Subject: Another take on setregid/setreguid
To: None <deraadt@sfa.ca>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: port-pmax
Date: 08/23/1994 16:42:30

I tried the following code fragment, from the latest kern_prot.c that
Theo e-mailed me. It returns EPERM when called by what, on Ultrix, is
a process with superuser privileges. (That's what I meant to moan
about last night, but I flubbed it completely.)
struct setregid_args {
	int	rgid;
	int	egid;
};
/* ARGSUSED */
osetregid(p, uap, retval)
	register struct proc *p;
	struct setregid_args *uap;
	int *retval;
{
	struct setegid_args segidargs;
	struct setgid_args sgidargs;
	register struct pcred *pc = p->p_cred;
	register int error, is_suser;

	error = 0;
	is_suser = suser(pc->pc_ucred, &p->p_acflag) == 0;
	/*
	 * There are four cases, described above in osetreuid()
	 */
	if (uap->rgid == (gid_t)-1) {
		if (uap->egid == (gid_t)-1) {
			error = 0;			/* -1, -1 */
			goto done;
		}
		segidargs.egid = uap->rgid;		/* -1,  N */
		error = setegid(p, &segidargs, retval);
		goto done;
	}
	if (uap->egid == (gid_t)-1) {
		segidargs.egid = uap->rgid;		/* N, -1 */
		error = setegid(p, &segidargs, retval);
		goto done;
	}
	sgidargs.gid = uap->rgid;			/* N, N and N, M */
	error = setgid(p, &sgidargs, retval);
done:
	printf("setregid(%d, %d): uid (r,s,e) %d %d %d gid %d,%d,%d, suser %d err %d\n",
		uap->rgid, uap->egid,
		pc->p_ruid, pc->p_svuid, pc->pc_ucred->cr_uid,
		pc->p_rgid, pc->p_svgid, pc->pc_ucred->cr_groups[0],
		is_suser, error);
	return (error);
}

If I try to rsh to a machine, Reno, running the above code
and Ultrix rshd, I get

	tcsh> rsh reno pwd
	setregid(-1, 40): uid (r,s,e) 0 0 0 gid 0,0,-1, suser 1 err 0
	setregid(-1,0): uid (r,s,e) 0 0 -1 gid 0,0,40 suser 0 err 1
	Permission denied


on the console.

If I try an rlogin, I see

	tcsh% rlogin reno
	setregid(-1,40: uid (r,s,e) 0 0 0 gid 0,0,-1, suser 1 err 0
	setregid(-1,0): uid (r,s,e) 0 0 -1 gid 0,0,40 suser 0 err 1

	Password: <deleted>
	setregid(40,40): uid (r,s,e) 0 0 -1 gid 0,0,40, suser 0 err 1
	Unable to set gid to 40

and the Ultrix /bin/login (I assume) exits after printing the "Unable
to set gid" message.

I don't understand what's going on here. I don't understand how or
where the effective uid is getting set to -1, which (as far as I can
tell) is the problem. Could it be Ultrix /bin/login and rshd expecting
some different saved-uid semantics, perhaps?

------------------------------------------------------------------------------
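
Added example, not part of the original message or of the kernel source it quotes: a user-space model of the four-case dispatch in the fragment above, showing which value the (-1, N) branch hands to setegid as posted (`uap->rgid`) versus forwarding `egid` instead. The names `gid_m`, `cred_m`, `model_*`, `egid_after` and `forward_egid` are hypothetical, and the setegid/setgid permission rules are simplified assumptions.

```c
#include <errno.h>
#include <stdio.h>
typedef unsigned int gid_m;		/* model gid type (hypothetical) */
#define NOCHG ((gid_m)-1)		/* "leave this id unchanged" */
struct cred_m { gid_m rgid, svgid, egid; int is_suser; };

/* Assumed rule: a non-superuser may only select the real or saved gid. */
static int model_setegid(struct cred_m *c, gid_m egid)
{
	if (egid != c->rgid && egid != c->svgid && !c->is_suser)
		return EPERM;
	c->egid = egid;
	return 0;
}

/* Assumed rule: setgid sets real, saved and effective gid together. */
static int model_setgid(struct cred_m *c, gid_m gid)
{
	if (gid != c->rgid && !c->is_suser)
		return EPERM;
	c->rgid = c->svgid = c->egid = gid;
	return 0;
}

/* Same four cases as the fragment; forward_egid == 0 keeps the posted
 * (-1, N) behaviour, forward_egid == 1 passes egid to setegid instead. */
int model_setregid(struct cred_m *c, gid_m rgid, gid_m egid, int forward_egid)
{
	if (rgid == NOCHG) {
		if (egid == NOCHG) return 0;			/* -1, -1 */
		return model_setegid(c, forward_egid ? egid : rgid); /* -1, N */
	}
	if (egid == NOCHG)
		return model_setegid(c, rgid);			/* N, -1 */
	return model_setgid(c, rgid);				/* N, N and N, M */
}

/* Run one call on a fresh all-zero superuser credential (constructed input). */
gid_m egid_after(gid_m rgid, gid_m egid, int forward_egid, int *err)
{
	struct cred_m c = { 0, 0, 0, 1 };
	*err = model_setregid(&c, rgid, egid, forward_egid);
	return c.egid;
}

int main(void)
{
	int e;
	printf("as posted:       egid %d\n", (int)egid_after(NOCHG, 40, 0, &e));
	printf("forwarding egid: egid %d\n", (int)egid_after(NOCHG, 40, 1, &e));
}
```

In this model the posted mapping leaves the effective gid at -1 with no error for a superuser caller, which is the same state the first console line reports for setregid(-1, 40).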