Subject: Re: possible problem in getgrouplist (#groups > NGROUPS_MAX)
To: <>
From: David Laight <david@l8s.co.uk>
List: tech-userlevel
Date: 05/01/2002 19:48:49
On Wed, May 01, 2002 at 09:28:09AM -0700, Bill Studenmund wrote:
> On Wed, 1 May 2002, David Laight wrote:
> 
> > On Tue, Apr 30, 2002 at 02:53:04PM -0700, Bill Studenmund wrote:
> > > On Tue, 30 Apr 2002, Tim Bandy wrote:
> > >
> > > Not sure, but it actually doesn't sound like that bad a behavior. As
> > > counter-intuitive as that may sound, what else should we do if someone is
> > > in more than NGROUPS_MAX groups? Just pick a random 16 of them? By
> > > returning -1, we indicate that there's a (big) problem.
> > >
> > > We probably should document this behavior though.
> >
> > Would it be sensible to set the first NGROUPS_MAX and report -1?
> > Otherwise there could be a security problem
> > (as opposed to a DoS problem)
> 
> How is it a security problem?

If the group list is left unchanged, and the program that is setting
the groups doesn't check the result.......

I hacked a system (one I could have got access to) a few years ago
by using the fact that a particular daemon 'forgot' to set the
group list (it had been written for SVR2 or SVR3 which didn't
> have the feature).  The system I hacked was the one where the
> program's source was kept - so I could tell the relevant group
> precisely where to fix their code :-)
(Never did find out why root is in so many groups....)

	David

-- 
David Laight: david@l8s.co.uk
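The check David is describing, as an added C example (not code from this thread or from NetBSD): a privilege drop that treats a -1 from getgrouplist as fatal instead of carrying on with the supplementary groups inherited from the parent, then confirms with getgroups that the kernel really holds the requested list. The function names and return codes are my own; the -1 return of getgrouplist when the list does not fit is what glibc's and NetBSD's getgrouplist(3) document.

```c
#define _GNU_SOURCE                     /* glibc: declare getgrouplist/setgroups */
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

static int contains(const gid_t *l, int n, gid_t g)
{
    for (int i = 0; i < n; i++)
        if (l[i] == g) return 1;
    return 0;
}

/* 1 if the process's supplementary groups are exactly the set `want`, else 0.
 * Run after the drop to prove the inherited list really was replaced. */
int groups_match(const gid_t *want, int nwant)
{
    gid_t have[NGROUPS_MAX];
    int nhave = getgroups(NGROUPS_MAX, have);
    if (nhave < 0 || nhave != nwant)
        return 0;
    for (int i = 0; i < nwant; i++)
        if (!contains(have, nhave, want[i]))
            return 0;
    for (int i = 0; i < nhave; i++)
        if (!contains(want, nwant, have[i]))
            return 0;
    return 1;
}

/* Switch to `user`, checking every step.  Returns 0 on success, -1 unknown
 * user, -2 user is in more than NGROUPS_MAX groups (getgrouplist gave -1),
 * -3 setgroups/setgid/setuid failed, -4 post-drop group list is wrong. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    gid_t groups[NGROUPS_MAX];
    int ngroups = NGROUPS_MAX;
    if (getgrouplist(user, pw->pw_gid, groups, &ngroups) < 0) {
        /* Fail closed: never carry on with the parent's (e.g. root's) groups. */
        fprintf(stderr, "%s: more than %d groups, refusing\n", user, NGROUPS_MAX);
        return -2;
    }
    if (setgroups(ngroups, groups) != 0 || setgid(pw->pw_gid) != 0 ||
        setuid(pw->pw_uid) != 0)
        return -3;
    return groups_match(groups, ngroups) ? 0 : -4;
}
```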