[Exim] setuid exim invoked with file descriptors 0,1,2 close…

Author: Jeremy C. Reed
Date:  
To: exim-users
Subject: [Exim] setuid exim invoked with file descriptors 0,1,2 closed
I read that on a NetBSD system, Exim 4.04 caused:

set{u,g}id pid 17149 (exim-4.04-1) was invoked by uid 104 ppid 209
(exim-4.04-1) with fd 0,1,2 closed

FreeBSD's recent security announcement explains:

In new processes, all file descriptors are duplicated from the parent
process. Unless these descriptors are marked close-on-exec, they retain
their state during an exec.

All POSIX systems assign file descriptors in sequential order, starting
with the lowest unused file descriptor. For example, if a newly exec'd
process has file descriptors 0 and 1 open, but file descriptor 2 closed,
and then opens a file, the new file descriptor is guaranteed to be 2
(standard error).

... Some programs are set-user-id or set-group-id, and therefore run with
increased privileges. If such a program is started with some of the
stdio file descriptors closed, the program may open a file and
inadvertently associate it with standard input, standard output, or
standard error. The program may then read data from or write data to the
file inappropriately. If the file is one that the user would normally
not have privileges to open, this may result in an opportunity for
privilege escalation.

<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:23.stdio.asc>

Jeremy C. Reed
echo '9,J8HD,fDGG8B@?:536FC5=8@I;C5?@H5B0D@5GBIELD54DL>@8L?:5GDEJ8LDG1' |\
sed ss,s50EBsg | tr 0-M 'p.wBt SgiIlxmLhan:o,erDsduv/cyP'
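The mechanism the advisory describes, and the usual userland defence against it, as an added example (not code from Exim, FreeBSD or the poster). The names ensure_std_fds(), fd_is_open() and fd_landed_on_after_closing_stderr() are made up for this illustration; the defence assumed here is the common one of re-opening any closed descriptor among 0, 1, 2 on /dev/null before the program does anything privileged, so that a later open() cannot land on stdin/stdout/stderr. The demonstration function closes fd 2 (after saving a copy) to simulate a parent that exec'd us with it closed, then shows where open() lands with and without the repair.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* 1 if fd is open, 0 if it is closed (EBADF), -1 on any other error. */
int fd_is_open(int fd) {
    if (fcntl(fd, F_GETFD) != -1)
        return 1;
    return errno == EBADF ? 0 : -1;
}

/* Sanitise the standard descriptors before doing privileged work: any of
 * 0, 1, 2 that is closed is re-opened on /dev/null, so a later open() of a
 * sensitive file cannot be handed descriptor 0, 1 or 2 and then be written
 * to or read from by code that thinks it is talking to stdio.
 * Returns the number of descriptors repaired, or -1 on failure.
 * (Hypothetical helper written for this example.) */
int ensure_std_fds(void) {
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        int st = fd_is_open(fd);
        if (st == 1)
            continue;
        if (st < 0)
            return -1;
        /* Because lower descriptors were repaired first, fd is the lowest
         * unused one, so open() returns exactly fd. */
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {            /* defensive: should not happen */
            if (dup2(nfd, fd) == -1) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
        repaired++;
    }
    return repaired;
}

/* Demonstration: close stderr (keeping a copy), optionally run the repair,
 * open `path`, and report which descriptor number open() handed back.
 * stderr is restored before returning. (Hypothetical helper.) */
int fd_landed_on_after_closing_stderr(const char *path, int repair_first) {
    int saved = dup(2);             /* copy of stderr so we can restore it */
    if (saved == -1)
        return -1;
    close(2);                       /* simulate exec with fd 2 closed */
    if (repair_first && ensure_std_fds() < 0) {
        dup2(saved, 2);
        close(saved);
        return -1;
    }
    int landed = open(path, O_RDONLY);
    if (landed != -1 && landed != 2)
        close(landed);
    dup2(saved, 2);                 /* restores stderr, closing whatever is on 2 */
    close(saved);
    return landed;
}

int main(void) {
    printf("fd 2 closed, no repair: open() landed on fd %d\n",
           fd_landed_on_after_closing_stderr("/dev/null", 0));
    printf("fd 2 closed, after ensure_std_fds(): open() landed on fd %d\n",
           fd_landed_on_after_closing_stderr("/dev/null", 1));
    return 0;
}
```

Without the repair the open() lands on descriptor 2, exactly as the advisory describes; with ensure_std_fds() run first it lands on 3 or above. A set-user-id program should do this check as the first thing in main(), before parsing arguments or opening anything, rather than rely on the parent or the kernel to have done it.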