From owner-freebsd-security@FreeBSD.ORG Sun Apr 14 00:33:44 2013
From: Dirk Engling
To: Pétur Ingi Egilsson
Cc: freebsd-security@freebsd.org
Subject: Re: File descriptors
Date: Sun, 14 Apr 2013 02:33:37 +0200
Message-ID: <5169F961.7030407@erdgeist.org>
X-BeenThere: freebsd-security@freebsd.org
List-Id: "Security issues [members-only posting]"

On 13.04.13 20:29, Pétur Ingi Egilsson wrote:
> I noticed that if I execute the following code, then the program is
> able to read the file even if the file's permissions are changed around
> the /mark/ section in such a way that the UID under which the program is
> running should not have any permission to read the file.
>
> This is not a desirable behaviour.
> How can I prevent this behaviour on my system?

Pétur,

you may have a wrong understanding of what the difference between a file
and its names is. The moment you open a file, the system call checks the
permissions and, if you are allowed to read the file, returns another
name for your file, the fd.

If you change permissions on the file name in the file system, your file
descriptor is not affected. The overhead for chasing changes in your
directory structure (and nothing else is changing permissions) on every
read() system call would just not be bearable.

You can even delete the file from the file system and still reference
the content by your descriptor. Only when the last name of your file is
gone (i.e. you fclose your descriptor) is the file actually removed from
the file system.

> fd = fopen(argv[2], "r");

I am pretty sure this should rather read argv[1].

erdgeist

From owner-freebsd-security@FreeBSD.ORG Sun Apr 14 00:52:10 2013
From: Dag-Erling Smørgrav
To: Dirk Engling
Subject: Re: File descriptors
Date: Sun, 14 Apr 2013 02:52:07 +0200
In-Reply-To: <5169F961.7030407@erdgeist.org> (Dirk Engling's message of "Sun, 14 Apr 2013 02:33:37 +0200")
Message-ID: <86obdigci0.fsf@ds4.des.no>
Cc: freebsd-security@freebsd.org, Pétur Ingi Egilsson

Dirk Engling writes:
> you may have a wrong understanding of what the difference between a file
> and its names is. The moment you open a file, the system call checks the
> permissions and if you are allowed to read the file, returns another
> name for your file, the fd.

Descriptors aren't names. Names are just labels; descriptors are live
objects which tie processes to vnodes or sockets.

> If you change permissions on the file name in the file system, your file
> descriptor is not affected. The overhead for chasing changes in your
> directory structure (and nothing else is changing permissions) on every
> read() system call would just not be bearable.

It would be quite trivial, actually, but not desirable. The way it works
now allows privileged processes to pass descriptors to restricted files
to unprivileged processes, or to drop privileges before operating on
them.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Sun Apr 14 08:48:36 2013
From: Pétur Ingi Egilsson
Subject: Re: File descriptors
Date: Sun, 14 Apr 2013 10:48:28 +0200
In-Reply-To: <5169F961.7030407@erdgeist.org>
Message-Id: <000A44DA-4A24-48C8-A4B2-EE9473A03C38@petur.eu>
To: Dirk Engling
Cc: freebsd-security@freebsd.org

The general understanding by users, be it right or wrong, is that
whenever a file's permission is changed, then the effect is immediate
everywhere in the system. This wrong mental model _could_ result in
malicious access to a file.

I merely wanted to bring the issue to your attention.

- pétur

On 14/04/2013, at 02:33, Dirk Engling wrote:
> On 13.04.13 20:29, Pétur Ingi Egilsson wrote:
>
>> I noticed that if I execute the following code, then the program is
>> able to read the file even if the file's permissions are changed around
>> the /mark/ section in such a way that the UID under which the program is
>> running should not have any permission to read the file.
>>
>> This is not a desirable behaviour.
>> How can I prevent this behaviour on my system?
>
> Pétur,
>
> you may have a wrong understanding of what the difference between a file
> and its names is. The moment you open a file, the system call checks the
> permissions and if you are allowed to read the file, returns another
> name for your file, the fd.

I am aware of the difference.

>
> If you change permissions on the file name in the file system, your file
> descriptor is not affected. The overhead for chasing changes in your
> directory structure (and nothing else is changing permissions) on every
> read() system call would just not be bearable.

Understood.

>
> You can even delete the file from the file system and still reference
> the content by your descriptor. Only when the last name of your file is
> gone (i.e. you fclose your descriptor) the file is actually removed from
> the file system
>
>> fd = fopen(argv[2], "r");
>
> I am pretty sure, this should rather read argv[1]

Indeed.

>
> erdgeist

From owner-freebsd-security@FreeBSD.ORG Sun Apr 14 11:49:33 2013
From: Dag-Erling Smørgrav
To: Pétur Ingi Egilsson
Cc: freebsd-security@freebsd.org, Dirk Engling
Subject: Re: File descriptors
Date: Sun, 14 Apr 2013 13:49:31 +0200
In-Reply-To: <000A44DA-4A24-48C8-A4B2-EE9473A03C38@petur.eu> (Pétur Ingi Egilsson's message of "Sun, 14 Apr 2013 10:48:28 +0200")
Message-ID: <86sj2tcoxg.fsf@ds4.des.no>
Pétur Ingi Egilsson writes:
> The general understanding by users,

I think you mean *your* understanding, unless you have actually
conducted a poll of a representative sample of *nix users.

> be it right or wrong, is that whenever a file's permission is changed,
> then the effect is immediate everywhere in the system.

This has never been the case.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Sun Apr 14 12:19:06 2013
From: Tom Evans
To: Pétur Ingi Egilsson
Cc: freebsd-security@freebsd.org
Subject: Re: File descriptors
Date: Sun, 14 Apr 2013 13:19:04 +0100
In-Reply-To: <000A44DA-4A24-48C8-A4B2-EE9473A03C38@petur.eu>

On Sun, Apr 14, 2013 at 9:48 AM, Pétur Ingi Egilsson wrote:
> The general understanding by users, be it right or wrong, is that whenever a file's permission is changed, then the effect is immediate everywhere in the system.
> This wrong mental model _could_ result in malicious access to a file.
>
> I merely wanted to bring the issue to your attention.
>
> - pétur
>

As des said earlier, this model is essential for doing things in a
secure manner. An analogy would be sockets: if you drop privileges after
binding to a privileged socket, should you lose access to the socket? Of
course not.

The only thing that is relevant is whether you had permission to open
the file/bind the socket at the point you did it. After that, the
fd/socket is all yours, regardless.

Cheers

Tom
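A small C program, added here and not taken from the thread, that reproduces the scenario Pétur describes and the point DES and Tom make: the permission check happens once at open(2), a later chmod(2) does not reach the descriptor that is already open, and only a fresh open(2) of the same name is checked again. The scratch path and the file contents are constructed for the example; the fresh open is expected to fail with EACCES only when the process is not running as root.

```c
/* Added example, not code from the thread: Pétur's scenario. Access is
 * checked once, at open(2); a later chmod(2) does not revoke what an
 * already-open descriptor can do, but a fresh open(2) is checked again. */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct fd_result {
    int read_via_old_fd;   /* 1 if read() on the pre-chmod descriptor worked */
    int fresh_open_errno;  /* errno of a new open() after chmod, 0 on success */
};

/* Writes constructed sample data to 'path' (an assumed scratch location),
 * opens it, strips all permission bits, then compares the old descriptor
 * with a new open() of the same name. Returns { 0, -1 } on setup failure. */
struct fd_result fd_outlives_chmod(const char *path)
{
    struct fd_result r = { 0, -1 };
    const char sample[] = "secret line\n";
    char buf[sizeof sample];
    int fd, fd2;
    ssize_t n;

    fd = open(path, O_CREAT | O_TRUNC | O_WRONLY, 0600);
    if (fd < 0)
        return r;
    n = write(fd, sample, sizeof sample - 1);
    close(fd);
    if (n != (ssize_t)(sizeof sample - 1))
        return r;
    fd = open(path, O_RDONLY);  /* the only permission check read() ever gets */
    if (fd < 0)
        return r;
    chmod(path, 0);             /* the "/mark/" step: no one may read it now */

    n = read(fd, buf, sizeof buf - 1);   /* not re-checked against the mode */
    r.read_via_old_fd = n == (ssize_t)(sizeof sample - 1)
                        && memcmp(buf, sample, (size_t)n) == 0;
    close(fd);

    fd2 = open(path, O_RDONLY); /* checked afresh: EACCES unless euid is 0 */
    r.fresh_open_errno = fd2 < 0 ? errno : 0;
    if (fd2 >= 0)
        close(fd2);
    unlink(path);               /* remove the scratch file again */
    return r;
}
```

Run it as an unprivileged user to see both halves: the old descriptor still returns the data, the new open() is refused.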