From owner-freebsd-bugs Tue Aug 27 22:40:08 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA01751 for bugs-outgoing; Tue, 27 Aug 1996 22:40:08 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA01731; Tue, 27 Aug 1996 22:40:06 -0700 (PDT)
Resent-Date: Tue, 27 Aug 1996 22:40:06 -0700 (PDT)
Resent-Message-Id: <199608280540.WAA01731@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, darrylo@sr.hp.com
Received: from relay.hp.com (relay.hp.com [15.255.152.2]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA01186 for ; Tue, 27 Aug 1996 22:38:23 -0700 (PDT)
Received: from srmail.sr.hp.com by relay.hp.com with ESMTP (1.37.109.16/15.5+ECS 3.3) id AA099140700; Tue, 27 Aug 1996 22:38:21 -0700
Received: from hpnmhjw.sr.hp.com by srmail.sr.hp.com with ESMTP (1.37.109.16/15.5+ECS 3.3) id AA143450699; Tue, 27 Aug 1996 22:38:20 -0700
Received: from mina.sr.hp.com by hpnmhjw.sr.hp.com with SMTP (1.37.109.16/15.5+ECS 3.3) id AA065290699; Tue, 27 Aug 1996 22:38:19 -0700
Message-Id: <199608280538.AA065290699@hpnmhjw.sr.hp.com>
Date: Tue, 27 Aug 1996 22:38:19 -0700
From: Darryl Okahata
Reply-To: darrylo@sr.hp.com
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/1548: ncrcontrol -i queries don't work for mere users
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 1548
>Category: bin
>Synopsis: ncrcontrol -i queries don't work for mere users
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Aug 27 22:40:04 PDT 1996
>Last-Modified:
>Originator: Darryl Okahata
>Organization: Home
>Release: FreeBSD 2.2-960801-SNAP i386
>Environment: FreeBSD 2.2-960801-SNAP with an NCR-815-based SCSI controller.
>Description:
Even though ncrcontrol is setgid kmem, read-only queries such as "ncrcontrol -i" do not work for mere users. You must be root or some login that has a real group id of "kmem". This occurs because of code that is supposed to prevent the bad guys from doing arbitrary reads of kernel memory. This code is supposed to be used if the running kernel is not used; however, there's a bug that *always* causes the code to be used, which prevents legal/acceptable reads of kernel memory by mere users.

>How-To-Repeat:
On a system with an NCR-based SCSI controller, run the following as a mere user (non-root, non-kmem-group):

	ncrcontrol -i

>Fix:
Apply the following patch.

*** ncrcontrol.c.orig Tue Aug 27 22:13:37 1996 --- ncrcontrol.c Tue Aug 27 22:14:51 1996 *************** *** 181,186 **** --- 181,195 ---- if (kvm_isopen) return; + #if defined(__NetBSD__) || (__FreeBSD__ >= 2) + /* + * Discard setgid privileges if not the running kernel so that bad + * guys can't print interesting stuff from kernel memory. + */ + if (vmunix != NULL || kmemf != NULL) + setgid(getgid()); + #endif + #if (__FreeBSD__ >= 2) if (!vmunix) { vmunix = getbootfile(); *************** *** 190,203 **** vmunix = _PATH_UNIX; } #endif - #if defined(__NetBSD__) || (__FreeBSD__ >= 2) - /* - * Discard setgid privileges if not the running kernel so that bad - * guys can't print interesting stuff from kernel memory. - */ - if (vmunix != NULL || kmemf != NULL) - setgid(getgid()); kvm = kvm_openfiles(vmunix, kmemf, NULL, flags, errbuf); if (kvm == NULL) { fprintf(stderr, "%s: kvm_openfiles: %s\n", prog, errbuf); --- 199,206 ---- vmunix = _PATH_UNIX; } #endif + #if defined(__NetBSD__) || (__FreeBSD__ >= 2) kvm = kvm_openfiles(vmunix, kmemf, NULL, flags, errbuf); if (kvm == NULL) { fprintf(stderr, "%s: kvm_openfiles: %s\n", prog, errbuf);

>Audit-Trail:
>Unformatted:
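Review bot: in the first hunk (*** 181,186 **** / --- 181,195 ----) the result of `setgid(getgid());` in the added block is never checked, so if the call fails the program keeps the kmem group and goes on to open the user-supplied kernel image or kmem file with it; test the return value and stop, e.g. `if (setgid(getgid()) != 0) { perror("setgid"); exit(1); }`, using whatever error path the rest of the file already uses. Moving the check ahead of the `if (!vmunix) { vmunix = getbootfile();` default is the right fix, since only before that assignment can `vmunix != NULL` mean "the user named a kernel".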
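Review bot: the second hunk (*** 190,203 **** / --- 199,206 ----) removes and then re-adds the identical `#if defined(__NetBSD__) || (__FreeBSD__ >= 2)` line directly above `kvm = kvm_openfiles(...)`, and the matching `#endif` (and any `#else` branch for older systems) lies past the hunk's trailing context, so the change as shown does not demonstrate that the conditional still nests correctly; confirm the file compiles on both the FreeBSD and the NetBSD sides after the block is moved, and regenerate the diff so the unchanged `#if` line does not appear as a removal plus an addition.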
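The ordering bug the report describes, shown as an added example that is not part of the PR or of ncrcontrol.c: the privilege-drop decision is modelled as two pure functions, one with the original order (default the kernel path, then test it, which is always true) and one with the patched order (test what the user supplied, then default), plus a drop routine that, unlike the bare `setgid(getgid())` in the patch, checks the result. The function names, the `/kernel` stand-in for what `getbootfile()` would return, and the command-line convention are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Stand-in for the path getbootfile() would return on the running system.
 * An assumption for this example, not a value taken from ncrcontrol.c. */
#define DEFAULT_KERNEL "/kernel"

/* vmunix and kmemf model the optional kernel-image and kmem-file arguments:
 * NULL means "not given", i.e. the running kernel and /dev/kmem are meant. */

/* Fill in the default kernel path when the user did not name one. */
const char *resolve_kernel(const char *vmunix)
{
    return vmunix != NULL ? vmunix : DEFAULT_KERNEL;
}

/* Ordering in the original ncrcontrol.c: the path is defaulted first, so the
 * check sees a non-NULL value on every run and the kmem group is always
 * dropped, even for plain "-i" queries against the running kernel.
 * Returns 1 if privileges would be dropped. */
int drops_privs_original(const char *vmunix, const char *kmemf)
{
    const char *kernel = resolve_kernel(vmunix);   /* getbootfile() first... */
    return kernel != NULL || kmemf != NULL;        /* ...so this is never false */
}

/* Ordering after the patch: decide on the user-supplied values; the caller
 * resolves the default only afterwards. A user-chosen kernel image or kmem
 * file costs the caller its group, a query of the running kernel does not. */
int drops_privs_patched(const char *vmunix, const char *kmemf)
{
    return vmunix != NULL || kmemf != NULL;
}

/* Drop the setgid privilege for real and verify it. Checking setgid(2)'s
 * result and re-reading the effective gid means a failed drop cannot
 * silently leave the kmem group in place. Returns 0 on success, -1 on failure. */
int drop_setgid_privs(void)
{
    gid_t rgid = getgid();

    if (setgid(rgid) != 0) {
        perror("setgid");
        return -1;
    }
    if (getegid() != rgid) {
        fprintf(stderr, "setgid returned 0 but egid is still %lu\n",
                (unsigned long)getegid());
        return -1;
    }
    return 0;
}

/* Usage: ./privdrop [kernel-image] [kmem-file]; an empty argument means
 * "not given". Prints what each ordering decides, then performs the drop the
 * patched ordering calls for before any kernel memory would be opened. */
int main(int argc, char **argv)
{
    const char *vmunix = (argc > 1 && argv[1][0] != '\0') ? argv[1] : NULL;
    const char *kmemf  = (argc > 2 && argv[2][0] != '\0') ? argv[2] : NULL;
    int drop;
    const char *kernel;

    printf("original ordering: %s the kmem group\n",
           drops_privs_original(vmunix, kmemf) ? "drops" : "keeps");

    drop = drops_privs_patched(vmunix, kmemf);     /* decide on user input... */
    kernel = resolve_kernel(vmunix);               /* ...then apply the default */
    printf("patched ordering:  %s the kmem group (kernel %s)\n",
           drop ? "drops" : "keeps", kernel);

    if (drop && drop_setgid_privs() != 0)
        return 1;
    return 0;
}
```

Run with no arguments and the original ordering reports "drops" while the patched one reports "keeps"; give it a kernel path or a kmem file and both drop. The check-and-verify in `drop_setgid_privs` is the part a reviewer would want added to the patch itself: on the systems the report targets `setgid()` sets the real, effective and saved group IDs, so a successful call is a complete drop, but an unchecked failure is not.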