From Tor.Egge@idt.ntnu.no  Mon Feb 17 19:16:37 1997
Received: from pat.idt.unit.no (0@pat.idt.unit.no [129.241.103.5])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id TAA08284
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 17 Feb 1997 19:16:20 -0800 (PST)
Received: from presis.idt.ntnu.no (tegge@presis.idt.ntnu.no [129.241.111.173])
	by pat.idt.unit.no (8.8.5/8.8.5) with ESMTP id EAA07911
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 18 Feb 1997 04:15:31 +0100 (MET)
Received: (from tegge@localhost)
	by presis.idt.ntnu.no (8.8.5/8.8.5) id EAA15772;
	Tue, 18 Feb 1997 04:15:22 +0100 (MET)
Message-Id: <199702180315.EAA15772@presis.idt.ntnu.no>
Date: Tue, 18 Feb 1997 04:15:22 +0100 (MET)
From: Tor Egge <Tor.Egge@idt.ntnu.no>
Reply-To: Tor.Egge@idt.ntnu.no
To: FreeBSD-gnats-submit@freebsd.org
Subject: execve() does not handle the P_SUGID flag correctly.
X-Send-Pr-Version: 3.2

>Number:         2757
>Category:       kern
>Synopsis:       execve() does not handle the P_SUGID process flag correctly.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 17 19:20:01 PST 1997
>Closed-Date:    Tue Feb 18 19:54:53 PST 1997
>Last-Modified:  Tue Feb 18 19:55:15 PST 1997
>Originator:     Tor Egge
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
Norwegian University of Science and Technology, Trondheim, Norway
>Environment:

FreeBSD presis.idt.ntnu.no 3.0-CURRENT FreeBSD 3.0-CURRENT #0: Sun Feb  2 18:59:48 MET 1997     root@ikke.idt.unit.no:/usr/src/sys-UP/compile/PRESIS  i386

>Description:

execve() clears the P_SUGID process flag if the binary being executed
does not have the setuid or setgid permission bits set.

It does so even when the effective uid differs from the real uid or
the effective gid differs from the real gid. Under those circumstances
the process still has set-id privileges, and the P_SUGID flag should
not be cleared.

>How-To-Repeat:

>Fix:
	
Index: kern_exec.c
===================================================================
RCS file: /export/akg1/cvs/src/sys/kern/kern_exec.c,v
retrieving revision 1.49
diff -c -r1.49 kern_exec.c
*** kern_exec.c	1997/01/14 06:43:19	1.49
--- kern_exec.c	1997/01/26 16:36:08
***************
*** 285,291 ****
  			p->p_ucred->cr_groups[0] = attr.va_gid;
  		p->p_flag |= P_SUGID;
  	} else {
! 		p->p_flag &= ~P_SUGID;
  	}
  
  	/*
--- 285,293 ----
  			p->p_ucred->cr_groups[0] = attr.va_gid;
  		p->p_flag |= P_SUGID;
  	} else {
! 	        if (p->p_ucred->cr_uid == p->p_cred->p_ruid &&
! 		    p->p_ucred->cr_gid == p->p_cred->p_rgid)
! 			p->p_flag &= ~P_SUGID;
  	}
  
  	/*
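Review bot: the new condition in the else branch deserves a one-line comment, since it is not obvious from the code alone why P_SUGID survives an exec of a non-set-id binary; something like "keep P_SUGID if the effective ids still differ from the real ids, as the process remains privileged" above the `if (p->p_ucred->cr_uid == p->p_cred->p_ruid &&` line would make the intent clear to the next reader. As a style point, that same line is indented with a tab followed by eight spaces while the surrounding lines use tabs only; please reindent with tabs so the block matches the rest of the file.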


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: davidg 
State-Changed-When: Tue Feb 18 19:54:53 PST 1997 
State-Changed-Why:  
Suggested change was applied. Thanks! 
>Unformatted:
