**********************************************************************
DDN MGT Bulletin 58              DCA DDN Defense Communications System
24 Apr 89                        Published by: DDN Network Info Center
                                   ([email protected])  (800) 235-3155

                       DEFENSE  DATA  NETWORK
                        MANAGEMENT  BULLETIN

The DDN MANAGEMENT BULLETIN is distributed online by the DDN Network
Information Center under DCA contract as a means of communicating
official policy, procedures and other information of concern to
management personnel at DDN facilities.  Back issues may be read
through the TACNEWS server ("@n" command at the TAC) or may be
obtained by FTP (or Kermit) from the SRI-NIC host [26.0.0.73 or
10.0.0.51] using login="anonymous" and password="guest".  The pathname
for bulletins is DDN-NEWS:DDN-MGT-BULLETIN-nn.TXT (where "nn" is the
bulletin number).

**********************************************************************

          SECURITY PROBLEM IN `FCHOWN' COMMAND

APPLICABLE OPERATING SYSTEM:  UNIX (unmodified 4.3BSD and 4.3BSD-tahoe)

 PROBLEM: There's a security problem associated with 4.3BSD and
          4.3BSD-tahoe systems involving the chown(2) system call.

  STATUS: The enclosed fix was broadcast on comp.bugs.4bsd.ucb-fixes as
          patch V1.77.


CONTACTS: CERT at (412) 268-7090  for general problem information.
          SRI/NIC at 1-800-235-3155 for general information.
          Your vendor for your site-specific information.

 NOTE(1): This bulletin represents the best information available
          at this time to fix this problem.  As with any program
          modification, CHECK WITH YOUR VENDOR BEFORE APPLYING.

 NOTE(2): Only those sites which have acquired these operating systems
          directly from Berkeley sources and not through a vendor are
          known to be affected.  The problem may exist in 4.3BSD-derived
          systems; contact your vendor for more information.


- ---------------------------- PATCH FOLLOWS ----------------------------

*** /tmp/d04748 Thu Jan 26 21:04:17 1989
- --- ufs_syscalls.c    Wed Jan 25 09:44:50 1989
***************
*** 3,9 ****
  * All rights reserved.  The Berkeley software License Agreement
  * specifies the terms and conditions for redistribution.
  *
!  *    @(#)ufs_syscalls.c      7.3 (Berkeley) 4/18/87
  */

 #include "param.h"
- --- 3,9 ----
  * All rights reserved.  The Berkeley software License Agreement
  * specifies the terms and conditions for redistribution.
  *
!  *    @(#)ufs_syscalls.c      7.4 (Berkeley) 1/24/89
  */

 #include "param.h"
***************
*** 600,607 ****
               int     uid;
               int     gid;
       } *uap = (struct a *)u.u_ap;

!       if ((ip = owner(uap->fname, NOFOLLOW)) == NULL)
               return;
       u.u_error = chown1(ip, uap->uid, uap->gid);
       iput(ip);
- --- 600,612 ----
               int     uid;
               int     gid;
       } *uap = (struct a *)u.u_ap;
+       register struct nameidata *ndp = &u.u_nd;

!       ndp->ni_nameiop = LOOKUP | NOFOLLOW;
!       ndp->ni_segflg = UIO_USERSPACE;
!       ndp->ni_dirp = uap->fname;
!       ip = namei(ndp);
!       if (ip == NULL)
               return;
       u.u_error = chown1(ip, uap->uid, uap->gid);
       iput(ip);
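Review bot: With the `owner()` call replaced by a bare `namei()` lookup, nothing at this call site shows where the caller's right to change the file is checked. The check appears to have moved into `chown1()` (the `u.u_uid != ip->i_uid` test added in the later hunk of this patch). A one-line comment above the `chown1()` call, such as `/* ownership and privilege are checked in chown1() */`, would keep a later reader from treating the lookup as unguarded or adding a second, divergent check. The enclosing function starts and ends outside the hunk.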
***************
*** 647,655 ****
               uid = ip->i_uid;
       if (gid == -1)
               gid = ip->i_gid;
!       if (uid != ip->i_uid && !suser())
!               return (u.u_error);
!       if (gid != ip->i_gid && !groupmember((gid_t)gid) && !suser())
               return (u.u_error);
 #ifdef QUOTA
       if (ip->i_uid == uid)           /* this just speeds things a little */
- --- 652,664 ----
               uid = ip->i_uid;
       if (gid == -1)
               gid = ip->i_gid;
!       /*
!        * If we don't own the file, are trying to change the owner
!        * of the file, or are not a member of the target group,
!        * the caller must be superuser or the call fails.
!        */
!       if ((u.u_uid != ip->i_uid || uid != ip->i_uid ||
!           !groupmember((gid_t)gid)) && !suser())
               return (u.u_error);
 #ifdef QUOTA
       if (ip->i_uid == uid)           /* this just speeds things a little */
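Review bot: The rewritten test calls `groupmember((gid_t)gid)` unconditionally, where the old code asked only when `gid != ip->i_gid`, so an owner who is not a member of the file's current group now needs superuser even for a call that leaves the group unchanged (including `gid == -1`, which was just mapped to `ip->i_gid`). That fails closed, so it is not a hole, but it looks unintended; keeping the comparison, `(gid != ip->i_gid && !groupmember((gid_t)gid))) && !suser())`, retains the new ownership check without the extra refusal. The `return (u.u_error)` also depends on `suser()` having set the error code, which is not visible here and deserves a word in the new comment. The body of chown1 starts before and continues after the hunk.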


- -------
