: www-1.0

>Number:         35076
>Category:       bin
>Synopsis:       sh builtin test command sets real uid to value of euid
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    maxim
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 18 05:00:03 PST 2002
>Closed-Date:    Mon Apr 29 06:19:39 PDT 2002
>Last-Modified:  Mon Apr 29 06:19:39 PDT 2002
>Originator:     Vitezslav Novy
>Release:        4.5-RELEASE
>Organization:
>Environment:
FreeBSD vita.private.fio.cz 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Fri Feb 15 18:40:42 CET 2002     root@vita.private.fio.cz:/usr/src/sys/compile/SAMBA  i386
>Description:
sh builtin test command sets real uid to the value of euid.

Builtin test command uses code of external test command, which
sets uid to value of euid. External command exits after his job, so there is no problem.
But this code used in sh sets uid of sh which typicaly
continues and executes other commands.

Same is valid for gid.
 
>How-To-Repeat:
bash-2.05$ ls -l sh
-r-sr-xr-x  1 root  wheel  452412 Feb 18 12:45 sh
bash-2.05$ id
uid=1001(rumik) gid=1001(rumik) groups=1001(rumik), 0(wheel)
bash-2.05$ cat ttt.sh
id
test a = b
id

bash-2.05$ ./sh ttt.sh
uid=1001(rumik) euid=0(root) gid=1001(rumik) groups=1001(rumik), 0(wheel)
uid=0(root) gid=1001(rumik) groups=1001(rumik), 0(wheel)




>Fix:

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->analyzed 
State-Changed-By: maxim 
State-Changed-When: Wed Mar 6 03:20:24 PST 2002 
State-Changed-Why:  
The fix committed to -current. 


Responsible-Changed-From-To: freebsd-bugs->maxim 
Responsible-Changed-By: maxim 
Responsible-Changed-When: Wed Mar 6 03:20:24 PST 2002 
Responsible-Changed-Why:  
I have a fix for -stable. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=35076 
State-Changed-From-To: analyzed->closed 
State-Changed-By: maxim 
State-Changed-When: Mon Apr 29 06:17:13 PDT 2002 
State-Changed-Why:  
Fixed in rev. 1.42 and rev. 1.29.2.5 in -current and -stable. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=35076 
>Unformatted:
