Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!sco!chapman
From: chapman@sco.COM (Brian Chapman)
Newsgroups: comp.unix.wizards
Subject: setpgrp() bug?
Message-ID: <408@sco>
Date: Tue, 1-Dec-87 04:24:59 EST
Article-I.D.: sco.408
Posted: Tue Dec 1 04:24:59 1987
Date-Received: Sat, 5-Dec-87 06:38:46 EST
References: <1765@unc.cs.unc.edu> <910@mcgill-vision.UUCP> <1261@saturn.ucsc.edu>
Reply-To: chapman@sco.COM (Brian Chapman Mx321)
Organization: The Santa Cruz Operation, Inc.
Lines: 46
Keywords: BSD setpgrp kill

In article <1261@saturn.ucsc.edu> haynes@ucscc.UCSC.EDU (Jim Haynes) writes:
< Incidentally, there's a security hole connected with setpgrp()
< in that the system doesn't check whether the pgrp number you
< proffer is already in use by somebody else. So with a little
< cleverness you can attach to the pgrp of someone else's process
< and proceed to kill it.
<
< haynes@ucscc.ucsc.edu
< haynes@ucscc.bitnet
< ..ucbvax!ucscc!haynes

Humm, are you talking about BSD or SYS V? I have SYS V manuals and
kernel source right here handy and there is nothing obviously wrong.

SYSTEM V setpgrp() takes no arguments and sets the process group number
equal to the pid. Elsewhere in the kernel the definition of a process
group leader is the process where p->p_pid == p->p_pgrp. So, you cannot
get in someone else's process group as long as the group leader is alive.

OK... what if the leader is dead (the user nohuped some processes and
logged out). I looked at exit() and right in the loop where the children
are given to proc 1 there is a check for

	if(p->p_pid == q->p_pgrp) q->p_pgrp = 0;

where p is the process dying and q is the pointer that is looping through
the proc table. So, you cannot get into a process group as long as the
process group leader is alive, and if the group leader dies then the
process group is dissolved.

Well, I looked at kill just for good measure. The arguments of 0 ("kill my
process group") and the arguments < 0 (for killing some process group ==
abs(arg)) all check that the uid/ruid of the user is either 0 or equal to
the p_uid/p_suid of the process. So even if I missed something in the
process group stuff it doesn't look like kill() would do anything for you.

All this would lead me to believe that you are talking about BSD. But
then I _know_ you administer BSD systems!
--
Brian Chapman (ucsc alum)
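The three SYS V checks Brian walks through (setpgrp() with no argument, the exit() loop that dissolves a dead leader's group, and kill()'s uid test for the 0 and negative-pid cases) can be exercised on a small model of the proc table. This is an added illustration, not code from the posting or from any SYS V kernel; the table, pids and uids in it are constructed, and treating a dissolved group (p_pgrp 0) as having no members is a modelling choice.

```c
#include <errno.h>
#include <stddef.h>

/* Model of the SYS V checks described in the post; constructed here, not kernel code. */
#define NPROC 8
struct proc { int p_pid, p_ppid, p_pgrp, p_uid, p_suid, alive; };
static struct proc proctab[NPROC];

/* Constructed table: proc 1; user 100's leader 10 with children 11, 12; user 200's pid 20. */
static void setup_table(void) {
    static const struct proc t[] = {
        { 1, 0, 1, 0, 0, 1 }, { 10, 1, 10, 100, 100, 1 }, { 11, 10, 10, 100, 100, 1 },
        { 12, 10, 10, 100, 100, 1 }, { 20, 1, 20, 200, 200, 1 } };
    for (int i = 0; i < NPROC; i++) proctab[i] = i < 5 ? t[i] : (struct proc){ 0 };
}

static struct proc *lookup(int pid) {   /* NULL once the process has exited */
    for (int i = 0; i < NPROC; i++) if (proctab[i].alive && proctab[i].p_pid == pid) return &proctab[i];
    return NULL;
}

/* SYS V setpgrp() takes no argument: the caller can only lead its own group. */
static int sysv_setpgrp(struct proc *p) { return p->p_pgrp = p->p_pid; }

/* The exit() loop quoted in the post: children are given to proc 1 and every
 * process whose p_pgrp is the dying pid gets p_pgrp = 0 (group dissolved). */
static void sysv_exit(struct proc *p) {
    for (int i = 0; i < NPROC; i++) {
        struct proc *q = &proctab[i];
        if (!q->alive || q == p) continue;
        if (q->p_ppid == p->p_pid) q->p_ppid = 1;
        if (p->p_pid == q->p_pgrp) q->p_pgrp = 0;
    }
    p->alive = 0;
}

/* kill()'s per-target test as described: sender is root or its uid matches the target. */
static int may_signal(const struct proc *s, const struct proc *t) {
    return s->p_uid == 0 || s->p_uid == t->p_uid || s->p_uid == t->p_suid;
}

/* kill(pid) for the group cases only: pid 0 = caller's group, pid < 0 = group abs(pid).
 * Counts deliverable targets instead of signalling them; returns 0 or -errno. */
static int sysv_kill(const struct proc *s, int pid, int *delivered) {
    int pgrp = pid == 0 ? s->p_pgrp : -pid, found = 0;
    *delivered = 0;
    if (pgrp <= 0) return -ESRCH; /* model choice: a dissolved group (0) has no members */
    for (int i = 0; i < NPROC; i++) {
        const struct proc *t = &proctab[i];
        if (!t->alive || t->p_pgrp != pgrp) continue;
        found++;
        if (may_signal(s, t)) (*delivered)++;
    }
    return !found ? -ESRCH : *delivered ? 0 : -EPERM;
}
```

Run through the scenario from the post: user 200 cannot place itself in group 10, its kill(-10) is refused for every member, and once leader 10 exits the group no longer exists to be signalled.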