I was going through an article today when it mentioned the following:
"We've found many errors over the years. One of the absolute best was the following in the X Window System:
if(getuid() != 0 && geteuid == 0) { ErrorF("Only root"); exit(1); }
It allowed any local user to get root access. (The tautological check geteuid == 0 was intended to be geteuid() == 0. In its current form, it compress the address of geteuid to 0; given that the function exists, its address is never 0)."
The article explained what was wrong with the code but I would like to know what it means to say that "It allowed any local user to get root access". I am not an expert in C but can someone give me an exact context in which this exploit would work? Specifically, what I mean is, lets say I am the local user, how would I get root access if we assume this code to be present somewhere?
For anyone interested in reading the full article, here's the link:
A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in Real World