Subject: kern/14722: Opening too much files changes the UID!
To: None <>
From: None <>
List: netbsd-bugs
Date: 11/25/2001 11:51:32
>Number:         14722
>Category:       kern
>Synopsis:       Opening too much files changes the UID!
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Nov 25 11:52:00 PST 2001
>Originator:     Emmanuel Dreyfus
>Release:        NetBSD-current
>Organization:
The NetBSD Project
>Environment:
NetBSD plume 1.5Y NetBSD 1.5Y (IRIX) #13: Sun Nov 25 15:20:49 CET 2001     manu@plume:/cvs/src/sys/arch/sgimips/compile/IRIX sgimips
>Description:
By opening too many files, it's possible to change the UID. See the
example below in the "How to repeat" section.

The bad news is that the user does not need to be root: if I set up a
login class so that a non-privileged user is able to open 80000
files, I get the same result: the non-privileged user is able to change its
UID. The good news is that the final UID seems to be always the same,
whatever the original UID and the maxfiles value are. So it's not easy
to use this in order to become root (but it still may be possible, I
don't know).
>How-To-Repeat:
#sysctl -w kern.maxfiles=80000
kern.maxfiles: 1772 -> 80000
#ulimit -n 80000
#cat > fdcount.c
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>

int
main(int argc, char **argv)
{
        int i, fd, count;

        /* first descriptor we get; every later one is numbered above it */
        fd = open("/dev/null", O_RDONLY, 0);
        /* keep opening until the kernel refuses (open() returns -1) */
        for (count = 1; open("/dev/null", O_RDONLY, 0) != -1; count++);
        /* release the whole range fd .. fd+count-1 that we opened */
        for (i = fd; i < fd + count; close(i++));
        printf("I was able to open %d descriptors\n", count);

        return 0;
}
#cc -o fdcount fdcount.c
I was able to open 79975 descriptors

Ouch! That's bad!
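The reproducer above only counts descriptors; the credential change has to be observed separately. The following program is an added regression check, not code from the PR or from NetBSD: it snapshots the real and effective uid/gid, exhausts the per-process descriptor table the same way fdcount.c does, snapshots again, closes everything it opened and reports whether the credentials moved. The soft RLIMIT_NOFILE cap (lowering is permitted for any user), the use of /dev/null as the file to open, and the function name exhaust_descriptors are this example's own choices; on an unaffected kernel the check reports "unchanged".

```c
/* Added example (not the PR's own code): exhaust the descriptor table and
 * check whether the process credentials survived it. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

struct cred_snapshot {
    uid_t ruid, euid;
    gid_t rgid, egid;
};

static struct cred_snapshot snapshot_creds(void)
{
    struct cred_snapshot s;
    s.ruid = getuid();
    s.euid = geteuid();
    s.rgid = getgid();
    s.egid = getegid();
    return s;
}

static int creds_equal(const struct cred_snapshot *a,
                       const struct cred_snapshot *b)
{
    return a->ruid == b->ruid && a->euid == b->euid &&
           a->rgid == b->rgid && a->egid == b->egid;
}

/* Cap the soft RLIMIT_NOFILE at max_fds (an assumed knob so the run stays
 * bounded), open /dev/null until open() fails, close the opened range and
 * report. Returns the number of descriptors opened, or -1 on a setup error.
 * *changed is set to 1 if any uid/gid differs after the exhaustion. */
int exhaust_descriptors(rlim_t max_fds, int *changed)
{
    struct rlimit rl;
    struct cred_snapshot before, after;
    int first = -1, last = -1, fd, count = 0;

    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (rl.rlim_cur > max_fds) {
        rl.rlim_cur = max_fds;
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
            return -1;
    }

    before = snapshot_creds();
    /* open until the kernel refuses; normally errno == EMFILE here */
    while ((fd = open("/dev/null", O_RDONLY)) != -1) {
        if (first == -1)
            first = fd;
        last = fd;
        count++;
    }
    if (first == -1)
        return -1; /* not even one descriptor: nothing was exhausted */
    after = snapshot_creds();

    /* close the whole range; EBADF on a gap in the numbering is harmless */
    for (fd = first; fd <= last; fd++)
        close(fd);

    *changed = !creds_equal(&before, &after);
    return count;
}

int main(void)
{
    int changed = 0;
    int n = exhaust_descriptors(4096, &changed);

    if (n < 0) {
        perror("exhaust_descriptors");
        return 2;
    }
    printf("opened %d descriptors; credentials %s\n", n,
           changed ? "CHANGED" : "unchanged");
    return changed ? 1 : 0;
}
```

To exercise the limits the PR describes, raise kern.maxfiles and the login class or ulimit as in the transcript above and pass that value as max_fds; a non-zero exit status means the credential snapshot differed after the descriptor table was filled.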