Home/ Questions/Q 750017
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-14T14:30:07+00:00

I was going through an article today when it mentioned the following: We’ve found

  • 0

I was going through an article today when it mentioned the following:

“We’ve found many errors over the
years. One of the absolute best was
the following in the X Window System:

     if(getuid() != 0 && geteuid == 0) {
       ErrorF("Only root");
       exit(1);
     }

It allowed any local user to get root
access. (The tautological check
geteuid == 0 was intended to be
geteuid() == 0. In its current form,
it compress the address of geteuid to
0; given that the function exists, its
address is never 0).”

The article explained what was wrong with the code but I would like to know what it means to say that “It allowed any local user to get root access”. I am not an expert in C but can someone give me an exact context in which this exploit would work? Specifically, what I mean is, lets say I am the local user, how would I get root access if we assume this code to be present somewhere?

For anyone interested in reading the full article, here’s the link:

A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in Real World

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The article means that the code after the if, which was intended to be executed only if it was verified that the user was root, could actually be executed by anyone. To take advantage of it, you look for the branch in the code in which the test is used to check the identity of the user (which the article responsibly does not provide: you have to work a little) and you arrange for it to be executed.

    “allowed to get root access” is an ellipsis to describe what happens after the if in the original code. It does not make particular sense in relation with the test because it describe what happens after it.

    In other words, the test itself does not make you root. The code after it makes you root. Also, bear in mind that the X server often has to be installed with root owner and setuid bit set, which is the reason why flawed logic in its code is dangerous.

    This is not a question about C. It is a question about the Unix security model, which is awfully binary (especially in the older implementations): you have to be root to do anything, so quantities of programs have root owner and setuid bit (caricaturing a little bit).

    • 0