Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!sco!chapman
From: chapman@sco.COM (Brian Chapman)
Newsgroups: comp.unix.wizards
Subject: setpgrp() bug?
Message-ID: <408@sco>
Date: Tue, 1-Dec-87 04:24:59 EST
Article-I.D.: sco.408
Posted: Tue Dec  1 04:24:59 1987
Date-Received: Sat, 5-Dec-87 06:38:46 EST
References: <1765@unc.cs.unc.edu> <910@mcgill-vision.UUCP> <1261@saturn.ucsc.edu>
Reply-To: chapman@sco.COM (Brian Chapman Mx321)
Organization: The Santa Cruz Operation, Inc.
Lines: 46
Keywords: BSD setpgrp kill

In article <1261@saturn.ucsc.edu> haynes@ucscc.UCSC.EDU (Jim Haynes) writes:
< Incidentally, there's a security hole connected with setpgrp()
< in that the system doesn't check whether the pgrp number you
< proffer is already in use by somebody else.  So with a little
< cleverness you can attach to the pgrp of someone else's process
< and proceed to kill it.
< 
< haynes@ucscc.ucsc.edu
< haynes@ucscc.bitnet
< ..ucbvax!ucscc!haynes

Humm, are you talking about BSD or SYS V?

I have SYS V manuals and kernel source right here handy
and there is nothing obviously wrong.

SYSTEM V setpgrp() takes no arguments and sets the process
group number equal to the pid.  Elsewhere in the kernel the
definition of a process group leader is the process where
p->p_pid == p->p_pgrp.

So, you cannot get in someone else's process group as long as
the group leader is alive.  OK... what if the leader is
dead (the user nohuped some processes and logged out).
I looked at exit() and right in the loop where the
children are given to proc 1 there is a check for

if(p->p_pid == q->p_pgrp) q->p_pgrp = 0;
where p is the process dying and q is the pointer
that is looping through the proc table.

So, you cannot get into a process group as long as the
process group leader is alive and if the group leader
dies then the process group is dissolved.

Well, I looked at kill just for good measure.  The
arguments of 0 "kill my process group" and the
arguments < 0 for killing some process group == abs(arg)
all check that the uid/ruid of the user is either
0 or equal to the p_uid/p_suid of the process.
So even if I missed something in the process group stuff
it doesn't look like kill() would do anything for you.

All this would lead me to believe that you are talking
about BSD.  But then I _know_ you administer BSD systems!
	-- Brian Chapman (ucsc alum)
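An added example, not part of the article or the thread, that exercises the three checks walked through above on a modern POSIX system (Linux or a BSD). It assumes POSIX spellings: setpgid(0, 0) stands in for the argument-less SYS V setpgrp(), setsid() puts a child into a fresh session, and kill(-pgrp, 0) performs only the permission check without delivering a signal. It goes a little beyond the article by showing the same-session rule that POSIX added to setpgid(): a process cannot adopt the group number of a leader that lives in another session, which is exactly the check the quoted article says was missing.

```c
/* Process-group checks from the article, tried on a modern POSIX system.
 * Added example; not code from the original article.  Assumes Linux/BSD
 * semantics for setpgid(), setsid(), getpgid() and kill(). */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child that runs `setup` and then blocks forever; return its pid
 * once it has reported readiness through a pipe, or -1 on failure. */
static pid_t spawn_blocked(int (*setup)(void))
{
    int fds[2];
    if (pipe(fds) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        close(fds[0]);
        if (setup() == -1) _exit(2);
        (void)write(fds[1], "r", 1);   /* tell the parent we are set up */
        close(fds[1]);
        for (;;) pause();
    }
    close(fds[1]);
    char c;
    if (read(fds[0], &c, 1) != 1) {    /* child failed before reporting */
        kill(pid, SIGKILL); waitpid(pid, NULL, 0); close(fds[0]);
        return -1;
    }
    close(fds[0]);
    return pid;
}

static void reap(pid_t pid) { kill(pid, SIGKILL); waitpid(pid, NULL, 0); }

/* setpgid(0, 0) == SYS V setpgrp(): become leader of a group named by own pid. */
static int become_leader(void) { return setpgid(0, 0); }
/* setsid(): new session and new group, both named by own pid. */
static int new_session(void)  { return setsid() == -1 ? -1 : 0; }

/* 1. A group leader is the process whose pgrp equals its pid.  Returns 1
 *    when that holds for the child, 0 otherwise. */
int leader_pgrp_equals_pid(void)
{
    pid_t pid = spawn_blocked(become_leader);
    if (pid == -1) return 0;
    int ok = (getpgid(pid) == pid);
    reap(pid);
    return ok;
}

/* 2. Try, from a process in our session, to join the group of a leader that
 *    lives in another session.  Returns the errno the attempt produced
 *    (expected EPERM), 0 if it unexpectedly succeeded, -1 on setup failure. */
int join_foreign_session_pgrp(void)
{
    pid_t leader = spawn_blocked(new_session);   /* after setsid, pgrp == pid */
    if (leader == -1) return -1;
    pid_t tester = fork();
    if (tester == -1) { reap(leader); return -1; }
    if (tester == 0)
        _exit(setpgid(0, leader) == -1 ? errno : 0);
    int status = 0;
    waitpid(tester, &status, 0);
    reap(leader);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* 3. kill()'s permission check for a whole group: signal 0 delivers nothing
 *    but still applies the uid test the article describes.  Both processes
 *    run under the same uid, so the probe is expected to return 0. */
int kill_probe_own_uid_group(void)
{
    pid_t leader = spawn_blocked(become_leader);
    if (leader == -1) return -1;
    int rc = kill(-leader, 0);
    int err = (rc == -1) ? errno : 0;
    reap(leader);
    return err;
}

int main(void)
{
    printf("leader pgrp == pid: %d\n", leader_pgrp_equals_pid());
    printf("join foreign-session group: errno %d (EPERM is %d)\n",
           join_foreign_session_pgrp(), EPERM);
    printf("kill(-pgrp, 0) on own-uid group: %d\n", kill_probe_own_uid_group());
    return 0;
}
```

The second function is the interesting one for the article's question: on SYS V the answer was "the leader is alive, so the name is taken", while POSIX additionally refuses any group whose leader is outside the caller's session, so a nohup'ed leftover in another login session cannot be joined even after its leader has gone.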