From: Dirk Engling <erdgeist@erdgeist.org>
To: Pétur Ingi Egilsson
Cc: freebsd-security@freebsd.org
Subject: Re: File descriptors
Date: Sun, 14 Apr 2013 02:33:37 +0200
Message-ID: <5169F961.7030407@erdgeist.org>

On 13.04.13 20:29, Pétur Ingi Egilsson wrote:
> I noticed that if I execute the following code, then the program is
> able to read the file even if the file's permissions are changed around
> the /mark/ section in such a way that the UID under which the program is
> running should not have any permission to read the file.
>
> This is not a desirable behaviour.
> How can I prevent this behaviour on my system?

Pétur,

you may have a wrong understanding of what the difference between a file
and its names is.

The moment you open a file, the system call checks the permissions and,
if you are allowed to read the file, returns another name for your file:
the fd. If you change permissions on the file name in the file system,
your file descriptor is not affected. The overhead for chasing changes in
your directory structure (and nothing else is changing permissions) on
every read() system call would just not be bearable.

You can even delete the file from the file system and still reference the
content by your descriptor. Only when the last name of your file is gone
(i.e. you fclose your descriptor) is the file actually removed from the
file system.

> fd = fopen(argv[2], "r");

I am pretty sure this should rather read argv[1].

erdgeist
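The behaviour erdgeist describes above, as an added example that is not part of the original thread or Pétur's program: the permission check happens once, in open(2), and the descriptor keeps working after the name's mode is changed with chmod(2) and even after the last name is removed with unlink(2). The temporary file, its contents and the struct fd_demo result type are constructed here for the demonstration.

```c
/* Added example (not from the original thread): permission checks happen
 * at open(2) time; chmod(2) and unlink(2) on the path do not affect a
 * descriptor that is already open. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of the experiment; 1 = true, 0 = false. */
struct fd_demo {
    int read_after_chmod;    /* read() on the old fd succeeds after chmod 000 */
    int reopen_after_chmod;  /* a fresh open() of the path succeeds (root only) */
    int read_after_unlink;   /* read() on the old fd succeeds after unlink */
    int links_after_unlink;  /* st_nlink from fstat(2) after unlink (expect 0) */
};

/* Constructed input: a temporary file we create and fill ourselves. */
static const char payload[] = "secret\n";

/* Rewind the descriptor and check that the whole payload is still readable. */
static int read_matches(int fd)
{
    char buf[sizeof payload];
    if (lseek(fd, 0, SEEK_SET) == -1)
        return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    if (n != (ssize_t)(sizeof payload - 1))
        return 0;
    buf[n] = '\0';
    return strcmp(buf, payload) == 0;
}

/* Returns 0 on success and fills *r; returns -1 if the setup itself failed. */
int run_fd_demo(struct fd_demo *r)
{
    char path[] = "/tmp/fddemo.XXXXXX";
    memset(r, 0, sizeof *r);
    int fd = mkstemp(path);                      /* created with mode 0600 */
    if (fd == -1)
        return -1;
    if (write(fd, payload, sizeof payload - 1) != (ssize_t)(sizeof payload - 1)) {
        close(fd); unlink(path); return -1;
    }
    close(fd);

    /* The "open early" descriptor: this is where the permission check runs. */
    int early = open(path, O_RDONLY);
    if (early == -1) { unlink(path); return -1; }

    /* Revoke every permission bit on the name ... */
    if (chmod(path, 0) == -1) { close(early); unlink(path); return -1; }
    r->read_after_chmod = read_matches(early); /* ... the old fd still reads */

    /* A new open(2) is checked against the new mode: EACCES for an
       unprivileged user; root bypasses DAC and gets a descriptor anyway. */
    int late = open(path, O_RDONLY);
    r->reopen_after_chmod = (late != -1);
    if (late != -1) close(late);

    /* Remove the last name; the descriptor still references the content. */
    if (unlink(path) == -1) { close(early); return -1; }
    r->read_after_unlink = read_matches(early);
    struct stat st;
    if (fstat(early, &st) == 0)
        r->links_after_unlink = (int)st.st_nlink;

    close(early);   /* last reference gone: now the inode is actually freed */
    return 0;
}

int main(void)
{
    struct fd_demo r;
    if (run_fd_demo(&r) != 0) { perror("setup"); return 1; }
    printf("read via old fd after chmod 000: %s\n", r.read_after_chmod ? "ok" : "failed");
    printf("fresh open after chmod 000:      %s\n",
           r.reopen_after_chmod ? "ok (running as root?)" : "denied, as expected");
    printf("read via old fd after unlink:    %s (st_nlink=%d)\n",
           r.read_after_unlink ? "ok" : "failed", r.links_after_unlink);
    return 0;
}
```

Run it as an unprivileged user to see the fresh open(2) fail while the earlier descriptor keeps reading; as root the second open succeeds as well, which is why the example does not treat that outcome as an error. What chmod(2) cannot do is retract a descriptor that was handed out when the check passed.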