Posted Jul 21, 2011 9:02 UTC (Thu) by Comet (subscriber, #11646)
Parent article: RLIMIT_NPROC and setuid()
In part the problem is that *only* Linux can fail setuid(), since only Linux lets an untrusted user manipulate the environment to affect a security-critical trust transition of the superuser account. And not even the environment of the process itself (such as capabilities), but a restriction induced by arbitrary other processes.
Software written on other OSes, where setuid() can only fail with EPERM, is not buggy on those OSes. It might not be *robust*, in being portable to unpredicted future environments, but it's not buggy either. Until it's run on Linux.
Thus CVE-2011-0017 affecting Exim, fixed with 4.74 in January of this year. Exim was originally written on Solaris. When a root-started daemon, with a clean environment, fails to transition to the user which exists solely to be the unprivileged user, you have a potential privilege escalation attack, on just the one OS.
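As an added illustration (not Exim's code and not from the article), here is the check a root-started daemon needs on Linux, where setuid() can fail with EAGAIN when the target user is already at its RLIMIT_NPROC: every failure is treated as fatal instead of quietly continuing as root. The function name drop_privileges and the error message are this example's own assumptions.

```c
#define _GNU_SOURCE             /* for setgroups() in <grp.h> on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to the given unprivileged uid/gid, failing closed on any error.
 * On Linux setuid() can fail with EAGAIN when the target uid is already at
 * its RLIMIT_NPROC; a daemon that ignores the return value keeps running as
 * root.  Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups first; only possible while still privileged. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Group before user: after setuid() we could no longer change the gid. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the transition actually took effect (real and effective ids). */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Demo only: dropping to our own ids always succeeds.  A real daemon
     * would pass the ids of its dedicated unprivileged account here. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed: %s%s\n", strerror(errno),
                errno == EAGAIN ? " (RLIMIT_NPROC reached)" : "");
        return 1;   /* never continue as root */
    }
    puts("running with the intended ids");
    return 0;
}
```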