Re: [Exim] setuid exim invoked with file descriptors 0,1,2 c…

Author: Philip Hazel
Date:  
To: Jeremy C. Reed
CC: exim-users
Subject: Re: [Exim] setuid exim invoked with file descriptors 0,1,2 closed
On Wed, 15 May 2002, Jeremy C. Reed wrote:

> I read that on a NetBSD system, Exim 4.04 caused:
>
> set{u,g}id pid 17149 (exim-4.04-1) was invoked by uid 104 ppid 209
> (exim-4.04-1) with fd 0,1,2 closed
That's probably true. So what? Exim is coded like that. The daemon
closes down all unwanted fds. If it then forks and re-execs to do a
delivery, they won't exist.

> ... Some programs are set-user-id or set-group-id, and therefore run with
> increased privileges. If such a program is started with some of the
> stdio file descriptors closed, the program may open a file and
> inadvertently associate it with standard input, standard output, or
> standard error. The program may then read data from or write data to the
> file inappropriately.
What the heck does that mean? If a program opens a file and reads/writes
it, what does it matter what the value of the file descriptor is? Maybe
there are programs whose stupidity I'm too stupid to conceive of... :-)

> If the file is one that the user would normally
> not have privileges to open, this may result in an opportunity for
> privilege escalation.
I do not understand.

--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
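The hazard the quoted NetBSD message describes, as an added example that is not from this thread and not Exim's code: a program started with descriptors 0, 1 and 2 closed gets descriptor 0 (then 1, then 2) back from its first open() calls, so anything that later writes to stdout or stderr ends up in that file. The usual defence, shown here as a generic pattern, is to open /dev/null on any closed standard descriptor before the program opens anything else; the helper that closes and restores 0-2 exists only to demonstrate the behaviour in-process.

```c
/* Added example (not Exim code): why a privileged program should make sure
 * fds 0, 1 and 2 are open before it opens any file of its own. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Open /dev/null on each of fds 0, 1, 2 that is currently closed, so a later
 * open() can never be assigned a standard-stream number.
 * Returns the number of descriptors repaired, or -1 on failure. */
int sanitize_std_fds(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            continue;                               /* already open */
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd != fd)                 /* open() hands out the lowest free fd */
            return -1;
        repaired++;
    }
    return repaired;
}

/* Demonstration helper: temporarily close fds 0-2 (keeping dup'ed copies so
 * they can be restored), optionally run the fix, then report which fd number
 * the program's "own" open() receives. /dev/null stands in for a data file. */
int first_open_fd_after_closing_std(int sanitize)
{
    int saved[3], result = -1;
    for (int i = 0; i < 3; i++) saved[i] = dup(i);
    for (int i = 0; i < 3; i++) close(i);
    if (!sanitize || sanitize_std_fds() >= 0) {
        int fd = open("/dev/null", O_WRONLY);
        result = fd;                    /* 0 without the fix, >= 3 with it */
        if (fd >= 0) close(fd);
    }
    for (int i = 0; i < 3; i++) {       /* restore the original streams */
        if (saved[i] >= 0) { dup2(saved[i], i); close(saved[i]); }
    }
    return result;
}

int main(void)
{
    printf("without fix: first open() got fd %d\n", first_open_fd_after_closing_std(0));
    printf("with fix:    first open() got fd %d\n", first_open_fd_after_closing_std(1));
    return 0;
}
```

Calling sanitize_std_fds() is the first thing a set-uid program should do, before any stdio use, which is also the reason kernels such as NetBSD's log the condition rather than silently tolerating it.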