Re: chfn problem with Linux

Olaf Kirch (
Tue, 8 Aug 1995 20:56:32 +0200 (MET DST)

[Quoting from a message forwarded to linux-security by Nick Kralevich] (Frank T Lofaro) wrote on alt.hackers:

> A poster mentioned here the chfn could be used to hose a linux box.
> He didn't say, but it looked like one could hose the system by
> killing/suspending chfn right after opening /etc/passwd in truncate
> mode. I ran a trace on chfn.

This problem affects kill in general. The kernel allows a process
to send a signal to another process as long as the _sending_ process's
euid matches the signalled process's effective or real uid (cf.
kill_prog in kernel/exit.c).

I believe this should be the other way round. Quoting from the HP
kill(2) manpage: ``The real or effective uid of the sending process
must match the real or saved uid of the receiving process, unless the
effective uid of the sending process is super-user.'' However, a comment
in Lewine's POSIX book says that killing another process is also allowed
when its ruid matches...


Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play  |    / | \   sol.dhoop.naytheet.ah
             For my PGP public key, finger