Some thoughts about security in correct_password.c

Tito farmatito at tiscali.it
Fri Dec 23 14:41:58 UTC 2005


On Friday 23 December 2005 15:00, you wrote:
> Tito,
> 
> >         if (( strcmp ( pw-> pw_passwd, "x" ) == 0 ) || ( strcmp ( pw-> pw_passwd, "*" ) == 0 )) {
> > +               seteuid(0);
> 
> Its nonsese for me. If euid!=0 you can`t allow usage any seteuid(n).
> 
> 
> --w
> vodz
> 
From man setuid:
      Thus, a setuid-root program wishing to  temporarily  drop  root  privi-
       leges,  assume  the  identity  of a non-root user, and then regain root
       privileges afterwards cannot use setuid.  You can accomplish this  with
       the (non-POSIX, BSD) call seteuid.

From man seteuid:
       seteuid  sets  the  effective user ID of the current process.  Unprivi-
       leged user processes may only set the effective user  ID  to  the  real
       user ID, the effective user ID or the saved user ID.

Maybe I misunderstood the man pages.... :-)
Don't worry about it, was just a thought.

Merry Christmas and Ciao,

Tito



More information about the busybox mailing list