Subject: kern/14722: Opening too many files changes the UID!
To: None <gnats-bugs@gnats.netbsd.org>
From: None <manu@netbsd.org>
List: netbsd-bugs
Date: 11/25/2001 11:51:32
>Number:         14722
>Category:       kern
>Synopsis:       Opening too many files changes the UID!
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Nov 25 11:52:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Emmanuel Dreyfus
>Release:        NetBSD-current
>Organization:
The NetBSD Project
>Environment:
NetBSD plume 1.5Y NetBSD 1.5Y (IRIX) #13: Sun Nov 25 15:20:49 CET 2001     manu@plume:/cvs/src/sys/arch/sgimips/compile/IRIX sgimips
>Description:
By opening too many files, it's possible to change the UID. See
example below in the "How to repeat" section.

The bad news is that the user does not need to be root: If I set up a
login class so that a non-privileged user is able to open 80000
files, I get the same result: the non-privileged user is able to change its UID. The good news is that the final UID seems to be always the same,
whatever the original UID and the maxfiles value are. So it's not easy
to use this in order to become root (but it still may be possible, I
don't know)
>How-To-Repeat:
#whoami
root
#sysctl -w kern.maxfiles=80000
kern.maxfiles: 1772 -> 80000
#ulimit -n 80000
#cat > fdcount.c
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>

int
main(void)
{
        int i, fd, count;

        /* first descriptor we get; the rest are handed out after it */
        fd = open("/dev/null", O_RDONLY, 0);
        if (fd == -1)
                return 1;
        /* keep opening until the kernel refuses; count includes the first */
        for (count = 1; open("/dev/null", O_RDONLY, 0) != -1; count++)
                ;
        /* close everything we opened: descriptors fd .. fd + count - 1 */
        for (i = fd; i < fd + count; i++)
                close(i);
        printf("I was able to open %d descriptors\n", count);

        return 0;
}
^D
#cc -o fdcount fdcount.c
#./fdcount
I was able to open 79975 descriptors
#whoami
1097455

Ouch! That's bad!
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
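A regression-style check for the behaviour this PR reports, written as an added example (it is not part of the report, and not NetBSD's own code or test suite). Like fdcount.c it opens /dev/null until the kernel refuses, but it snapshots the real and effective UID and GID before and after, so it can state whether the process credentials survived, and it compares the count with the soft RLIMIT_NOFILE, so it runs under an unprivileged account at the default limit with no sysctl or ulimit changes. The soft limit is capped at an assumed 65536 so a very high limit does not make the run long; `cred_snapshot`, `exhaust_descriptors`, `creds_survive_fd_exhaustion`, `exhaustion_respects_limit` and `descriptor_soft_limit` are this example's own names, not NetBSD API.

```c
/*
 * Added regression check for PR kern/14722; example code, not part of the
 * report or of NetBSD. Names below are this example's own.
 */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed ceiling on how far we go; lowering the soft limit needs no privilege. */
#define FD_CHECK_CAP 65536

struct cred_snapshot { uid_t ruid, euid; gid_t rgid, egid; };

static void snapshot_creds(struct cred_snapshot *c)
{
	c->ruid = getuid();  c->euid = geteuid();
	c->rgid = getgid();  c->egid = getegid();
}

static int creds_equal(const struct cred_snapshot *a, const struct cred_snapshot *b)
{
	return a->ruid == b->ruid && a->euid == b->euid &&
	       a->rgid == b->rgid && a->egid == b->egid;
}

/* Soft RLIMIT_NOFILE after capping it at FD_CHECK_CAP, or -1 on failure. */
long descriptor_soft_limit(void)
{
	struct rlimit rl;

	if (getrlimit(RLIMIT_NOFILE, &rl) == -1)
		return -1;
	if (rl.rlim_cur == RLIM_INFINITY || rl.rlim_cur > FD_CHECK_CAP) {
		rl.rlim_cur = FD_CHECK_CAP;
		if (setrlimit(RLIMIT_NOFILE, &rl) == -1)
			return -1;
	}
	return (long)rl.rlim_cur;
}

/*
 * Open /dev/null until open() fails, then close every descriptor we got.
 * Descriptors are remembered in a growable array rather than assumed
 * contiguous, so gaps already present in the table are never closed.
 * Returns the number opened, or -1 if nothing could be opened.
 */
int exhaust_descriptors(void)
{
	int *fds = NULL, fd, count = 0, cap = 0;

	while ((fd = open("/dev/null", O_RDONLY)) != -1) {
		if (count == cap) {
			int newcap = cap ? cap * 2 : 256;
			int *grown = realloc(fds, (size_t)newcap * sizeof(int));
			if (grown == NULL) { close(fd); break; }
			fds = grown;
			cap = newcap;
		}
		fds[count++] = fd;
	}
	for (fd = 0; fd < count; fd++)
		close(fds[fd]);
	free(fds);
	return count > 0 ? count : -1;
}

/*
 * 1 if UID/GID are unchanged after exhaustion (kernel behaved), 0 if they
 * changed (the fault the PR describes), -1 if the check could not run.
 * *opened receives the descriptor count when non-NULL.
 */
int creds_survive_fd_exhaustion(int *opened)
{
	struct cred_snapshot before, after;
	int n;

	if (descriptor_soft_limit() == -1)
		return -1;
	snapshot_creds(&before);
	n = exhaust_descriptors();
	snapshot_creds(&after);
	if (n == -1)
		return -1;
	if (opened != NULL)
		*opened = n;
	return creds_equal(&before, &after);
}

/* 1 if the count obtained never exceeds the soft limit, 0 otherwise. */
int exhaustion_respects_limit(void)
{
	long lim = descriptor_soft_limit();
	int n = exhaust_descriptors();

	return lim > 0 && n > 0 && n <= lim;
}

int main(void)
{
	int opened = 0;
	int ok = creds_survive_fd_exhaustion(&opened);

	if (ok == -1) {
		perror("open");
		return 2;
	}
	printf("opened %d descriptors (soft limit %ld), uid now %ld, credentials %s\n",
	    opened, descriptor_soft_limit(), (long)getuid(), ok ? "unchanged" : "CHANGED");
	return ok ? 0 : 1;
}
```

Run it as an ordinary user first; a non-zero exit with "CHANGED" is the condition the report describes, while a fixed kernel exits 0 with the same UID printed before and after. To reproduce the report's conditions rather than the default limit, raise the cap and run it after the same sysctl and ulimit steps as above.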