From: utzoo!decvax!harpo!eagle!mhtsa!alice!sjb
Newsgroups: net.bugs.4bsd
Title: Fix to 4.1bsd setgid problem
Article-I.D.: alice.1386
Posted: Sun Jan 9 23:16:37 1983
Received: Mon Jan 10 03:11:54 1983

The following I recently posted to net.unix-wizards but neglected to post it here. So sorry.

>From sjb (Adam L. Buchsbaum) Sun Jan 9 23:13:39 1983
Subject: Re: protect kmem and setgid programs
Newsgroups: net.unix-wizards

Unfortunately, 4.1bsd allows anyone who owns a file to set the setgid bit regardless of whether or not they belong in its group, and if you can cause a setgid program to dump core, you have a file which belongs to a supposedly privileged group; you can then put anything you want in that file and make it setgid. There is a two-line fix to the kernel which I installed on our comet a few months ago. It does not permit a person to set the setgid bit of a file unless his/her gid matches that of the file. The fix follows:

*** osys4.c	Sun Jan 9 23:01:51 1983
--- sys4.c	Sun Jan 9 23:01:34 1983
***************
*** 261,266
  	ip->i_mode &= ~07777;
  	if (u.u_uid)
  		uap->fmode &= ~ISVTX;
  	ip->i_mode |= uap->fmode&07777;
  	ip->i_flag |= ICHG;
  	if (ip->i_flag&ITEXT && (ip->i_mode&ISVTX)==0)
--- 261,268 -----
  	ip->i_mode &= ~07777;
  	if (u.u_uid)
  		uap->fmode &= ~ISVTX;
+ 	if (u.u_uid && u.u_gid != ip->i_gid)
+ 		uap->fmode &= ~ISGID;
  	ip->i_mode |= uap->fmode&07777;
  	ip->i_flag |= ICHG;
  	if (ip->i_flag&ITEXT && (ip->i_mode&ISVTX)==0)
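Review bot: the added test silently drops ISGID from uap->fmode rather than failing the call, so a chmod(2) that requests the setgid bit on a file of another group returns success with the bit missing; this mirrors how the ISVTX line just above treats non-root callers, but the caller gets no indication. If an error is preferred, set u.u_error to EPERM and return before the mode is written. Note also that the comparison is against u.u_gid alone, the process's single group id in 4.1bsd, so the only bypass of the new check is the u.u_uid == 0 exemption it shares with the sticky-bit line.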
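As an added illustration (not code from the post or from the 4.1bsd kernel), the chmod mode logic before and after the two added lines, modelled in user-space C and run against the scenario the post describes: an unprivileged owner of a core file that belongs to a privileged group. The `ctx` and `file` structs and the uid/gid values are constructed stand-ins for u.u_uid, u.u_gid, ip->i_gid and ip->i_mode.

```c
#include <stdio.h>

/* Mode bits as the 4.1bsd kernel names them (octal, like the patch). */
#define ISGID 02000
#define ISVTX 01000

/* Constructed stand-ins for the kernel fields the chmod path consults. */
struct ctx  { unsigned uid; unsigned gid; };   /* u.u_uid, u.u_gid      */
struct file { unsigned gid; int mode; };       /* ip->i_gid, ip->i_mode */

/* Unpatched chmod(2): only the sticky bit is reserved for root. */
static int chmod_mode_old(const struct ctx *u, struct file *ip, int fmode)
{
    ip->mode &= ~07777;
    if (u->uid)
        fmode &= ~ISVTX;
    ip->mode |= fmode & 07777;
    return ip->mode;
}

/* Patched chmod(2): a non-root caller whose gid differs from the
 * file's gid also loses the setgid bit from the requested mode. */
static int chmod_mode_new(const struct ctx *u, struct file *ip, int fmode)
{
    ip->mode &= ~07777;
    if (u->uid)
        fmode &= ~ISVTX;
    if (u->uid && u->gid != ip->gid)
        fmode &= ~ISGID;
    ip->mode |= fmode & 07777;
    return ip->mode;
}

/* The post's scenario: user (uid 1000, gid 100) owns a core file whose
 * group is a privileged group (gid 1) and asks for mode 02755.
 * Returns the setgid bit that survives (ISGID or 0). */
int setgid_survives(int patched)
{
    struct ctx u = { 1000, 100 };
    struct file core = { 1, 0644 };        /* dumped core, group 1 */
    int mode = patched ? chmod_mode_new(&u, &core, 02755)
                       : chmod_mode_old(&u, &core, 02755);
    return mode & ISGID;
}

int main(void)
{
    printf("unpatched setgid=%o, patched setgid=%o\n",
           setgid_survives(0), setgid_survives(1));
    return 0;
}
```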