On Wed, 15 May 2002, Jeremy C. Reed wrote:
> I read that on a NetBSD system, Exim 4.04 caused:
>
> set{u,g}id pid 17149 (exim-4.04-1) was invoked by uid 104 ppid 209
> (exim-4.04-1) with fd 0,1,2 closed
That's probably true. So what? Exim is coded like that. The daemon
closes down all unwanted fds. If it then forks and re-execs to do a
delivery, they won't exist.
> ... Some programs are set-user-id or set-group-id, and therefore run with
> increased privileges. If such a program is started with some of the
> stdio file descriptors closed, the program may open a file and
> inadvertently associate it with standard input, standard output, or
> standard error. The program may then read data from or write data to the
> file inappropriately.
What the heck does that mean? If a program opens a file and reads/writes
it, what does it matter what the value of the file descriptor is? Maybe
there are programs whose stupidity I'm too stupid to conceive of... :-)
> If the file is one that the user would normally
> not have privileges to open, this may result in an opportunity for
> privilege escalation.
I do not understand.
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
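The hazard the quoted NetBSD warning is describing, as an added example that is not part of this thread and is not Exim's code. The point rests on one fact POSIX guarantees: open() returns the lowest-numbered descriptor not currently open. So if a set-id program is started with fds 0, 1 and 2 closed, the first file it opens for its own privileged purposes becomes "standard input", and any later library routine that innocently reads stdin (a prompt, a config reader) or writes stdout/stderr (perror, a debug message) is really touching that file. The demo below forks a child, closes 0-2 the way a daemon that has shut down all unwanted descriptors would, opens a constructed "sensitive" file, then performs a plain read(STDIN_FILENO, ...) and reports what came back. With the defensive startup check (point every missing one of fds 0-2 at /dev/null before opening anything else) the same read returns nothing. The file contents, temp-file name and the helper names are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed "sensitive" content; stands in for a file only the privileged
   user may read (e.g. a password database). Not real data. */
static const char SECRET[] = "root:$6$constructed-hash-for-demo\n";

/* Defensive startup check for a set-id program (assumed pattern, not Exim's):
   guarantee fds 0, 1 and 2 are open before anything else is opened, so no
   later open() can be handed one of them. Missing ones are pointed at
   /dev/null. Returns the number repaired, or -1 on error. */
int ensure_std_fds_open(void) {
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1) continue;          /* already open */
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1) return -1;
        if (nfd != fd) { if (dup2(nfd, fd) == -1) return -1; close(nfd); }
        repaired++;
    }
    return repaired;
}

struct demo_result {
    int fd;           /* descriptor open() handed back for the sensitive file */
    char echoed[64];  /* what a "read a line from stdin" routine then received */
};

/* Run the hazard in a child: close fds 0-2, optionally repair them, open the
   sensitive file, then do an innocuous read from "stdin". The child ships its
   result back over a pipe. Returns 0 on success, -1 on error. */
int run_demo(const char *secret_path, int repair, struct demo_result *out) {
    int pfd[2];
    memset(out, 0, sizeof *out);
    if (pipe(pfd) == -1) return -1;              /* pipe fds are >= 3 here */
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        struct demo_result r;
        memset(&r, 0, sizeof r);
        close(pfd[0]);
        close(0); close(1); close(2);            /* "fd 0,1,2 closed" */
        if (repair) ensure_std_fds_open();
        r.fd = open(secret_path, O_RDONLY);      /* lowest free fd: 0 if unrepaired */
        /* Some later routine "prompts the user" on standard input... */
        ssize_t n = read(STDIN_FILENO, r.echoed, sizeof r.echoed - 1);
        if (n < 0) n = 0;
        r.echoed[n] = '\0';
        write(pfd[1], &r, sizeof r);             /* one write, < PIPE_BUF */
        _exit(0);
    }
    close(pfd[1]);
    ssize_t got = read(pfd[0], out, sizeof *out);
    close(pfd[0]);
    int status;
    waitpid(pid, &status, 0);
    return got == (ssize_t)sizeof *out ? 0 : -1;
}

/* Write SECRET to a private temp file (mode 0600); path returned in path_out. */
int write_secret_file(char *path_out, size_t len) {
    char tmpl[] = "/tmp/fdhazardXXXXXX";
    int fd = mkstemp(tmpl);
    if (fd == -1) return -1;
    ssize_t want = (ssize_t)(sizeof SECRET - 1);
    if (write(fd, SECRET, sizeof SECRET - 1) != want) { close(fd); return -1; }
    close(fd);
    snprintf(path_out, len, "%s", tmpl);
    return 0;
}

int main(void) {
    char path[64];
    struct demo_result r;
    if (write_secret_file(path, sizeof path) != 0) return 1;
    for (int repair = 0; repair <= 1; repair++) {
        if (run_demo(path, repair, &r) != 0) return 1;
        printf("%s: sensitive file opened as fd %d; read(stdin) returned \"%s\"\n",
               repair ? "repaired  " : "unrepaired", r.fd,
               r.echoed[0] ? "...the file contents..." : "");
    }
    unlink(path);
    return 0;
}
```

Without the repair the sensitive file lands on fd 0 and the "stdin" read returns its contents, which is the information-disclosure path the warning alludes to: the unprivileged invoker controls which descriptors are closed, and the privileged program's own diagnostics or prompts then leak or corrupt a file the invoker could not open. Note the check must run before the program's first open(); after that the damage is done, so it belongs at the very top of a set-id program's startup (or in a parent that closes descriptors and then re-execs, as Exim does, the parent should make sure 0-2 are open before the exec).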