From owner-freebsd-audit Sun Aug 12 9:17:32 2001
From: Sheldon Hearn
To: "Akinori MUSHA"
Cc: audit@FreeBSD.org
Subject: Re: adding -P option to pkg_delete(1)
Date: Sun, 12 Aug 2001 18:18:24 +0200
Message-ID: <76100.997633104@axl.seasidesoftware.co.za>

On Sun, 12 Aug 2001 15:57:27 +0900, "Akinori MUSHA" wrote:

> If possible, I'd like to see this in the 4.4-RELEASE because that
> would allow users to upgrade packages safely, which can only be done
> by portupgrade(1) currently.

Don't you think it's a little late to be submitting patches for new
features for 4.4-RELEASE?

Ciao,
Sheldon.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message

From owner-freebsd-audit Sun Aug 12 9:56: 9 2001
From: "Akinori MUSHA"
To: Sheldon Hearn
Cc: audit@FreeBSD.org
Subject: Re: adding -P option to pkg_delete(1)
Date: Mon, 13 Aug 2001 01:56:04 +0900
Message-ID: <86u1zd1al7.wl@archon.local.idaemons.org>

At Sun, 12 Aug 2001 18:18:24 +0200,
Sheldon Hearn wrote:
> Don't you think it's a little late to be submitting patches for new
> features for 4.4-RELEASE?

Probably.  Hence the conditional "If possible".  I am not really going
to push it so hard.  Since I've already made portupgrade use (the
bundled) pkg_deinstall instead of pkg_delete, it doesn't really matter
for portupgrade users.

-- 
                 / /__  __            Akinori.org / MUSHA.org
                / )  )  ) )  /        FreeBSD.org / Ruby-lang.org
Akinori MUSHA aka / (_ /  ( (__(  @   iDaemons.org / and.or.jp
"Freeze this moment a little bit longer, make each impression a
little bit stronger..  Experience slips away -- Time stand still"

From owner-freebsd-audit Sun Aug 12 10:47:13 2001
From: Mike Barcroft
To: Akinori MUSHA
Cc: audit@FreeBSD.org
Subject: Re: adding -P option to pkg_delete(1)
Date: Sun, 12 Aug 2001 14:07:50 -0400
Message-ID: <20010812140750.B29132@coffee.q9media.com>

On Sun, Aug 12, 2001 at 03:57:27PM +0900, Akinori MUSHA wrote:
> Please review the attached patch, which adds a new option "-P" to
> pkg_delete(1) which preserves shared library files.  This is useful
> when one suspects that s/he still have some binaries that depend on
> the shared library that's being deleted.  Probably pkg_version(1) may
> want to use the option for the -c feature.

> Index: lib/plist.c
> ===================================================================
> RCS file: /home/ncvs/src/usr.sbin/pkg_install/lib/plist.c,v
> retrieving revision 1.34
> diff -u -r1.34 plist.c
> --- lib/plist.c	2001/08/02 12:38:29	1.34
> +++ lib/plist.c	2001/08/05 17:53:29
> @@ -346,13 +346,48 @@
>  }
>  
>  /*
> + * Check if the given filename looks like a shared library.
> + */
> +static Boolean
> +is_shlib(char *filename)
> +{
> +    char *p, *q;
> +
> +    /* basename */
> +    if (NULL != (p = strrchr(filename, '/')))
> +        p++;
> +    else
> +        p = filename;
> +
> +    /* empty filename or dotfile? */
> +    if (*p == '\0' || *p == '.')
> +        return FALSE;
> +
> +    /* do "strrstr" for .so */
> +    if (NULL == (q = strstr(p + 1, ".so")))
> +        return FALSE;
> +    while (NULL != (p = strstr(q += 3, ".so")))
> +        q = p;
> +
> +    /* skip version numbers */
> +    while (*q) {
> +        if (*q != '.' || !isdigit(*++q))
> +            return FALSE;
> +        while (isdigit(*++q))
> +            ;
> +    }
> +
> +    return TRUE;
> +}
[...]

This could probably be written better, so that you don't have to walk
filename so many times.

[...]
> -            sprintf(tmp, "%s/%s", Where, p->name);
> +            sprintf(tmp, "%s/%s", Where, last_file);
[...]

I don't see any checks to ensure that this won't overflow tmp, so you
should probably use snprintf(3) instead.

The rest of the patch looks reasonable, but I agree with Sheldon that
this shouldn't be merged into -STABLE until after 4.4-RELEASE.

Best regards,
Mike Barcroft

From owner-freebsd-audit Sun Aug 12 11:42:27 2001
Date: Mon, 13 Aug 2001 03:42:19 +0900
Message-ID: <86snex15o4.wl@archon.local.idaemons.org>
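Review bot: in the "skip version numbers" loop of the is_shlib() hunk, both `isdigit(*++q)` calls pass a plain `char`; the ctype functions are only defined for values representable as unsigned char or EOF, so a file name byte with the high bit set is undefined behaviour on platforms where char is signed. Cast the argument, e.g. `if (*q != '.' || !isdigit((unsigned char)*++q))` and `while (isdigit((unsigned char)*++q))`. The `q += 3` in the "strrstr" loop is correct only because ".so" is three bytes long; a short comment saying so would spare the next reader a recount.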
From: "Akinori MUSHA"
To: Mike Barcroft
Cc: audit@FreeBSD.org
Subject: Re: adding -P option to pkg_delete(1)

Thanks for the review,

At Sun, 12 Aug 2001 14:07:50 -0400,
Mike Barcroft wrote:
> >  /*
> > + * Check if the given filename looks like a shared library.
> > + */
> > +static Boolean
> > +is_shlib(char *filename)
> > +{
> > +    char *p, *q;
> > +
> > +    /* basename */
> > +    if (NULL != (p = strrchr(filename, '/')))
> > +        p++;
> > +    else
> > +        p = filename;
> > +
> > +    /* empty filename or dotfile? */
> > +    if (*p == '\0' || *p == '.')
> > +        return FALSE;
> > +
> > +    /* do "strrstr" for .so */
> > +    if (NULL == (q = strstr(p + 1, ".so")))
> > +        return FALSE;
> > +    while (NULL != (p = strstr(q += 3, ".so")))
> > +        q = p;
> > +
> > +    /* skip version numbers */
> > +    while (*q) {
> > +        if (*q != '.' || !isdigit(*++q))
> > +            return FALSE;
> > +        while (isdigit(*++q))
> > +            ;
> > +    }
> > +
> > +    return TRUE;
> > +}
> [...]
> 
> This could probably be written better, so that you don't have to walk
> filename so many times.

Yes, alternatively you could write it as follows, for example:

/* [^\/]\.so(\.\d+)*$ */
static Boolean
is_shlib(char *filename)
{
    char *p;

    p = strrchr(filename, 's');

    if (p == NULL || p[1] != 'o' ||
        p - filename < 2 || p[-1] != '.' || p[-2] == '/')
        return FALSE;

    p += 2;

    /* skip version numbers */
    while (*p) {
        if (*p != '.' || !isdigit(*++p))
            return FALSE;
        while (isdigit(*++p))
            ;
    }

    return TRUE;
}

(But I don't like this ;)

> [...]
> > -            sprintf(tmp, "%s/%s", Where, p->name);
> > +            sprintf(tmp, "%s/%s", Where, last_file);
> [...]
> 
> I don't see any checks to ensure that this won't overflow tmp, so you
> should probably use snprintf(3) instead.

Indeed, and that kind of code is everywhere in the pkg_install sources.
They'll need an overall audit.

> The rest of the patch looks reasonable, but I agree with Sheldon that
> this shouldn't be merged into -STABLE until after 4.4-RELEASE.

I see.

-- 
                 / /__  __            Akinori.org / MUSHA.org
                / )  )  ) )  /        FreeBSD.org / Ruby-lang.org
Akinori MUSHA aka / (_ /  ( (__(  @   iDaemons.org / and.or.jp

From owner-freebsd-audit Sun Aug 12 13:27:57 2001
Date: Sun, 12 Aug 2001 16:48:43 -0400
From: Mike Barcroft
To: Akinori MUSHA
Cc: audit@FreeBSD.org
Subject: Re: adding -P option to pkg_delete(1)
Message-ID: <20010812164843.A29363@coffee.q9media.com>

On Mon, Aug 13, 2001 at 03:42:19AM +0900, Akinori MUSHA wrote:
> > This could probably be written better, so that you don't have to walk
> > filename so many times.
> 
> Yes, alternatively you could write it as follows, for example:
> 
> /* [^\/]\.so(\.\d+)*$ */
> static Boolean
> is_shlib(char *filename)
> {
>     char *p;
> 
>     p = strrchr(filename, 's');
> 
>     if (p == NULL || p[1] != 'o' ||
>         p - filename < 2 || p[-1] != '.' || p[-2] == '/')
>         return FALSE;
> 
>     p += 2;
> 
>     /* skip version numbers */
>     while (*p) {
>         if (*p != '.' || !isdigit(*++p))
>             return FALSE;
>         while (isdigit(*++p))
>             ;
>     }
> 
>     return TRUE;
> }
> 
> (But I don't like this ;)

Neither do I.  Mostly because you could be accessing memory before
filename starts.  I was thinking more along the lines of:

/*
 * Returns TRUE if filename matches /\.so$/ or /\.so\.\d+$/, otherwise FALSE.
 */
static Boolean
is_shlib(const char *filename)
{
	int digit;
	char *p;

	digit = 0;
	p = (char *)filename + strlen(filename);
	while (--p > filename && isdigit(*p))
		digit = 1;
	if (p - 1 <= filename)
		return FALSE;
	if (digit && *p == '.')
		p--;
	if (p - 2 > filename && strncmp(p - 2, ".so", 3) == 0)
		return TRUE;
	else
		return FALSE;
}

Best regards,
Mike Barcroft

From owner-freebsd-audit Sun Aug 12 14:12:23 2001
Date: Mon, 13 Aug 2001 06:12:15 +0900
Message-ID: <86ofpl0yq8.wl@archon.local.idaemons.org>
From: "Akinori MUSHA"
To: Mike Barcroft, audit@FreeBSD.org
Subject: Re: adding -P option to pkg_delete(1)

At Sun, 12 Aug 2001 16:48:43 -0400,
Mike Barcroft wrote:
> 
> On Mon, Aug 13, 2001 at 03:42:19AM +0900, Akinori MUSHA wrote:
> > > This could probably be written better, so that you don't have to walk
> > > filename so many times.
> > 
> > Yes, alternatively you could write it as follows, for example:
> > 
> > /* [^\/]\.so(\.\d+)*$ */
> > static Boolean
> > is_shlib(char *filename)
> > {
> >     char *p;
> > 
> >     p = strrchr(filename, 's');
> > 
> >     if (p == NULL || p[1] != 'o' ||
> >         p - filename < 2 || p[-1] != '.' || p[-2] == '/')
> >         return FALSE;
> > 
> >     p += 2;
> > 
> >     /* skip version numbers */
> >     while (*p) {
> >         if (*p != '.' || !isdigit(*++p))
> >             return FALSE;
> >         while (isdigit(*++p))
> >             ;
> >     }
> > 
> >     return TRUE;
> > }
> > 
> > (But I don't like this ;)
> 
> Neither do I.  Mostly because you could be accessing memory before
> filename starts.

No, no.  If (p - filename < 2) is false, the rest is not evaluated.
It would be more than just "don't like" if the code had such a
terrible flaw. ;)

The reason why I don't like it is because it goes to extremes for
performance, to result in less readable, inflexible code.

> I was thinking more along the lines of:
> 
> /*
>  * Returns TRUE if filename matches /\.so$/ or /\.so\.\d+$/, otherwise FALSE.
>  */
> static Boolean
> is_shlib(const char *filename)
> {
> 	int digit;
> 	char *p;
> 
> 	digit = 0;
> 	p = (char *)filename + strlen(filename);
> 	while (--p > filename && isdigit(*p))
> 		digit = 1;
> 	if (p - 1 <= filename)
> 		return FALSE;
> 	if (digit && *p == '.')
> 		p--;
> 	if (p - 2 > filename && strncmp(p - 2, ".so", 3) == 0)
> 		return TRUE;
> 	else
> 		return FALSE;
> }

I found some problems with it:

- Note that the . part may repeat, not to mention Linux shared
  libraries.

- is_shlib("foo/.so") will return TRUE, which can't be a shared library
  but a dotfile.

- is_shlib("foo.so4") will return TRUE, which probably isn't a shared
  library.

I'll try more later.  Thanks for sharing the work with me. :)

-- 
                 / /__  __            Akinori.org / MUSHA.org
                / )  )  ) )  /        FreeBSD.org / Ruby-lang.org
Akinori MUSHA aka / (_ /  ( (__(  @   iDaemons.org / and.or.jp

From owner-freebsd-audit Sun Aug 12 16:10:41 2001
Message-Id: <200108122310.f7CNAUZ01898@green.bikeshed.org>
To: "Akinori MUSHA"
Cc: Mike Barcroft, audit@FreeBSD.org
Subject: Re: adding -P option to pkg_delete(1)
From: "Brian F. Feldman"
Date: Sun, 12 Aug 2001 19:10:29 -0400

static Boolean
is_shlib(const char *filename)
{
	regex_t reg;
	Boolean ret;

	if (regcomp(&reg, "[^/]\\.so(\\.[[:digit:]]+)*$", REG_EXTENDED) != 0)
		return (FALSE);
	ret = regexec(&reg, filename, 0, NULL, 0) == 0;
	regfree(&reg);
	return (ret);
}

-- 
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'

From owner-freebsd-audit Sun Aug 12 17:18:22 2001
Date: Sun, 12 Aug 2001 20:39:14 -0400
From: Mike Barcroft
To: Akinori MUSHA
Cc: green@FreeBSD.org, audit@FreeBSD.org
Subject: Re: adding -P option to pkg_delete(1)
Message-ID: <20010812203914.C29363@coffee.q9media.com>

On Mon, Aug 13, 2001 at 06:12:15AM +0900, Akinori MUSHA wrote:
> > Neither do I.  Mostly because you could be accessing memory before
> > filename starts.
> 
> No, no.  If (p - filename < 2) is false, the rest is not evaluated.
> It would be more than just "don't like" if the code had such a
> terrible flaw. ;)
> 
> The reason why I don't like it is because it goes to extremes for
> performance, to result in less readable, inflexible code.

I'm quite sure it has problems, it was just an example of how it could
be achieved with traversing filename a half-dozen times.  But of course
Brian is correct, we should just use regex instead of trying to
reinvent the wheel.

Best regards,
Mike Barcroft

From owner-freebsd-audit Mon Aug 13 17:41:14 2001
Date: Mon, 13 Aug 2001 17:40:01 -0700
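An added example, not code from the thread or from pkg_install: it puts the regex check Brian posted (compiled once, with its error path) beside a single-pass scanner that handles the cases Akinori raised, and runs both over a constructed list of file names. The sample names, `is_shlib_regex`, `is_shlib_scan` and `count_mismatches` are this example's own.

```c
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Regex version of the check (the ERE from the thread), compiled once. */
static regex_t shlib_re;
static int shlib_re_ready;

static int
shlib_re_init(void)
{
	if (!shlib_re_ready) {
		if (regcomp(&shlib_re, "[^/]\\.so(\\.[[:digit:]]+)*$",
		    REG_EXTENDED | REG_NOSUB) != 0)
			return (-1);
		shlib_re_ready = 1;
	}
	return (0);
}

/* Returns 1 if filename looks like a shared library, else 0. */
int
is_shlib_regex(const char *filename)
{
	if (shlib_re_init() != 0)
		return (0);	/* a broken pattern means "not a shlib" */
	return (regexec(&shlib_re, filename, 0, NULL, 0) == 0);
}

/*
 * Hand-written version: one pass over the base name.  Accepts NAME.so
 * and NAME.so.N[.N...], rejects dotfiles ("foo/.so") and trailing junk
 * after ".so" ("foo.so4", "foo.sock").  ctype calls get an unsigned
 * char so high-bit bytes in a name are not undefined behaviour.
 */
int
is_shlib_scan(const char *filename)
{
	const char *base, *p, *last_so = NULL;

	base = strrchr(filename, '/');
	base = (base != NULL) ? base + 1 : filename;
	if (*base == '\0' || *base == '.')
		return (0);		/* empty name or dotfile */
	/* find the last ".so" in the base name (a "strrstr") */
	for (p = base + 1; (p = strstr(p, ".so")) != NULL; p += 3)
		last_so = p;
	if (last_so == NULL)
		return (0);
	/* what follows ".so" must be zero or more ".<digits>" groups */
	for (p = last_so + 3; *p != '\0'; ) {
		if (*p != '.' || !isdigit((unsigned char)p[1]))
			return (0);
		for (p++; isdigit((unsigned char)*p); p++)
			;
	}
	return (1);
}

/* Constructed sample names with the verdict the thread argues for. */
struct sample { const char *name; int shlib; };
static const struct sample samples[] = {
	{ "libc.so", 1 },           { "libc.so.4", 1 },
	{ "lib/libfoo.so.1.2", 1 }, { "foo.so.1.so", 1 },
	{ "foo/.so", 0 },           { "foo.so4", 0 },
	{ "foo.sock", 0 },          { "libfoo.so.", 0 },
	{ "libfoo.so.1a", 0 },      { "foo.so/bar", 0 },
	{ ".so", 0 },               { "", 0 },
};

/* Number of samples on which impl disagrees with the expected verdict. */
int
count_mismatches(int (*impl)(const char *))
{
	size_t i;
	int bad = 0;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		if (impl(samples[i].name) != samples[i].shlib)
			bad++;
	return (bad);
}

int
main(void)
{
	printf("regex: %d mismatches, scan: %d mismatches\n",
	    count_mismatches(is_shlib_regex),
	    count_mismatches(is_shlib_scan));
	return (0);
}
```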
From: Seth Kingsley
To: Kris Kennaway, obrien@freebsd.org
Cc: audit@freebsd.org
Subject: Re: WFORMAT=1 errors
Message-ID: <20010813174001.B33585@meow.lab.nuxi.com>

On Fri, Aug 10, 2001 at 08:20:02PM -0700, Kris Kennaway wrote:
> On Fri, Aug 10, 2001 at 07:41:50PM -0700, Seth Kingsley wrote:
> > On Fri, Aug 10, 2001 at 06:21:26PM -0700, Kris Kennaway wrote:
> > > In the meantime, does anyone feel like fixing some of
> > > the following from usr.bin/
> > 
> > I'll take usr.bin/make, I've been working on some other modernizations
> > of it recently.
> 
> Excellent, thanks!

I'm running into a problem here with format strings that are being used
safely as pointers to string constants, but eliciting warnings because
they are not literal string constants.  The following test program should
_not_ cause warnings because of a non-constant format.  Unless I am
misunderstanding the purpose of this kind of format parameter auditing,
passing a pointer to string const should be perfectly acceptable.  And as
it is used in usr.bin/make, there is obviously no security issue with
this.

#include <stdio.h>

int
main(void)
{
	const char *fmt = "%s\n";

	printf(fmt, "Hello World");
	return 0;
}

I tried to modify /usr/src/contrib/gcc.295/c-common.c:check_format_info
to test the qualifiers of the string passed instead of merely testing
against it being a string constant.  I could not discern how to trace
the parse tree for the format parameter back to the qualifiers used in
its declaration.  This is something that somebody else would be able to
figure out much more readily.

If David is not willing to look at this right now, then maybe I can
appeal to the NetBSD people, where this type of warning option came
from?

-- 
|| Seth Kingsley || Platforms Lab Opps || seth.kingsley@windriver.com ||

From owner-freebsd-audit Tue Aug 14 1:52: 7 2001
To: freebsd-gnats-submit@FreeBSD.ORG
Cc: freebsd-audit@FreeBSD.ORG
Subject: Re: bin/29625: limits -d etc. should not output warning
Message-Id: <20010814085203.2D2AC37B408@hub.freebsd.org>
Date: Tue, 14 Aug 2001 01:52:03 -0700 (PDT)
From: jkoshy@FreeBSD.ORG (Joseph Koshy)

The problem turns out to be in our implementation of `getopt(3)' and
not in /usr/bin/limits.

If 'optstring' passed to getopt() starts with a leading ':', then
getopt() should not print a warning for missing arguments.

The attached patch fixes this.  Could someone on -audit please review?

Regards,
Koshy

Content-Disposition: attachment; filename="getopt-patch"

Index: getopt.c
===================================================================
RCS file: /home/ncvs/src/lib/libc/stdlib/getopt.c,v
retrieving revision 1.3
diff -u -r1.3 getopt.c
--- getopt.c	2000/09/04 03:49:22	1.3
+++ getopt.c	2001/08/14 08:25:54
@@ -65,7 +65,6 @@
 	extern char *__progname;
 	static char *place = EMSG;		/* option letter processing */
 	char *oli;				/* option letter list index */
-	int ret;
 
 	if (optreset || !*place) {		/* update scanning pointer */
 		optreset = 0;
@@ -105,14 +104,12 @@
 		else if (nargc <= ++optind) {	/* no arg */
 			place = EMSG;
 			if (*ostr == ':')
-				ret = BADARG;
-			else
-				ret = BADCH;
+				return (BADARG);
 			if (opterr)
 				(void)fprintf(stderr,
 				    "%s: option requires an argument -- %c\n",
 				    __progname, optopt);
-			return (ret);
+			return (BADCH);
 		} else				/* white space */
 			optarg = nargv[optind];

From owner-freebsd-audit Tue Aug 14 2:40:32 2001
Date: Tue, 14 Aug 2001 02:40:27 -0700
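Review bot: in the second hunk, the new `return (BADARG);` in the `*ostr == ':'` branch exits before the `if (opterr)` diagnostic, so a leading ':' in optstring now suppresses the "option requires an argument" message regardless of opterr; that is the POSIX-specified behaviour, but it is a visible change for callers, so getopt(3) should document that a leading ':' both returns BADARG and silences the diagnostic. Also, the hunk header `@@ -105,14 +104,12 @@` announces 14 old and 12 new lines while the hunk as quoted here shows 13 and 11, so its last context line appears to have been lost in the mail; make sure the patch still applies cleanly before committing.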
From: Kris Kennaway
To: Seth Kingsley
Cc: Kris Kennaway, obrien@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: WFORMAT=1 errors
Message-ID: <20010814024026.A36283@xor.obsecurity.org>

On Mon, Aug 13, 2001 at 05:40:01PM -0700, Seth Kingsley wrote:
> I'm running into a problem here with format strings that are being used
> safely as pointers to string constants, but eliciting warnings because
> they are not literal string constants.  The following test program should
> _not_ cause warnings because of a non-constant format.  Unless I am
> misunderstanding the purpose of this kind of format parameter auditing,
> passing a pointer to string const should be perfectly acceptable.  And as
> it is used in usr.bin/make, there is obviously no security issue with
> this.
> 
> #include <stdio.h>
> 
> int
> main(void)
> {
> 	const char *fmt = "%s\n";
> 
> 	printf(fmt, "Hello World");
> 	return 0;
> }

Make it a const char fmt[].  gcc doesn't complain if you repoint fmt
to something else if it's a const char * -- that something else can be
variable input and therefore potentially insecure:

#include <stdio.h>

int
main(int argc, char **argv)
{
	const char *fmt="%s\n";
	if (argc > 1)
		fmt = argv[1];
	printf(fmt, "bar");
	exit(0);
}

> cc -o /tmp/foo -Wnon-const-format ${BDECFLAGS} /tmp/foo.c
/tmp/foo.c: In function `main':
/tmp/foo.c:9: warning: non-constant format parameter

#include <stdio.h>

int
main(int argc, char **argv)
{
	const char fmt[]="%s\n";
	if (argc > 1) fmt = argv[1];
	printf(fmt, "bar");
	exit(0);
}

> cc -o /tmp/foo -Wnon-const-format ${BDECFLAGS} /tmp/foo.c
/tmp/foo.c: In function `main':
/tmp/foo.c:7: warning: assignment of read-only variable `fmt'
/tmp/foo.c:7: incompatible types in assignment

(Note: no variable format string warning, and we get extra warnings if
we try and repoint it anyway).

Kris

From owner-freebsd-audit Tue Aug 14 14: 7:40 2001
Date: Tue, 14 Aug 2001 14:06:59 -0700
From: Seth Kingsley To: Kris Kennaway Cc: obrien@FreeBSD.ORG, audit@FreeBSD.ORG Subject: Re: WFORMAT=1 errors Message-ID: <20010814140659.C12506@meow.lab.nuxi.com> References: <20010810182125.A47936@xor.obsecurity.org> <20010810194150.A71696@meow.lab.nuxi.com> <20010810202002.A49763@xor.obsecurity.org> <20010813174001.B33585@meow.lab.nuxi.com> <20010814024026.A36283@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="1ccMZA6j1vT5UqiK" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010814024026.A36283@xor.obsecurity.org>; from kris@obsecurity.org on Tue, Aug 14, 2001 at 02:40:27AM -0700 Organization: Wind River Systems X-Operating-System: FreeBSD 4.3-STABLE i386 X-GPG-Key-ID: 1024D/5C413B08 X-GPG-Key-Fingerprint: F772 5D24 02B4 D233 90F5 080F 0F50 3298 5C41 3B08 Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG --1ccMZA6j1vT5UqiK Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Aug 14, 2001 at 02:40:27AM -0700, Kris Kennaway wrote: > Make it a const char fmt[]. gcc doesn't complain if you repoint fmt > to something else if it's a const char * -- that something else can be > variable input and therefore potentially insecure: Ahh, right you are, the const qualifier can be granted later through a function call. > [...] >=20 > (Note: no variable format string warning, and we get extra warnings if > we try and repoint it anyway). My problem with this is that the strings can not always be declared as character arrays. In the usr.bin/make case in fact, the format strings are kept in a structure that defines how different command syntaxes for different shells get passed as arguments to them. 
    struct shell_desc {
        const char *echo_fmt;
    };

    static struct shell_desc sh_desc = {"echo \"%s\""};

    sprintf(cmd, sh_desc.echo_fmt, echo_str);

Is there any way around this?

-- 
|| Seth Kingsley || Platforms Lab Opps || seth.kingsley@windriver.com ||

From owner-freebsd-audit Tue Aug 14 14:36:03 2001
Date: Wed, 15 Aug 2001 01:35:13 +0200 (CEST)
From: Michael Reifenberger
To: audit@freebsd.org
Subject: linux ipcs doesn't work in emulation
Message-ID: <20010815013309.D479-200000@nihil>

Hi,
could one please review and commit the attached patch.
It is the needed step in getting "/compat/linux/usr/bin/ipcs -s" working.
Furthermore it enhances the sysv[sem|shm] sysctls into tunables so they
can be preset to usable values at modload time.
I've also filed a PR for this as a reminder:
http://www.freebsd.org/cgi/query-pr.cgi?pr=29698

Bye!
---- Michael Reifenberger ^.*Plaut.*$, IT, R/3 Basis, GPS --0-230822642-997788241=:7052 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME="sem.patch" Content-Transfer-Encoding: BASE64 Content-ID: <20010814132401.B7052@nihil> Content-Description: Content-Disposition: ATTACHMENT; FILENAME="sem.patch" LS0tIC4vaTM4Ni9saW51eC9saW51eC5oLm9yaWcJV2VkIEF1ZyAgOCAwMDow OToyOCAyMDAxDQorKysgLi9pMzg2L2xpbnV4L2xpbnV4LmgJTW9uIEF1ZyAx MyAwMDo0MTo1MCAyMDAxDQpAQCAtNDU3LDQgKzQ1Nyw2IEBADQogI2RlZmlu ZQlMSU5VWF9TRVRWQUwJCTE2DQogI2RlZmluZQlMSU5VWF9TRVRBTEwJCTE3 DQorI2RlZmluZQlMSU5VWF9TRU1fU1RBVAkJMTgNCisjZGVmaW5lCUxJTlVY X1NFTV9JTkZPCQkxOQ0KIA0KIC8qDQotLS0gLi9rZXJuL3N5c3Zfc2VtLmMu b3JpZwlTdW4gQXVnIDEyIDEzOjE4OjM0IDIwMDENCisrKyAuL2tlcm4vc3lz dl9zZW0uYwlTdW4gQXVnIDEyIDIzOjMxOjEwIDIwMDENCkBAIC0xNzEsNCAr MTcxLDE0IEBADQogCXJlZ2lzdGVyIGludCBpOw0KIA0KKwlUVU5BQkxFX0lO VF9GRVRDSCgia2Vybi5pcGMuc2VtbWFwIiwgJnNlbWluZm8uc2VtbWFwKTsN CisJVFVOQUJMRV9JTlRfRkVUQ0goImtlcm4uaXBjLnNlbW1uaSIsICZzZW1p bmZvLnNlbW1uaSk7DQorCVRVTkFCTEVfSU5UX0ZFVENIKCJrZXJuLmlwYy5z ZW1tbnMiLCAmc2VtaW5mby5zZW1tbnMpOw0KKwlUVU5BQkxFX0lOVF9GRVRD SCgia2Vybi5pcGMuc2VtbW51IiwgJnNlbWluZm8uc2VtbW51KTsNCisJVFVO QUJMRV9JTlRfRkVUQ0goImtlcm4uaXBjLnNlbW1zbCIsICZzZW1pbmZvLnNl bW1zbCk7DQorCVRVTkFCTEVfSU5UX0ZFVENIKCJrZXJuLmlwYy5zZW1vcG0i LCAmc2VtaW5mby5zZW1vcG0pOw0KKwlUVU5BQkxFX0lOVF9GRVRDSCgia2Vy bi5pcGMuc2VtdW1lIiwgJnNlbWluZm8uc2VtdW1lKTsNCisJVFVOQUJMRV9J TlRfRkVUQ0goImtlcm4uaXBjLnNlbXVzeiIsICZzZW1pbmZvLnNlbXVzeik7 DQorCVRVTkFCTEVfSU5UX0ZFVENIKCJrZXJuLmlwYy5zZW12bXgiLCAmc2Vt aW5mby5zZW12bXgpOw0KKwlUVU5BQkxFX0lOVF9GRVRDSCgia2Vybi5pcGMu c2VtYWVtIiwgJnNlbWluZm8uc2VtYWVtKTsNCiAJc2VtID0gbWFsbG9jKHNp emVvZihzdHJ1Y3Qgc2VtKSAqIHNlbWluZm8uc2VtbW5zLCBNX1NFTSwgTV9X QUlUT0spOw0KIAlpZiAoc2VtID09IE5VTEwpDQpAQCAtNDcxLDQgKzQ4MSwy MSBAQA0KIAkJcmV0dXJuIChFTk9TWVMpOw0KIA0KKwlzd2l0Y2goY21kKSB7 DQorCWNhc2UgU0VNX1NUQVQ6DQorCQlpZiAoc2VtaWQgPCAwIHx8IHNlbWlk ID49IHNlbWluZm8uc2VtbXNsKQ0KKwkgCQlyZXR1cm4oRUlOVkFMKTsNCisJ 
CXNlbWFwdHIgPSAmc2VtYVtzZW1pZF07DQorCQlpZiAoKHNlbWFwdHItPnNl bV9wZXJtLm1vZGUgJiBTRU1fQUxMT0MpID09IDAgKQ0KKwkJCXJldHVybihF SU5WQUwpOw0KKwkJaWYgKChldmFsID0gaXBjcGVybShwLCAmc2VtYXB0ci0+ c2VtX3Blcm0sIElQQ19SKSkpDQorCQkJcmV0dXJuKGV2YWwpOw0KKwkJaWYg KChldmFsID0gY29weWluKGFyZywgJnJlYWxfYXJnLCBzaXplb2YocmVhbF9h cmcpKSkgIT0gMCkNCisJCQlyZXR1cm4oZXZhbCk7DQorCQlldmFsID0gY29w eW91dCgoY2FkZHJfdClzZW1hcHRyLCByZWFsX2FyZy5idWYsDQorCQkgICAg c2l6ZW9mKHN0cnVjdCBzZW1pZF9kcykpOw0KKwkJcnZhbCA9IElYU0VRX1RP X0lQQ0lEKHNlbWlkLHNlbWFwdHItPnNlbV9wZXJtKTsNCisJCWdvdG8gb3V0 Ow0KKwl9DQorDQogCXNlbWlkID0gSVBDSURfVE9fSVgoc2VtaWQpOw0KIAlp ZiAoc2VtaWQgPCAwIHx8IHNlbWlkID49IHNlbWluZm8uc2VtbXNsKQ0KQEAg LTYwMiw0ICs2MjksNiBAQA0KIAkJcmV0dXJuKEVJTlZBTCk7DQogCX0NCisJ DQorb3V0Og0KIA0KIAlpZiAoZXZhbCA9PSAwKQ0KLS0tIC4va2Vybi9zeXN2 X3NobS5jLm9yaWcJU3VuIEF1ZyAxMiAxMzoxODo0MyAyMDAxDQorKysgLi9r ZXJuL3N5c3Zfc2htLmMJU3VuIEF1ZyAxMiAyMToxMTozNiAyMDAxDQpAQCAt NzE2LDQgKzcxNiwxMCBAQA0KIAlpbnQgaTsNCiANCitUVU5BQkxFX0lOVF9G RVRDSCgia2Vybi5pcGMuc2htbWF4cGdzIiwgJnNobWluZm8uc2htYWxsKTsN CitzaG1pbmZvLnNobW1heCA9IHNobWluZm8uc2htYWxsICogUEFHRV9TSVpF Ow0KK1RVTkFCTEVfSU5UX0ZFVENIKCJrZXJuLmlwYy5zaG1taW4iLCAmc2ht aW5mby5zaG1taW4pOw0KK1RVTkFCTEVfSU5UX0ZFVENIKCJrZXJuLmlwYy5z aG1tbmkiLCAmc2htaW5mby5zaG1tbmkpOw0KK1RVTkFCTEVfSU5UX0ZFVENI KCJrZXJuLmlwYy5zaG1zZWciLCAmc2htaW5mby5zaG1zZWcpOw0KK1RVTkFC TEVfSU5UX0ZFVENIKCJrZXJuLmlwYy5zaG1fdXNlX3BoeXMiLCAmc2htX3Vz ZV9waHlzKTsNCiAJc2htYWxsb2NlZCA9IHNobWluZm8uc2htbW5pOw0KIAlz aG1zZWdzID0gbWFsbG9jKHNobWFsbG9jZWQgKiBzaXplb2Yoc2htc2Vnc1sw XSksIE1fU0hNLCBNX1dBSVRPSyk7DQotLS0gLi9zeXMvc2VtLmgub3JpZwlT dW4gQXVnIDEyIDIzOjE3OjMyIDIwMDENCisrKyAuL3N5cy9zZW0uaAlNb24g QXVnIDEzIDAwOjQwOjUwIDIwMDENCkBAIC01OSw0ICs1OSw2IEBADQogI2Rl ZmluZSBTRVRWQUwJOAkvKiBTZXQgdGhlIHZhbHVlIG9mIHNlbXZhbCB0byBh cmcudmFsIHtBTFRFUn0gKi8NCiAjZGVmaW5lIFNFVEFMTAk5CS8qIFNldCBz ZW12YWxzIGZyb20gYXJnLmFycmF5IHtBTFRFUn0gKi8NCisjZGVmaW5lIFNF TV9TVEFUIDEwIC8qIExpa2UgSVBDX1NUQVQgYnV0IHRyZWF0cyBzZW1pZCBh 
cyBzZW1hLWluZGV4Ki8NCisjZGVmaW5lIFNFTV9JTkZPIDExIC8qIGZvciBm dXR1cmUgdXNlICovDQogDQogLyoNCi0tLSAuL2NvbXBhdC9saW51eC9saW51 eF9pcGMuYy5vcmlnCVNhdCBBdWcgIDQgMTc6NDk6MzMgMjAwMQ0KKysrIC4v Y29tcGF0L2xpbnV4L2xpbnV4X2lwYy5jCU1vbiBBdWcgMTMgMDA6NDU6Mjcg MjAwMQ0KQEAgLTQxLDQgKzQxLDM0IEBADQogI2luY2x1ZGUgPGNvbXBhdC9s aW51eC9saW51eF91dGlsLmg+DQogDQorc3RydWN0IGxpbnV4X3NlbWluZm8g ew0KKyAgICAgICAgaW50IHNlbW1hcDsNCisgICAgICAgIGludCBzZW1tbmk7 DQorICAgICAgICBpbnQgc2VtbW5zOw0KKyAgICAgICAgaW50IHNlbW1udTsN CisgICAgICAgIGludCBzZW1tc2w7DQorICAgICAgICBpbnQgc2Vtb3BtOw0K KyAgICAgICAgaW50IHNlbXVtZTsNCisgICAgICAgIGludCBzZW11c3o7DQor ICAgICAgICBpbnQgc2Vtdm14Ow0KKyAgICAgICAgaW50IHNlbWFlbTsNCit9 Ow0KKw0KK3N0cnVjdCBsaW51eF9zaG1pbmZvIHsNCisgICAgICAgIGludCBz aG1tYXg7DQorICAgICAgICBpbnQgc2htbWluOw0KKyAgICAgICAgaW50IHNo bW1uaTsNCisgICAgICAgIGludCBzaG1zZWc7DQorICAgICAgICBpbnQgc2ht YWxsOw0KK307DQorDQorc3RydWN0IGxpbnV4X3NobV9pbmZvIHsNCisgICAg ICAgIGludCB1c2VkX2lkczsNCisgICAgICAgIHVuc2lnbmVkIGxvbmcgc2ht X3RvdDsgIC8qIHRvdGFsIGFsbG9jYXRlZCBzaG0gKi8NCisgICAgICAgIHVu c2lnbmVkIGxvbmcgc2htX3JzczsgIC8qIHRvdGFsIHJlc2lkZW50IHNobSAq Lw0KKyAgICAgICAgdW5zaWduZWQgbG9uZyBzaG1fc3dwOyAgLyogdG90YWwg c3dhcHBlZCBzaG0gKi8NCisgICAgICAgIHVuc2lnbmVkIGxvbmcgc3dhcF9h dHRlbXB0czsNCisgICAgICAgIHVuc2lnbmVkIGxvbmcgc3dhcF9zdWNjZXNz ZXM7DQorfTsNCisNCiBzdHJ1Y3QgbGludXhfaXBjX3Blcm0gew0KICAgICBs aW51eF9rZXlfdCBrZXk7DQpAQCAtMTgzLDQgKzIxMyw1IEBADQogew0KIAlz dHJ1Y3QgbGludXhfc2VtaWRfZHMJbGludXhfc2VtaWQ7DQorCXN0cnVjdCBs aW51eF9zZW1pbmZvIGxpbnV4X3NlbWluZm87DQogCXN0cnVjdCBzZW1pZF9k cwlic2Rfc2VtaWQ7DQogCXN0cnVjdCBfX3NlbWN0bF9hcmdzIC8qIHsNCkBA IC0yMzgsNSArMjY5LDkgQEANCiAJCXJldHVybiBfX3NlbWN0bChwLCAmYnNk X2FyZ3MpOw0KIAljYXNlIExJTlVYX0lQQ19TVEFUOg0KLQkJYnNkX2FyZ3Mu Y21kID0gSVBDX1NUQVQ7DQorCWNhc2UgTElOVVhfU0VNX1NUQVQ6DQorCQlp ZiggYXJncy0+YXJnMyA9PSBJUENfU1RBVCApDQorCQkJYnNkX2FyZ3MuY21k ID0gSVBDX1NUQVQ7DQorCQllbHNlDQorCQkJYnNkX2FyZ3MuY21kID0gU0VN X1NUQVQ7DQogCQl1bnB0ciA9IHN0YWNrZ2FwX2FsbG9jKCZzZywgc2l6ZW9m 
KHVuaW9uIHNlbXVuICopKTsNCiAJCWRzcCA9IHN0YWNrZ2FwX2FsbG9jKCZz Zywgc2l6ZW9mKHN0cnVjdCBzZW1pZF9kcykpOw0KQEAgLTI1NSw1ICsyOTAs MjQgQEANCiAJCWlmIChlcnJvcikNCiAJCQlyZXR1cm4gZXJyb3I7DQorCQlw LT5wX3JldHZhbFswXSA9IElYU0VRX1RPX0lQQ0lEKGJzZF9hcmdzLnNlbWlk LCBic2Rfc2VtaWQuc2VtX3Blcm0pOw0KIAkJcmV0dXJuIGNvcHlvdXQoKGNh ZGRyX3QpJmxpbnV4X3NlbWlkLCBsZHNwLCBzaXplb2YobGludXhfc2VtaWQp KTsNCisJY2FzZSBMSU5VWF9JUENfSU5GTzoNCisJY2FzZSBMSU5VWF9TRU1f SU5GTzoNCisJCWVycm9yID0gY29weWluKGFyZ3MtPnB0ciwgJmxkc3AsIHNp emVvZihsZHNwKSk7DQorCQlpZiAoZXJyb3IpDQorCQkJcmV0dXJuIGVycm9y Ow0KKwkJYmNvcHkoJnNlbWluZm8sICZsaW51eF9zZW1pbmZvLCBzaXplb2Yo bGludXhfc2VtaW5mbykgKTsNCisvKiBYWFggDQorI2RlZmluZSB1c2VkX3Nl bWlkcyAxMA0KKyNkZWZpbmUgdXNlZF9zZW1zIDEwDQorCSAgICAgICAgbGlu dXhfc2VtaW5mby5zZW11c3ogPSB1c2VkX3NlbWlkczsNCisgICAJCSAgICBs aW51eF9zZW1pbmZvLnNlbWFlbSA9IHVzZWRfc2VtczsNCisJCX0gKi8NCisJ CWVycm9yID0gY29weW91dCgoY2FkZHJfdCkmbGludXhfc2VtaW5mbywgbGRz cCwgDQorCQkJCXNpemVvZihsaW51eF9zZW1pbmZvKSApOw0KKwkJaWYgKGVy cm9yKQ0KKwkJCXJldHVybiBlcnJvcjsNCisJCXAtPnBfcmV0dmFsWzBdID0g c2VtaW5mby5zZW1tbmk7DQorCQlyZXR1cm4oMCk7DQogCWNhc2UgTElOVVhf R0VUQUxMOg0KIAkJLyogRkFMTFRIUk9VR0ggKi8NCg== --0-230822642-997788241=:7052-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Tue Aug 14 15:16: 2 2001 Delivered-To: freebsd-audit@freebsd.org Received: from coffee.q9media.com (coffee.q9media.com [216.94.229.19]) by hub.freebsd.org (Postfix) with ESMTP id 26AE937B401 for ; Tue, 14 Aug 2001 15:15:55 -0700 (PDT) (envelope-from mike@coffee.q9media.com) Received: (from mike@localhost) by coffee.q9media.com (8.11.2/8.11.3) id f7EMb5034739; Tue, 14 Aug 2001 18:37:05 -0400 (EDT) (envelope-from mike) Date: Tue, 14 Aug 2001 18:37:05 -0400 
From: Mike Barcroft
To: Kris Kennaway
Cc: audit@FreeBSD.org
Subject: Re: WFORMAT=1 errors
Message-ID: <20010814183705.A34215@coffee.q9media.com>
In-Reply-To: <20010810182125.A47936@xor.obsecurity.org>; from kris@obsecurity.org on Fri, Aug 10, 2001 at 06:21:26PM -0700
Organization: The FreeBSD Project

On Fri, Aug 10, 2001 at 06:21:26PM -0700, Kris Kennaway wrote:
> I'm going to start locking down the bits of the tree which compile
> with WFORMAT=1. In the meantime, does anyone feel like fixing some of
> the following from usr.bin/ (this is a warning list from alpha: most
> of these are probably easy to fix, although some are impossible)?
[...]
> ===> ncal
> Warning: Object directory not changed from original /j/kris/src/usr.bin/ncal
> cc -O -pipe -mcpu=ev5 -Wall -Wmissing-prototypes -fstrict-prototypes -ansi -pedantic -Wnon-const-format -Wno-format-extra-args -Werror -c ncal.c
> cc1: warnings being treated as errors
> ncal.c: In function `mkmonth':
> ncal.c:590: warning: flag `O' used with type `B'
> ncal.c: In function `mkmonthb':
> ncal.c:682: warning: flag `O' used with type `B'
> *** Error code 1
> `all' not remade because of errors.
[...]

I don't think this warning can be fixed without modifying GCC.
Best regards,
Mike Barcroft

From owner-freebsd-audit Tue Aug 14 18:50:45 2001
Date: Wed, 15 Aug 2001 11:47:55 +1000 (EST)
From: Bruce Evans
To: Seth Kingsley
Cc: Kris Kennaway, obrien@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: WFORMAT=1 errors
In-Reply-To: <20010814140659.C12506@meow.lab.nuxi.com>
Message-ID: <20010815113407.X17074-100000@besplex.bde.org>

On Tue, 14 Aug 2001, Seth Kingsley wrote:

> On Tue, Aug 14, 2001 at 02:40:27AM -0700, Kris Kennaway wrote:
> > Make it a const char fmt[]. gcc doesn't complain if you repoint fmt
> > to something else if it's a const char * -- that something else can be
> > variable input and therefore potentially insecure:
>
> Ahh, right you are, the const qualifier can be granted later through a
> function call.

It's a negative grant, and can be granted in other ways (mainly by
assignment and casts).

> > [...]
> >
> > (Note: no variable format string warning, and we get extra warnings if
> > we try and repoint it anyway).
>
> My problem with this is that the strings cannot always be declared as
> character arrays. In the usr.bin/make case in fact, the format strings
> are kept in a structure that defines how different command syntaxes for
> different shells get passed as arguments to them.
>
> struct shell_desc {
>     const char *echo_fmt;
> };
>
> static struct shell_desc sh_desc = {"echo \"%s\""};
>
> sprintf(cmd, sh_desc.echo_fmt, echo_str);
>
> Is there any way around this?

No (modulo bugs). Format strings that have been constructed at runtime
(e.g., using sprintf(), or read from a message catalog) can't pass the
WFORMAT=1 checks, since a different construction might give buffer
overruns or arg mismatches.
Bruce

From owner-freebsd-audit Tue Aug 14 19:57:46 2001
Date: Tue, 14 Aug 2001 19:56:28 -0700
From: Seth Kingsley
To: Bruce Evans
Cc: Kris Kennaway, obrien@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: WFORMAT=1 errors
Message-ID: <20010814195628.F12506@meow.lab.nuxi.com>
In-Reply-To: <20010815113407.X17074-100000@besplex.bde.org>; from bde@zeta.org.au on Wed, Aug 15, 2001 at 11:47:55AM +1000
Organization: Wind River Systems

On Wed, Aug 15, 2001 at 11:47:55AM +1000, Bruce Evans wrote:
> On Tue, 14 Aug 2001, Seth Kingsley wrote:
> >
> > struct shell_desc {
> >     const char *echo_fmt;
> > };
> >
> > static struct shell_desc sh_desc = {"echo \"%s\""};
> >
> > sprintf(cmd, sh_desc.echo_fmt, echo_str);
> >
> > Is there any way around this?
>
> No (modulo bugs). Format strings that have been constructed at runtime
> (e.g., using sprintf(), or read from a message catalog) can't pass the
> WFORMAT=1 checks, since a different construction might give buffer
> overruns or arg mismatches.

Argh, but this code snippet is clearly not in violation of those rules.
-- 
|| Seth Kingsley || Platforms Lab Opps || seth.kingsley@windriver.com ||

From owner-freebsd-audit Tue Aug 14 20:26:13 2001
Date: Tue, 14 Aug 2001 20:25:52 -0700
From: Kris Kennaway
To: Bruce Evans
Cc: Seth Kingsley, Kris Kennaway, obrien@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: WFORMAT=1 errors
Message-ID: <20010814202552.B44589@xor.obsecurity.org>
In-Reply-To: <20010815113407.X17074-100000@besplex.bde.org>; from bde@zeta.org.au on Wed, Aug 15, 2001 at 11:47:55AM +1000

On Wed, Aug 15, 2001 at 11:47:55AM +1000, Bruce Evans wrote:
> No (modulo bugs). Format strings that have been constructed at runtime
> (e.g., using sprintf(), or read from a message catalog) can't pass the
> WFORMAT=1 checks, since a different construction might give buffer
> overruns or arg mismatches.

Actually, fmtcheck() can be used to sanitize variable format strings and
silence the warning - but it isn't always convenient to use. For one
thing, there isn't always a good default format string to use in case of
format string/argument mismatch: I haven't thought of anything better to
use in this case other than something like "Recovered format string
error: %s %s %x" or similar :-/

Other common causes of the warning are using a switch() to format
arguments of different types in different cases (fmt="%c", fmt="%x",
fmt="%d" etc). Sometimes these cases can be rewritten to avoid the need
to assign a format string variable, but it can also be inconvenient.

It would be nice to be able to silence gcc in the cases where you know
within the logic of the code that the format string can never be abused.
Kris

From owner-freebsd-audit Tue Aug 14 20:29:11 2001
Date: Tue, 14 Aug 2001 20:29:04 -0700
From: Kris Kennaway
To: Mike Barcroft
Cc: Kris Kennaway, audit@FreeBSD.ORG
Subject: Re: WFORMAT=1 errors
Message-ID: <20010814202904.A45610@xor.obsecurity.org>
In-Reply-To: <20010814183705.A34215@coffee.q9media.com>; from mike@FreeBSD.ORG on Tue, Aug 14, 2001 at 06:37:05PM -0400

On Tue, Aug 14, 2001 at 06:37:05PM -0400, Mike Barcroft wrote:
> On Fri, Aug 10, 2001 at 06:21:26PM -0700, Kris Kennaway wrote:
> > I'm going to start locking down the bits of the tree which compile
> > with WFORMAT=1. In the meantime, does anyone feel like fixing some of
> > the following from usr.bin/ (this is a warning list from alpha: most
> > of these are probably easy to fix, although some are impossible)?
>
> [...]
> > ===> ncal
> > Warning: Object directory not changed from original /j/kris/src/usr.bin/ncal
> > cc -O -pipe -mcpu=ev5 -Wall -Wmissing-prototypes -fstrict-prototypes -ansi -pedantic -Wnon-const-format -Wno-format-extra-args -Werror -c ncal.c
> > cc1: warnings being treated as errors
> > ncal.c: In function `mkmonth':
> > ncal.c:590: warning: flag `O' used with type `B'
> > ncal.c: In function `mkmonthb':
> > ncal.c:682: warning: flag `O' used with type `B'
> > *** Error code 1
> > `all' not remade because of errors.
> [...]
>
> I don't think this warning can be fixed without modifying GCC.

Yeah.. there are others like this too. Still, we can do what we can.
Kris

From owner-freebsd-audit Tue Aug 14 21:04:41 2001
Date: Wed, 15 Aug 2001 14:01:49 +1000 (EST)
From: Bruce Evans
To: Seth Kingsley
Cc: Kris Kennaway, obrien@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: WFORMAT=1 errors
In-Reply-To: <20010814195628.F12506@meow.lab.nuxi.com>
Message-ID: <20010815132535.A17665-100000@besplex.bde.org>

On Tue, 14 Aug 2001, Seth Kingsley wrote:

> On Wed, Aug 15, 2001 at 11:47:55AM +1000, Bruce Evans wrote:
> > On Tue, 14 Aug 2001, Seth Kingsley wrote:
> > >
> > > struct shell_desc {
> > >     const char *echo_fmt;
> > > };
> > >
> > > static struct shell_desc sh_desc = {"echo \"%s\""};
> > >
> > > sprintf(cmd, sh_desc.echo_fmt, echo_str);
> > >
> > > Is there any way around this?
> >
> > No (modulo bugs). Format strings that have been constructed at runtime
> > (e.g., using sprintf(), or read from a message catalog) can't pass the
> > WFORMAT=1 checks, since a different construction might give buffer
> > overruns or arg mismatches.
>
> Argh, but this code snippet is clearly not in violation of those rules.

But it is. shell_desc is a trivial message catalog which you happen never
to change. In make/job.c, the message catalog is sometimes "read" from
shells[shellnum], but it is read from makefiles for the .SHELL directive!
See jobParseShell() and the make tutorial.
Bruce

From owner-freebsd-audit Wed Aug 15 14:28:02 2001
In-Reply-To: <20010814085203.2D2AC37B408@hub.freebsd.org>
Date: Wed, 15 Aug 2001 17:26:28 -0400 (EDT)
Reply-To: Mike Heffner
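The block below is an added example, not code from this thread, from make(1)'s job.c or from FreeBSD's libc. It makes two points of the exchange above concrete: Kris's remark that fmtcheck() can sanitize a variable format string and silence the warning, and Bruce's point that make's per-shell echo format is a message catalog that a makefile's .SHELL directive can replace. check_format() re-implements the contract of fmtcheck(3), whose libc prototype is `const char *fmtcheck(const char *fmt_suspect, const char *fmt_default)`, for the common conversions: the suspect format is returned only if it consumes exactly the argument sequence the trusted default does, otherwise the default is used (the "what do I fall back to" cost Kris mentions). The GCC format_arg attribute on it is what lets a call used directly as a printf format pass -Wformat-nonliteral. The struct shell_desc layout, the .SHELL-derived inputs and the echo strings are constructed for the example and assumed, not taken from job.c.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef __GNUC__
#define FMT_ARG(n) __attribute__((__format_arg__(n)))  /* result is a format derived from arg n */
#else
#define FMT_ARG(n)
#endif

/* Argument classes a printf(3) conversion can consume. */
enum argclass { AC_INT, AC_LONG, AC_LLONG, AC_DBL, AC_STR, AC_PTR };

/* Record the class of each argument a printf(3)-style format consumes ('*' widths and
 * precisions count as an int).  Returns the count, or -1 for a malformed or unsupported
 * (%n, "%1$d", wide %ls/%lc) format.  Own implementation, not libc's fmtcheck() parser. */
static int classify_format(const char *fmt, enum argclass *out, int max)
{
    int n = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (*++p == '%')
            continue;                                   /* "%%": literal percent */
        while (*p != '\0' && strchr("-+ #0", *p) != NULL)
            p++;                                        /* flags */
        if (*p == '*') { if (n >= max) return -1; out[n++] = AC_INT; p++; }  /* width */
        while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                                /* precision */
            p++;
            if (*p == '*') { if (n >= max) return -1; out[n++] = AC_INT; p++; }
            while (*p >= '0' && *p <= '9') p++;
        }
        int longs = 0;                                  /* length modifier; h and hh promote to int */
        if (*p == 'h') { p++; if (*p == 'h') p++; }
        else if (*p == 'l') { longs = 1; p++; if (*p == 'l') { longs = 2; p++; } }
        enum argclass c;
        switch (*p) {
        case 'd': case 'i': case 'o': case 'u': case 'x': case 'X':
            c = longs == 2 ? AC_LLONG : longs == 1 ? AC_LONG : AC_INT;
            break;
        case 'c': case 's': case 'p':
            if (longs) return -1;
            c = *p == 'c' ? AC_INT : *p == 's' ? AC_STR : AC_PTR;
            break;
        case 'e': case 'E': case 'f': case 'F': case 'g': case 'G':
            if (longs) return -1;
            c = AC_DBL;
            break;
        default:
            return -1;                                  /* %n, positional, unknown, or cut short */
        }
        if (n >= max) return -1;
        out[n++] = c;
    }
    return n;
}

/* Same contract as fmtcheck(3), re-implemented here: return suspect if it consumes
 * exactly the argument sequence def does, else def.  FMT_ARG(2) makes gcc check a call
 * used directly as a printf format against def, which is how fmtcheck() stays warning-free. */
static const char *check_format(const char *suspect, const char *def) FMT_ARG(2);
static const char *check_format(const char *suspect, const char *def)
{
    enum argclass a[16], b[16];
    int na = suspect != NULL ? classify_format(suspect, a, 16) : -1;
    int nb = classify_format(def, b, 16);
    if (na < 0 || nb < 0 || na != nb || memcmp(a, b, (size_t)na * sizeof a[0]) != 0)
        return def;
    return suspect;
}

/* Stand-in for make(1)'s per-shell table (an assumed layout, not job.c's):
 * echo_fmt is built in, but a makefile's .SHELL directive can replace it. */
struct shell_desc {
    const char *echo_fmt;                               /* must consume exactly one %s */
};
#define ECHO_FMT_DEFAULT "echo \"%s\""

/* Format one echo command into buf.  A shell format that does not take exactly one
 * string falls back to ECHO_FMT_DEFAULT, so "%x %x %n" from a makefile never reaches
 * snprintf.  Returns the length written, or -1 if buf is too small. */
static int build_echo_cmd(char *buf, size_t buflen, const struct shell_desc *sh,
                          const char *echo_str)
{
    int len = snprintf(buf, buflen, check_format(sh->echo_fmt, ECHO_FMT_DEFAULT), echo_str);
    return (len < 0 || (size_t)len >= buflen) ? -1 : len;
}

int main(void)
{
    /* Constructed inputs: the built-in entry, a harmless user shell, a hostile .SHELL format. */
    const struct shell_desc table[] = {
        { ECHO_FMT_DEFAULT }, { "print -r -- '%s'" }, { "echo %s %x %x %x %n" } };
    char cmd[128];
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (build_echo_cmd(cmd, sizeof cmd, &table[i], "building foo.o") >= 0)
            printf("%-24s -> %s\n", table[i].echo_fmt, cmd);
    return 0;
}
```

Compile it with cc -Wall -Wformat-nonliteral and the snprintf() in build_echo_cmd() stays quiet; replace the check_format() call with a bare sh->echo_fmt and the warning Seth hit comes back. The hostile third entry prints the same command as the built-in one because its %x and %n conversions fail the comparison. The checker is deliberately conservative: anything it does not understand is rejected rather than passed through, so a legitimate but exotic format (positional arguments, wide strings) also falls back to the default.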
From: Mike Heffner
To: Joseph Koshy
Subject: Re: bin/29625: limits -d etc. should not output warning
Cc: freebsd-audit@FreeBSD.ORG, freebsd-gnats-submit@FreeBSD.ORG

On 14-Aug-2001 Joseph Koshy wrote:
|
| The problem turns out to be in our implementation of `getopt(3)'
| and not in /usr/bin/limits.
|
| If 'optstring' passed to getopt() starts with a leading ':', then getopt()
| should not print a warning for missing arguments. The attached patch fixes
| this.
|
| Could someone on -audit please review?

Looks good. Is this to be an MFC candidate?

Mike

-- 
Mike Heffner
Fredericksburg, VA

From owner-freebsd-audit Thu Aug 16 02:19:47 2001
Date: Thu, 16 Aug 2001 18:19:22 +0900
Message-ID: <86k804weed.wl@archon.local.idaemons.org>
From: "Akinori MUSHA"
To: audit@FreeBSD.org
Cc: "Brian F. Feldman", Mike Barcroft, ports@FreeBSD.org
Subject: Re: adding -P option to pkg_delete(1)
In-Reply-To: <200108122310.f7CNAUZ01898@green.bikeshed.org>
Organization: Associated I. Daemons

OK, adopting green's suggestion I'd propose the attached patch again.
FWIW, I've confirmed that it works.

Since I've had no objection against it so far, I'm going to commit it
this weekend and do MFC after the 4.4-RELEASE unless someone objects.

FYI, 4.4-RELEASE users can use my pkg_deinstall(1) utility included in
sysutils/portupgrade. It is a wrapper of pkg_delete(1) with an almost
upward-compatible syntax, and which already has the -P option.

Mental note: We'll have to audit the whole pkg_install code to eliminate
possible buffer overflows.

-- 
                     /
                    /__  __                     Akinori.org / MUSHA.org
                   / )  )  ) )  /               FreeBSD.org / Ruby-lang.org
Akinori MUSHA aka / (_ /  ( (__(  @ iDaemons.org / and.or.jp

"Freeze this moment a little bit longer, make each impression a little bit stronger..
Experience slips away -- Time stand still" Index: add/perform.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/pkg_install/add/perform.c,v retrieving revision 1.65 diff -u -r1.65 perform.c --- add/perform.c 2001/08/15 14:22:01 1.65 +++ add/perform.c 2001/08/15 19:57:59 @@ -480,7 +480,7 @@ fail: /* Nuke the whole (installed) show, XXX but don't clean directories */ if (!Fake) - delete_package(FALSE, FALSE, &Plist); + delete_package(FALSE, FALSE, FALSE, &Plist); success: /* delete the packing list contents */ Index: delete/delete.h =================================================================== RCS file: /home/ncvs/src/usr.sbin/pkg_install/delete/delete.h,v retrieving revision 1.6 diff -u -r1.6 delete.h --- delete/delete.h 2001/02/27 09:00:18 1.6 +++ delete/delete.h 2001/08/05 17:39:55 @@ -28,6 +28,7 @@ extern Boolean Interactive; extern Boolean NoDeInstall; extern Boolean Force; +extern Boolean PreserveShlib; extern char *Directory; extern char *PkgName; extern match_t MatchType; Index: delete/main.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/pkg_install/delete/main.c,v retrieving revision 1.22 diff -u -r1.22 main.c --- delete/main.c 2001/08/02 13:13:05 1.22 +++ delete/main.c 2001/08/06 06:22:43 @@ -30,12 +30,13 @@ #include "lib.h" #include "delete.h" -static char Options[] = "adDfGhinp:vx"; +static char Options[] = "adDfGhinp:Pvx"; char *Prefix = NULL; Boolean CleanDirs = FALSE; Boolean Interactive = FALSE; Boolean NoDeInstall = FALSE; +Boolean PreserveShlib = FALSE; match_t MatchType = MATCH_GLOB; static void usage __P((void)); @@ -93,6 +94,10 @@ Interactive = TRUE; break; + case 'P': + PreserveShlib = TRUE; + break; + case 'h': case '?': default: 
@@ -148,7 +153,7 @@ usage() { fprintf(stderr, "%s\n%s\n", - "usage: pkg_delete [-dDfGinvx] [-p prefix] pkg-name ...", + "usage: pkg_delete [-dDfGinPvx] [-p prefix] pkg-name ...", " pkg_delete -a [flags]"); exit(1); } Index: delete/perform.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/pkg_install/delete/perform.c,v retrieving revision 1.32 diff -u -r1.32 perform.c --- delete/perform.c 2001/08/02 13:13:05 1.32 +++ delete/perform.c 2001/08/05 17:40:22 @@ -217,7 +217,7 @@ * Some packages aren't packed right, so we need to just ignore * delete_package()'s status. Ugh! :-( */ - if (delete_package(FALSE, CleanDirs, &Plist) == FAIL) + if (delete_package(FALSE, CleanDirs, PreserveShlib, &Plist) == FAIL) warnx( "couldn't entirely delete package (perhaps the packing list is\n" "incorrectly specified?)"); Index: delete/pkg_delete.1 =================================================================== RCS file: /home/ncvs/src/usr.sbin/pkg_install/delete/pkg_delete.1,v retrieving revision 1.26 diff -u -r1.26 pkg_delete.1 --- delete/pkg_delete.1 2001/07/15 08:02:37 1.26 +++ delete/pkg_delete.1 2001/08/06 06:20:53 @@ -25,7 +25,7 @@ .Nd a utility for deleting previously installed software package distributions .Sh SYNOPSIS .Nm -.Op Fl dDfGinvx +.Op Fl dDfGinPvx .Op Fl p Ar prefix .Ar pkg-name ... .Nm 
@@ -91,6 +91,14 @@
 which do not explicitly set theirs.  For most packages, the prefix will
 be set automatically to the installed location by
 .Xr pkg_add 1 .
+.It Fl P
+Preserve (possible) shared library files that end with the
+.Dq .so ,
+.Dq .so.X ,
+or
+.Dq .so.X.Y
+suffix.  This is useful when you suspect that you still have some
+binaries that depend on the shared library being deleted.
 .It Fl d
 Remove empty directories created by file cleanup.  By default, only
 files/directories explicitly listed in a package's contents (either as
Index: lib/lib.h
===================================================================
RCS file: /home/ncvs/src/usr.sbin/pkg_install/lib/lib.h,v
retrieving revision 1.37
diff -u -r1.37 lib.h
--- lib/lib.h	2001/08/13 04:18:30	1.37
+++ lib/lib.h	2001/08/13 15:21:51
@@ -171,7 +171,7 @@
 void		write_plist(Package *, FILE *);
 void		read_plist(Package *, FILE *);
 int		plist_cmd(char *, char **);
-int		delete_package(Boolean, Boolean, Package *);
+int		delete_package(Boolean, Boolean, Boolean, Package *);
 Boolean		make_preserve_name(char *, int, char *, char *);
 
 /* For all */
Index: lib/plist.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/pkg_install/lib/plist.c,v
retrieving revision 1.34
diff -u -r1.34 plist.c
--- lib/plist.c	2001/08/02 12:38:29	1.34
+++ lib/plist.c	2001/08/16 09:06:09
@@ -26,6 +26,7 @@
 #include "lib.h"
 #include
 #include
+#include
 
 /* Add an item to a packing list */
 void
@@ -346,13 +347,28 @@
 }
 
 /*
+ * Check if the given filename looks like a shared library.
+ */
+static Boolean
+is_shlib(const char *filename) {
+    regex_t reg;
+    Boolean ret;
+
+    if (regcomp(&reg, "[^/]\\.so(\\.[[:digit:]]+)*$", REG_EXTENDED) != 0)
+	return (FALSE);
+    ret = regexec(&reg, filename, 0, NULL, 0) == 0;
+    regfree(&reg);
+    return (ret);
+}
+
+/*
  * Delete the results of a package installation.
  *
  * This is here rather than in the pkg_delete code because pkg_add needs to
  * run it too in cases of failure.
  */
 int
-delete_package(Boolean ign_err, Boolean nukedirs, Package *pkg)
+delete_package(Boolean ign_err, Boolean nukedirs, Boolean preserve_shlib, Package *pkg)
 {
     PackingList p;
     char *Where = ".", *last_file = "";
@@ -389,7 +405,12 @@
 	case PLIST_FILE:
 	    last_file = p->name;
-	    sprintf(tmp, "%s/%s", Where, p->name);
+	    sprintf(tmp, "%s/%s", Where, last_file);
+	    if (preserve_shlib && is_shlib(last_file)) {
+		if (Verbose)
+		    printf("Preserve shared library file %s\n", tmp);
+		continue;
+	    }
 	    if (isdir(tmp) && fexists(tmp) && !issymlink(tmp)) {
 		warnx("cannot delete specified file '%s' - it is a directory!\n"
 		"this packing list is incorrect - ignoring delete request", tmp);

From owner-freebsd-audit Thu Aug 16 2:49:14 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from mimer.webgiro.com (mailer2.webgiro.com [213.162.131.18]) by hub.freebsd.org (Postfix) with ESMTP id 8D78337B4CF; Thu, 16 Aug 2001 02:48:59 -0700 (PDT) (envelope-from ab
ial@webgiro.com)
Received: from webgiro.com (mailer2.webgiro.com [213.162.131.18]) by mimer.webgiro.com (Postfix) with ESMTP id 3C4C368534; Thu, 16 Aug 2001 11:48:49 +0200 (CEST)
Message-ID: <3B7B9643.9CA874D9@webgiro.com>
Date: Thu, 16 Aug 2001 11:45:40 +0200
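Review bot: in the lib/plist.c hunk that adds is_shlib(), the regular expression is compiled with regcomp() and released with regfree() once per PLIST_FILE entry, so a package with thousands of files recompiles the same pattern thousands of times; compile it once (a static regex_t initialised on first use, or compiled in delete_package() before the loop) and reuse it. When regcomp() fails the function returns FALSE silently, which turns -P into a no-op and deletes the very library the user asked to keep; warn there instead. The pattern "[^/]\\.so(\\.[[:digit:]]+)*$" also accepts any number of numeric components, which is wider than the .so, .so.X and .so.X.Y forms the manual page hunk documents, so either tighten the pattern or describe the actual behaviour.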
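Review bot: in the PLIST_FILE hunk, the `continue` taken when `preserve_shlib && is_shlib(last_file)` skips the unlink but records nothing, so the preserved file is left on disk with no package claiming it and the user gets no list of what was kept; printing the "Preserve shared library file" line unconditionally rather than only under Verbose would at least tell them. The branch also sits above the isdir()/fexists() test, so a packing-list entry whose name matches the pattern but is really a directory is now preserved without the existing "it is a directory" warning. The change from `Where, p->name` to `Where, last_file` in the sprintf() is behaviour-neutral, since last_file was assigned from p->name on the line above.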
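Review bot: the new `.It Fl P` entry in pkg_delete.1 should state that preserved files stay on disk but are no longer recorded in any package's packing list, since that is the consequence the user has to manage afterwards; it should also say that matching is by file name (anything ending in .so or .so followed by numeric components) rather than by inspecting the file, which is what "(possible) shared library files" is trying to express.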
From: Andrzej Bialecki
Organization: WebGiro AB
X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Peter Pentchev
Cc: arch@FreeBSD.org, audit@FreeBSD.org
Subject: Re: sysctl_register_oid() breakage at unload [PATCH]
References: <20010811233452.A510@ringworld.oblivion.bg>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Peter Pentchev wrote:
>
> Hi,
>
> Well, it seems that I broke things with the panic at attempts to
> register oid's higher than the first dynamic oid. Specifically,
> this broke the case of unregistering sysctl's, esp. at module unload.
> The algorithm described in the sysctl_ctx_free(9) manpage is indeed
> so very weird (I won't go so far as calling it 'stupid', because
> I cannot really suggest any way to improve it right now).

I hear you :-) Actually, I agree with your statement - the current
algorithm is a brute force approach. The "proper" way to do it would be
to keep a ref count - however, at the time I implemented this I ran out
of time. Feel free to finish it.

Also, IMHO the border between static and dynamic sysctls should be a
much higher number (say, 32767).

> So, if a sysctl context is freed, most of the time the first pass
> of freeing will fail, and sysctl_ctx_free() will attempt to reregister
> the sysctls with the same oid's; this, of course, causes a panic,
> because sysctl_register_oid() does not like so high a "static" oid :(
>
> I just noticed that on my -stable laptop, when I tried to MFC
> the patch - my sound driver is only available as a module, and
> the kernel panicked at shutdown after attempting to unload it.
> For various reasons I cannot run -current on this laptop (not least
> because this is the machine I'm using for developing an application
> that is supposed to run under -stable), and my -current box did not
> really have any need for loadable modules, so that's how this slipped
> in unnoticed :(
>
> So here's a proposed fix: add a "this is actually a re-registering,
> stay cool" flag to sysctl_register_oid(), and update all the calls
> to it that I could find under src/sys. This flag needs only be set
> in sysctl_ctx_free(), all the other callers put a 0.

...having in mind that this is just a bandaid around a suboptimal
design. Well, come to that, I'm not sure if we should further uglify
the code with this patch... It really should use ref counts instead.
Depending on my daytime job, I may try to fix it - otherwise feel free
to do it yourself.

--
Andrzej

// ----------------------------------------------------------------
// Andrzej Bialecki , Chief System Architect
// WebGiro AB, Sweden (http://www.webgiro.com)
// ----------------------------------------------------------------
// FreeBSD developer (http://www.freebsd.org)

From owner-freebsd-audit Fri Aug 17 0:22:20 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from peter3.wemm.org (c1315225-a.plstn1.sfba.home.com [24.14.150.180]) by hub.freebsd.org (Postfix) with ESMTP id 41D5237B405; Fri, 17 Aug 2001 00:21:49 -0700 (PDT) (envelope-from peter@wemm.org)
Received: from overcee.netplex.com.au (overcee.wemm.org [10.0.0.3]) by peter3.wemm.org (8.11.0/8.11.0) with ESMTP id f7H7LnM51364; Fri, 17 Aug 2001 00:21:49 -0700 (PDT) (envelope-from peter@wemm.org)
Received: from wemm.org (localhost [127.0.0.1]) by overcee.netplex.com.au (Postfix) with ESMTP id 0BCD63811; Fri, 17 Aug 2001 00:21:49 -0700 (PDT) (envelope-from peter@wemm.org)
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
To: Mitsuru IWASAKI
Cc: arch@FreeBSD.ORG, audit@FreeBSD.ORG, kumabu@t3.rim.or.jp
Subject: Re: CFR: Timing to enable CR4.PGE bit
In-Reply-To: <20010809035801V.iwasaki@jp.FreeBSD.org>
Date: Fri, 17 Aug 2001 00:21:49 -0700
From: Peter Wemm
Message-Id: <20010817072149.0BCD63811@overcee.netplex.com.au>

Mitsuru IWASAKI wrote:
> Hi, I've found a report in Japanese mailing list that CR4.PGE seems to
> be enabled before CR0.PG in locore.s. This was originally reported by
> Kumabuchi-san (Thanks!).
>
> According to developer's manual from Intel site,
> ftp://download.intel.com/design/PentiumII/manuals/24319202.pdf
> ----
> 2.5. CONTROL REGISTERS
> [snip]
> PGE
> (2-17)
> Page Global Enable (bit 7 of CR4). (Introduced in the P6 family
> processors.) Enables the global page feature when set; disables the
> global page feature when clear. [snip] In addition, the bit must not
>                                                     ^^^^^^^^^^^^^^^^
> be enabled before paging is enabled via CR0.PG. Program correctness
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> may be affected by reversing this sequence, and processor performance
> will be impacted.
> ----
>
> Currently, we enable CR4.PGE bit in create_pagetables, then enable
> CR0.PG in locore.s. This seems to violate Intel's note.
>
> I've made patches for this, moving CR4.PGE enabling code to just
> before calling init386().
>
> Index: locore.s
> ===================================================================
> RCS file: /home/ncvs/src/sys/i386/i386/locore.s,v
> retrieving revision 1.144
> diff -u -r1.144 locore.s
> --- locore.s	2001/07/12 06:32:50	1.144
> +++ locore.s	2001/08/08 17:49:28
> @@ -374,6 +374,12 @@
>  	movl	IdlePTD,%esi
>  	movl	%esi,PCB_CR3(%eax)
>
> +	testl	$CPUID_PGE, R(cpu_feature)
> +	jz	1f
> +	movl	%cr4, %eax
> +	orl	$CR4_PGE, %eax
> +	movl	%eax, %cr4
> +1:
>  	pushl	physfree			/* value of first for init386(first) */
>  	call	init386				/* wire 386 chip for unix operation */
>
> @@ -718,13 +724,6 @@
>   */
>
>  create_pagetables:
> -
> -	testl	$CPUID_PGE, R(cpu_feature)
> -	jz	1f
> -	movl	%cr4, %eax
> -	orl	$CR4_PGE, %eax
> -	movl	%eax, %cr4
> -1:
>
>  /* Find end of kernel image (rounded up to a page boundary). */
>  	movl	$R(_end),%esi

This part is fine.  However:

> Also I have another thing to be confirmed. Should we utilize TLB by
> enabling PGE bit at very later stage? I think it would be more
> efficient to cache page entries with G flag in multi-user environment,
> not in kernel bootstrap. If we enable PGE bit in locore.s, TLB could
> be occupied by entries which is referenced by initialization code
> (yes, most of them are executed only once).
> # but I could be wrong...

The G bit does not "lock" the TLB entries in. All it does is stop
unnecessary flushes when %cr3 is changed. If entries are not used for a
short while, they will be recycled when the TLB slot is needed for
something else soon enough. ie: this should not be a problem.

> Anyway, patch for this is attached here.

Regardless of my doubts above, I do have a problem with the patch... It
only works for the PPro/p2/p3 and not the p4. Is this intentional? All
have the CPUID_PGE bit. I think the test for cpu_id & 0x600 is bogus and
should be removed.

> Thanks.
>
> Index: initcpu.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/i386/i386/initcpu.c,v
> retrieving revision 1.29
> diff -u -r1.29 initcpu.c
> --- initcpu.c	2001/07/13 11:23:06	1.29
> +++ initcpu.c	2001/08/08 15:35:51
> @@ -847,3 +847,23 @@
>  	printf("CR0=%x\n", cr0);
>  }
>  #endif /* DDB */
> +
> +/*
> + * Enable CR4.PGE after kernel bootstrap.
> + */
> +
> +static void
> +enable_i686_pge(void *unused)
> +{
> +
> +	if ((cpu_feature & CPUID_PGE) &&
> +	    (cpu_id & 0xf00) == 0x600) {
> +		load_cr4(rcr4() | CR4_PGE);
> +		if (bootverbose) {
> +			printf("P6 family processor PGE on\n");
> +		}
> +	}
> +}
> +
> +SYSINIT(initcpu, SI_SUB_RUN_SCHEDULER, SI_ORDER_FIRST, enable_i686_pge, NULL )
> +
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-arch" in the body of the message
>
>

Cheers,
-Peter
--
Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au
"All of this is for nothing if we don't go to the stars" - JMS/B5

From owner-freebsd-audit Fri Aug 17 6:25:51 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id AEDDE37B403; Fri, 17 Aug 2001 06:25:43 -0700 (PDT) (envelope-from arr@watson.org)
Received: from localhost (arr@localhost) by fledge.watson.org (8.11.5/8.11.5) with SMTP id f7HDPhZ07792; Fri, 17 Aug 2001 09:25:43 -0400 (EDT) (envelope-from arr@watson.org)
Date: Fri, 17 Aug 2001 09:25:42 -0400 (EDT)
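Review bot: in the initcpu.c hunk, the condition `(cpu_id & 0xf00) == 0x600` in enable_i686_pge() limits the change to family 6, so a Pentium 4 (family 0xF) that advertises CPUID_PGE never gets CR4.PGE set; this is the regression Peter describes above, and the CPUID_PGE feature flag already identifies every processor that implements the bit, so drop the family comparison and keep only `cpu_feature & CPUID_PGE`. The "P6 family processor PGE on" message should then stop naming the family. The `void *unused` parameter is normal SYSINIT boilerplate, but the blank line after the opening brace and the space before the closing parenthesis in `NULL )` are style nits worth fixing before commit.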
From: "Andrew R. Reiter"
To: audit@freebsd.org, security@freebsd.org
Subject: login_cap
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hey,

I'm wondering if there's any real interest for patches to be made for
some services so that they do login class, etc. authentication? Such an
example would be for atrun.c in libexec/atrun/. In my opinion, it is
probably worth doing and getting committed, but if no one would commit
the patches, I don't see a point in doing them :-)

btw, if you're unfamiliar with login caps, check out login_cap(3) and
login_class(3).

Andrew

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
|    to undertake the analysis of the obvious" -- A.N. Whitehead

From owner-freebsd-audit Fri Aug 17 6:48:42 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 48A0B37B405 for ; Fri, 17 Aug 2001 06:48:38 -0700 (PDT) (envelope-from arr@watson.org)
Received: from localhost (arr@localhost) by fledge.watson.org (8.11.5/8.11.5) with SMTP id f7HDmbx07970 for ; Fri, 17 Aug 2001 09:48:37 -0400 (EDT) (envelope-from arr@watson.org)
Date: Fri, 17 Aug 2001 09:48:37 -0400 (EDT)
From: "Andrew R. Reiter"
To: audit@freebsd.org
Subject: rshd.c diff [openbsd updates]
Message-ID:
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="0-814884151-998056117=:7968"

hi,

Patch for moving strncpy's to strlcpy's is attached... And can also be
found at:

http://www.watson.org/fbsd-audit/libexec/rshd/rshd.c.08172001.diff

...more openbsd->fbsd patches... hehe exciting ;-)

andrew

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
|    to undertake the analysis of the obvious" -- A.N. Whitehead

Content-Type: TEXT/PLAIN; charset=US-ASCII; name="rshd.c.08172001.diff"

--- rshd.c.orig	Fri Aug 17 15:41:16 2001
+++ rshd.c	Fri Aug 17 15:45:09 2001
@@ -403,8 +403,7 @@
 	retcode = pam_authenticate(pamh, 0);
 	if (retcode == PAM_SUCCESS) {
 		if ((retcode = pam_get_item(pamh, PAM_USER, (const void **) &cp)) == PAM_SUCCESS) {
-			strncpy(locuser, cp, sizeof(locuser));
-			locuser[sizeof(locuser) - 1] = '\0';
+			strlcpy(locuser, cp, sizeof(locuser)-1);
 		} else
 			syslog(LOG_ERR|LOG_AUTH, "pam_get_item(PAM_USER): %s",
 			       pam_strerror(pamh, retcode));
@@ -466,9 +465,7 @@
 	if (lc != NULL && fromp->su_family == AF_INET) {	/*XXX*/
 		char	remote_ip[MAXHOSTNAMELEN];
 
-		strncpy(remote_ip, numericname,
-			sizeof(remote_ip) - 1);
-		remote_ip[sizeof(remote_ip) - 1] = 0;
+		strlcpy(remote_ip, numericname, sizeof(remote_ip) - 1);
 		if (!auth_hostok(lc, fromhost, remote_ip)) {
 			syslog(LOG_INFO|LOG_AUTH,
			    "%s@%s as %s: permission denied (%s). cmd='%.80s'",

From owner-freebsd-audit Fri Aug 17 16:57:37 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from coffee.q9media.com (coffee.q9media.com [216.94.229.19]) by hub.freebsd.org (Postfix) with ESMTP id 6EC6E37B406 for ; Fri, 17 Aug 2001 16:57:27 -0700 (PDT) (envelope-from mike@coffee.q9media.com)
Received: (from mike@localhost) by coffee.q9media.com (8.11.2/8.11.3) id f7I0JDL42869; Fri, 17 Aug 2001
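Review bot: in the first hunk (@@ -403), `strlcpy(locuser, cp, sizeof(locuser)-1)` should pass `sizeof(locuser)`: strlcpy() takes the full destination size and always leaves room for the terminator itself, so the `- 1` (inherited from the strncpy idiom being replaced) throws away one usable byte for no benefit. The return value is also discarded; strlcpy() returns strlen(src), so `>= sizeof(locuser)` is the one-line check that the PAM user name was truncated, and a truncated account name is something rshd should refuse rather than look up.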
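Review bot: in the second hunk (@@ -466), the same `sizeof(remote_ip) - 1` appears in the remote_ip copy; the old code's `- 1` was correct for strncpy() because the terminator was stored separately on the following line, but with strlcpy() it is simply one byte short, so pass sizeof(remote_ip) and, as with locuser, check the return value for truncation of the address string before it is handed to auth_hostok().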
20:19:13 -0400 (EDT) (envelope-from mike)
Date: Fri, 17 Aug 2001 20:19:13 -0400
From: Mike Barcroft
To: "Andrew R. Reiter"
Cc: audit@FreeBSD.org
Subject: Re: rshd.c diff [openbsd updates]
Message-ID: <20010817201913.A42780@coffee.q9media.com>
Mail-Followup-To: Mike Barcroft , "Andrew R. Reiter" , audit@FreeBSD.org
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from arr@watson.org on Fri, Aug 17, 2001 at 09:48:37AM -0400
Organization: The FreeBSD Project

On Fri, Aug 17, 2001 at 09:48:37AM -0400, Andrew R. Reiter wrote:
> Patch for moving strncpy's to strlcpy's is attached... And can also be
> found at:
>
> http://www.watson.org/fbsd-audit/libexec/rshd/rshd.c.08172001.diff
[...]
> -			strncpy(locuser, cp, sizeof(locuser));
> -			locuser[sizeof(locuser) - 1] = '\0';
> +			strlcpy(locuser, cp, sizeof(locuser)-1);
[...]

Why are you removing an extra character here? Also, it might be useful
to check the return value of strlcpy(3) and error out. I haven't
actually looked at the code, so I'm not sure.

Best regards,
Mike Barcroft

From owner-freebsd-audit Sat Aug 18 19: 3:45 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-7.dsl.lsan03.pacbell.net [63.207.60.7]) by hub.freebsd.org (Postfix) with ESMTP id 24AEE37B405 for ; Sat, 18 Aug 2001 19:03:41 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 286B566D3E; Sat, 18 Aug 2001 19:03:40 -0700 (PDT)
Date: Sat, 18 Aug 2001 19:03:40 -0700
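Mike's two questions about the rshd patch (the `- 1` and the unchecked return value) both come down to what strlcpy(3) promises. The C block below is an added illustration, not code from the rshd patch or from FreeBSD's libc: xstrlcpy is a local re-implementation of the strlcpy contract (renamed so it cannot collide with a system strlcpy), locuser is an 8-byte constructed stand-in for rshd's buffer, and copy_locuser_minus_one and copy_locuser are hypothetical helpers that put the patch's `sizeof(locuser) - 1` form beside the full-size form with the truncation check Mike suggests.

```c
#include <stddef.h>
#include <string.h>

/*
 * Local copy of the strlcpy(3) contract, named xstrlcpy so it does not
 * collide with a libc that already provides strlcpy: copy at most
 * size - 1 bytes, always NUL-terminate when size > 0, and return
 * strlen(src) so that a result >= size means the copy was truncated.
 */
size_t
xstrlcpy(char *dst, const char *src, size_t size)
{
	size_t srclen = strlen(src);

	if (size != 0) {
		size_t n = srclen < size - 1 ? srclen : size - 1;

		memcpy(dst, src, n);
		dst[n] = '\0';
	}
	return (srclen);
}

/* Constructed stand-in for rshd's locuser[] buffer, deliberately tiny. */
enum { LOCUSER_SIZE = 8 };
static char locuser[LOCUSER_SIZE];

/*
 * The form in the posted patch: sizeof(locuser) - 1 tells strlcpy the
 * buffer is one byte smaller than it really is, so a 7-character name
 * that would fit is cut to 6.  Returns 1 when the name was truncated.
 */
int
copy_locuser_minus_one(const char *name)
{
	return (xstrlcpy(locuser, name, sizeof(locuser) - 1) >= sizeof(locuser) - 1);
}

/*
 * The idiomatic form: hand strlcpy the whole buffer and compare the
 * returned source length against it, which is the "error out" check
 * Mike asks about.  Returns 1 when the name was truncated.
 */
int
copy_locuser(const char *name)
{
	return (xstrlcpy(locuser, name, sizeof(locuser)) >= sizeof(locuser));
}

/* What the buffer holds after the most recent copy. */
const char *
locuser_value(void)
{
	return (locuser);
}
```

With an 8-byte buffer, copy_locuser("abcdefg") fits exactly and reports no truncation, while copy_locuser_minus_one("abcdefg") stores only "abcdef" and reports truncation; copy_locuser("abcdefgh") stores "abcdefg" and reports truncation, which is the case a caller should treat as an error rather than continue with a shortened user name.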
From: Kris Kennaway
To: audit@FreeBSD.org
Subject: [art@cvs.openbsd.org: CVS: cvs.openbsd.org: src]
Message-ID: <20010818190339.A76832@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="jRHKVT23PllUwdXP"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i

Anyone up for porting this?

Kris

----- Forwarded message from Artur Grabowski -----

Delivered-To: kkenn@localhost.obsecurity.org
Delivered-To: kris@freebsd.org
Date: Fri, 17 Aug 2001 21:32:16 -0600 (MDT)
From: Artur Grabowski
To: source-changes@cvs.openbsd.org
Subject: CVS: cvs.openbsd.org: src
Precedence: bulk
Reply-To: Artur Grabowski
X-Loop: source-changes@openbsd.org
X-UIDL: 2307983f1074b8429d691305aa7c6c5c

CVSROOT:	/cvs
Module name:	src
Changes by:	art@cvs.openbsd.org	2001/08/17 21:32:16

Modified files:
	sys/kern       : kern_exec.c kern_sysctl.c
	sys/sys        : sysctl.h
	lib/libc/gen   : sysctl.3
	sbin/sysctl    : sysctl.8

Log message:
Add a possibility to add a random offset to the stack on exec.
This makes it slightly harder to write generic buffer overflows.
This doesn't really give any real security, but it raises the bar for
script-kiddies and it's really cheap.

The range of the random offsets is controlled by the sysctl
kern.stackgap_random (must be a power of 2).

This is disabled by default right now, but we'll set it to a reasonable value
(1024?) soon, after some more testing.

----- End forwarded message -----

From owner-freebsd-audit Sat Aug 18 22:13: 8 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-7.dsl.lsan03.pacbell.net [63.207.60.7]) by hub.freebsd.org (Postfix) with ESMTP id 86F2F37B406 for ; Sat, 18 Aug 2001 22:12:59 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id BC39C66D3E; Sat, 18 Aug 2001 22:12:58 -0700 (PDT)
Date: Sat, 18 Aug 2001 22:12:58 -0700
From: Kris Kennaway
To: audit@FreeBSD.org
Subject: Checking issetugid() with getenv() in libraries
Message-ID: <20010818221258.A79194@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="cNdxnHkX5QqsyA0e"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i

There were a number of places where library routines blindly use
getenv() in ways which may be insecure if called from setugid code.
Please review the following.

I also changed the uthread_info.c to respect TMPDIR if !issetugid()
instead of dumping to /tmp always.

Kris

Index: libc/db/test/dbtest.c
===================================================================
RCS file: /mnt/ncvs/src/lib/libc/db/test/dbtest.c,v
retrieving revision 1.4
diff -u -r1.4 dbtest.c
--- libc/db/test/dbtest.c	2000/08/04 10:50:21	1.4
+++ libc/db/test/dbtest.c	2001/08/19 04:25:47
@@ -155,7 +155,8 @@
 	 * want it around, and it often screws up tests.
 	 */
 	if (fname == NULL) {
-		p = getenv("TMPDIR");
+		if (issetugid() == 0)
+			p = getenv("TMPDIR");
 		if (p == NULL)
 			p = "/var/tmp";
 		(void)snprintf(buf, sizeof(buf), "%s/__dbtest", p);
Index: libc/gen/exec.c
===================================================================
RCS file: /mnt/ncvs/src/lib/libc/gen/exec.c,v
retrieving revision 1.16
diff -u -r1.16 exec.c
--- libc/gen/exec.c	2001/01/24 12:59:21	1.16
+++ libc/gen/exec.c	2001/08/19 04:25:23
@@ -224,7 +224,7 @@
 	}
 
 	/* Get the path we're searching. */
-	if (!(path = getenv("PATH")))
+	if (issetugid() != 0 || !(path = getenv("PATH")))
 		path = _PATH_DEFPATH;
 	cur = alloca(strlen(path) + 1);
 	if (cur == NULL) {
Index: libc/rpc/getnetpath.c
===================================================================
RCS file: /mnt/ncvs/src/lib/libc/rpc/getnetpath.c,v
retrieving revision 1.1
diff -u -r1.1 getnetpath.c
--- libc/rpc/getnetpath.c	2001/03/19 12:49:51	1.1
+++ libc/rpc/getnetpath.c	2001/08/19 04:35:18
@@ -105,7 +105,7 @@
 	}
 	np_sessionp->valid = NP_VALID;
 	np_sessionp->ncp_list = NULL;
-	if ((npp = getenv(NETPATH)) == NULL) {
+	if (issetugid() != 0 || (npp = getenv(NETPATH)) == NULL) {
 		np_sessionp->netpath = NULL;
 	} else {
 		(void) endnetconfig(np_sessionp->nc_handlep);/* won't need nc session*/
Index: libc/stdio/tmpfile.c
===================================================================
RCS file: /mnt/ncvs/src/lib/libc/stdio/tmpfile.c,v
retrieving revision 1.6
diff -u -r1.6 tmpfile.c
--- libc/stdio/tmpfile.c	2001/07/07 04:08:32	1.6
+++ libc/stdio/tmpfile.c	2001/08/19 04:19:53
@@ -61,7 +61,8 @@
 	char *buf;
 	const char *tmpdir;
 
-	tmpdir = getenv("TMPDIR");
+	if (issetugid() == 0)
+		tmpdir = getenv("TMPDIR");
 	if (tmpdir == NULL)
 		tmpdir = _PATH_TMP;
 
Index: libc_r/uthread/uthread_info.c
===================================================================
RCS file: /mnt/ncvs/src/lib/libc_r/uthread/uthread_info.c,v
retrieving revision 1.19
diff -u -r1.19 uthread_info.c
--- libc_r/uthread/uthread_info.c	2001/04/10 04:19:20	1.19
+++ libc_r/uthread/uthread_info.c	2001/05/28 22:08:44
@@ -31,13 +31,14 @@
  *
  * $FreeBSD: src/lib/libc_r/uthread/uthread_info.c,v 1.19 2001/04/10 04:19:20 deischen Exp $
  */
+#include
+#include
 #include
 #include
-#include
 #include
-#include
+#include
 #include
-#include
+#include
 #include "pthread_private.h"
 
 #ifndef NELEMENTS
@@ -85,15 +86,21 @@
 	int fd;
 	int i;
 	pthread_t pthread;
-	char tmpfile[128];
+	char *tmpdir;
+	char tmpfile[PATH_MAX];
 	pq_list_t *pq_list;
 
+	tmpdir = NULL;
+	if (issetugid() == 0)
+		tmpdir = getenv("TMPDIR");
+	if (tmpdir == NULL)
+		tmpdir = _PATH_TMP;
 	for (i = 0; i < 100000; i++) {
-		snprintf(tmpfile, sizeof(tmpfile), "/tmp/uthread.dump.%u.%i",
-		    getpid(), i);
+		snprintf(tmpfile, sizeof(tmpfile), "%s/uthread.dump.%u.%i",
+		    tmpdir, getpid(), i);
 		/* Open the dump file for append and create it if necessary: */
 		if ((fd = __sys_open(tmpfile, O_RDWR | O_CREAT | O_EXCL,
-		    0666)) < 0) {
+		    0644)) < 0) {
 			/* Can't open the dump file. */
 			if (errno == EEXIST)
 				continue;
Index: libcompat/4.3/rexec.c
===================================================================
RCS file: /mnt/ncvs/src/lib/libcompat/4.3/rexec.c,v
retrieving revision 1.6
diff -u -r1.6 rexec.c
--- libcompat/4.3/rexec.c	2000/08/04 11:15:48	1.6
+++ libcompat/4.3/rexec.c	2001/08/19 04:54:58
@@ -145,6 +145,8 @@
 	int t, i, c, usedefault = 0;
 	struct stat stb;
 
+	if (issetugid() != 0)
+		return (0);	/* Don't read .netrc */
 	hdir = getenv("HOME");
 	if (hdir == NULL)
 		hdir = ".";
Index: libncp/ncpl_rcfile.c
===================================================================
RCS file: /mnt/ncvs/src/lib/libncp/ncpl_rcfile.c,v
retrieving revision 1.3
diff -u -r1.3 ncpl_rcfile.c
--- libncp/ncpl_rcfile.c	2000/05/26 02:00:20	1.3
+++ libncp/ncpl_rcfile.c	2001/08/19 04:52:39
@@ -390,7 +390,8 @@
 	char *home, *fn;
 	int error;
 
-	home = getenv("HOME");
+	if (issetugid() == 0)
+		home = getenv("HOME");
 	if (home) {
 		fn = malloc(strlen(home) + 20);
 		sprintf(fn, "%s/.nwfsrc", home);
Index: libss/pager.c
===================================================================
RCS file: /mnt/ncvs/src/lib/libss/pager.c,v
retrieving revision 1.5
diff -u -r1.5 pager.c
--- libss/pager.c	2000/12/09 09:35:33	1.5
+++ libss/pager.c	2001/08/19 04:56:47
@@ -81,7 +81,7 @@
 	sigsetmask(mask);
     }
     if (_ss_pager_name == (char *)NULL) {
-	if ((_ss_pager_name = getenv("PAGER")) == (char *)NULL)
+	if (issetugid() !=0 || (_ss_pager_name = getenv("PAGER")) == (char *)NULL)
 	    _ss_pager_name = MORE;
     }
     (void) execlp(_ss_pager_name, _ss_pager_name, (char *) NULL);

From owner-freebsd-audit Sat Aug 18 22:28:50 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-7.dsl.lsan03.pacbell.net [63.207.60.7]) by hub.freebsd.org (Postfix) with ESMTP id F40D337B405 for ; Sat, 18 Aug 2001 22:28:46 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 6814366D3E; Sat, 18 Aug 2001 22:28:46 -0700 (PDT)
Date: Sat, 18 Aug 2001 22:28:46 -0700
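Review bot: in the libc/stdio/tmpfile.c hunk, `tmpdir` is declared without an initializer (`const char *tmpdir;` is in the context lines) and after the change it is assigned only when issetugid() == 0, so in a setugid process `if (tmpdir == NULL)` reads an uninitialized pointer and the temporary file path can be built from garbage. Initialize it (`const char *tmpdir = NULL;`) the way the uthread_info.c hunk does with its explicit `tmpdir = NULL;`, or write the test as `if (issetugid() != 0 || (tmpdir = getenv("TMPDIR")) == NULL)` like the exec.c hunk.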
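Review bot: in the libncp/ncpl_rcfile.c hunk, `home` has the same problem: `char *home, *fn;` is uninitialized, and `if (home)` now runs without any assignment whenever issetugid() != 0, so the setugid path may hand a stale pointer to the strlen()/sprintf() below. Either initialize home to NULL or fold the issetugid() test into the condition as the exec.c and getnetpath.c hunks do.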
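Review bot: in the libc/db/test/dbtest.c hunk, `p` is assigned only when issetugid() == 0 and then tested with `if (p == NULL)`; its declaration is outside the hunk, so unless it is initialized to NULL there, the setugid case has the same uninitialized-pointer read as tmpfile.c. Worth confirming before commit.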
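Every hunk in the patch applies one rule: consult an environment variable only when issetugid() says the process has not gained privilege from a set-user-ID or set-group-ID exec, and otherwise behave as if the variable were unset. The C block below is an added example, not code from the patch or from libc: it factors that rule into one helper, env_or_default, whose setugid decision is a parameter so both paths can be exercised in a test; process_is_setugid, safe_tmpdir and safe_search_path are hypothetical names, and the Linux branch uses getauxval(AT_SECURE) as a stand-in for BSD's issetugid(2). It goes slightly beyond the hunks in two ways: it treats an empty value as unset, and it initialises the result before the test, the detail that matters when the variable is never consulted.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#if defined(__linux__)
#include <sys/auxv.h>	/* getauxval(AT_SECURE): Linux equivalent of issetugid() */
#endif

/*
 * Did this process gain privilege from a set-user-ID or set-group-ID
 * exec?  BSD answers with issetugid(2); Linux exposes the same fact as
 * AT_SECURE in the auxiliary vector.  (Hypothetical helper name.)
 */
static int
process_is_setugid(void)
{
#if defined(__linux__)
	return (getauxval(AT_SECURE) != 0);
#else
	return (issetugid() != 0);
#endif
}

/*
 * Return the value of the environment variable `name`, or `fallback`
 * when the process is setugid, the variable is unset, or it is empty.
 * The setugid decision is passed in rather than computed here so the
 * privileged path can be tested without actually running setuid.
 */
const char *
env_or_default(int setugid, const char *name, const char *fallback)
{
	const char *value = NULL;	/* initialised: the setugid path never assigns it */

	if (!setugid)
		value = getenv(name);
	if (value == NULL || value[0] == '\0')
		value = fallback;
	return (value);
}

/* The selection made by the tmpfile.c and uthread_info.c hunks. */
const char *
safe_tmpdir(void)
{
	return (env_or_default(process_is_setugid(), "TMPDIR", "/tmp"));
}

/* The selection made by the exec.c hunk: PATH falls back to a fixed list. */
const char *
safe_search_path(void)
{
	return (env_or_default(process_is_setugid(), "PATH", "/usr/bin:/bin"));
}
```

The point of passing the flag in is that the dangerous branch, the one where the variable is deliberately ignored, is the branch a normal test run never takes; with the decision as a parameter it can be asserted on directly, and the production wrappers simply bind it to process_is_setugid().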
From: Kris Kennaway
To: Kris Kennaway
Cc: audit@FreeBSD.org
Subject: Re: Checking issetugid() with getenv() in libraries
Message-ID: <20010818222846.B79436@xor.obsecurity.org>
References: <20010818221258.A79194@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="SkvwRMAIpAhPCcCJ"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010818221258.A79194@xor.obsecurity.org>; from kris@obsecurity.org on Sat, Aug 18, 2001 at 10:12:58PM -0700

On Sat, Aug 18, 2001 at 10:12:58PM -0700, Kris Kennaway wrote:
> There were a number of places where library routines blindly use
> getenv() in ways which may be insecure if called from setugid code.
> Please review the following.
>
> I also changed the uthread_info.c to respect TMPDIR if !issetugid()
> instead of dumping to /tmp always.

Another one:

Index: ./libdialog/rc.c
===================================================================
RCS file: /mnt/ncvs/src/gnu/lib/libdialog/rc.c,v
retrieving revision 1.2
diff -u -r1.2 rc.c
--- ./libdialog/rc.c	1994/10/20 21:56:43	1.2
+++ ./libdialog/rc.c	2001/08/19 05:27:47
@@ -103,12 +103,12 @@
  *
  */
 
-    if ((tempptr = getenv("DIALOGRC")) != NULL)
+    if (issetugid() == 0 && (tempptr = getenv("DIALOGRC")) != NULL)
 	rc_file = fopen(tempptr, "rt");
 
     if (tempptr == NULL || rc_file == NULL) {    /* step (a) failed? */
 	/* try step (b) */
-	if ((tempptr = getenv("HOME")) == NULL)
+	if (issetugid() != 0 || (tempptr = getenv("HOME")) == NULL)
 	    return 0;    /* step (b) failed, use default values */
 
 	if (tempptr[0] == '\0' || lastch(tempptr) == '/')

Kris

From owner-freebsd-audit Sat Aug 18 22:32: 7 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-7.dsl.lsan03.pacbell.net [63.207.60.7]) by hub.freebsd.org (Postfix) with ESMTP id C18A437B407 for ; Sat, 18 Aug 2001 22:32:04 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 4E87066FA8; Sat, 18 Aug 2001 22:32:04 -0700 (PDT)
Date: Sat, 18 Aug 2001 22:32:04 -0700
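Review bot: in the libdialog/rc.c hunk, when issetugid() != 0 the first condition short-circuits before `tempptr = getenv("DIALOGRC")` runs, so the following `if (tempptr == NULL || rc_file == NULL)` sees whatever tempptr and rc_file held beforehand; their initialization is outside the hunk, so confirm both start out NULL, otherwise the setugid path can skip step (b) or go on to use an rc_file that was never opened. The second change is fine as written: the leading `issetugid() != 0 ||` makes the HOME lookup return 0 (default values) without touching tempptr.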
From owner-freebsd-audit Sat Aug 18 22:32:07 2001
Date: Sat, 18 Aug 2001 22:32:04 -0700
From: Kris Kennaway
To: Jon Parise
Cc: Kris Kennaway, audit@FreeBSD.org
Subject: Re: Checking issetugid() with getenv() in libraries
Message-ID: <20010818223204.A79607@xor.obsecurity.org>
References: <20010818221258.A79194@xor.obsecurity.org> <20010819012248.B25899@csh.rit.edu>
In-Reply-To: <20010819012248.B25899@csh.rit.edu>; from jon@csh.rit.edu on Sun, Aug 19, 2001 at 01:22:49AM -0400
User-Agent: Mutt/1.2.5i

On Sun, Aug 19, 2001 at 01:22:49AM -0400, Jon Parise wrote:
> On Sat, Aug 18, 2001 at 10:12:58PM -0700, Kris Kennaway wrote:
> 
> > Index: libss/pager.c
> > ===================================================================
> > RCS file: /mnt/ncvs/src/lib/libss/pager.c,v
> > retrieving revision 1.5
> > diff -u -r1.5 pager.c
> > --- libss/pager.c	2000/12/09 09:35:33	1.5
> > +++ libss/pager.c	2001/08/19 04:56:47
> > @@ -81,7 +81,7 @@
> >  		sigsetmask(mask);
> >  	}
> >  	if (_ss_pager_name == (char *)NULL) {
> > -		if ((_ss_pager_name = getenv("PAGER")) == (char *)NULL)
> > +		if (issetugid() !=0 || (_ss_pager_name = getenv("PAGER")) == (char *)NULL)
>                                ^^^
> Missing a space before the zero (i.e. issetugid() != 0).

Oops, thanks.

Kris
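Review bot: apart from the `!=0` spacing Jon flagged, the new line is over 70 characters before any indentation, and it sits at least two block levels deep (inside the function and inside the `if (_ss_pager_name == (char *)NULL) {` block), so once indented it will pass style(9)'s 80-column limit; break it after `||`, e.g. `if (issetugid() != 0 ||` / `    (_ss_pager_name = getenv("PAGER")) == (char *)NULL)`. Because `||` short-circuits, `_ss_pager_name` stays NULL on the setugid path; the branch that handles the true case is not among the quoted lines, so confirm it assigns a fixed default pager rather than leaving the pointer NULL for later use.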
From owner-freebsd-audit Sat Aug 18 23:58:39 2001
Date: Sat, 18 Aug 2001 23:58:33 -0700
From: Kris Kennaway
To: ig25@rz.uni-karlsruhe.de, audit@FreeBSD.org
Subject: at(1) signal handler fix
Message-ID: <20010818235833.A36306@xor.obsecurity.org>
User-Agent: Mutt/1.2.5i

This patch is adapted from OpenBSD... please review.

Kris

Index: at.c
===================================================================
RCS file: /mnt/ncvs/src/usr.bin/at/at.c,v
retrieving revision 1.19
diff -u -r1.19 at.c
--- at.c	2001/07/24 14:15:51	1.19
+++ at.c	2001/08/19 06:58:02
@@ -113,6 +113,7 @@
 char *atinput = (char*)0;	/* where to get input from */
 char atqueue = 0;		/* which queue to examine for jobs (atq) */
 char atverify = 0;		/* verify time instead of queuing job */
+char *namep;
 
 /* Function declarations */
 
@@ -135,14 +136,23 @@
 	PRIV_END
     }
 
-    exit(EXIT_FAILURE);
+    _exit(EXIT_FAILURE);
 }
 
 static void alarmc(int signo)
 {
-/* Time out after some seconds
- */
-    panic("file locking timed out");
+    char buf[1024];
+
+    /* Time out after some seconds. */
+    strlcpy(buf, namep, sizeof(buf));
+    strlcat(buf, ": file locking timed out\n", sizeof(buf));
+    write(STDERR_FILENO, buf, strlen(buf));
+    if (fcreated) {
+	PRIV_START
+	unlink(atfile);
+	PRIV_END
+    }
+    _exit(EXIT_FAILURE);
 }
 
 /* Local functions */
@@ -611,6 +621,8 @@
     else
 	pgm++;
 
+    namep = pgm;
+
     /* find out what this program is supposed to do */
     if (strcmp(pgm, "atq") == 0) {
@@ -695,8 +707,9 @@
      */
 
     if (disp_version)
-	fprintf(stderr, "at version " VERSION "\n"
-	    "Bug reports to: ig25@rz.uni-karlsruhe.de (Thomas Koenig)\n");
+	fprintf(stderr, "%s version " VERSION "\n"
+	    "Bug reports to: ig25@rz.uni-karlsruhe.de (Thomas Koenig)\n",
+	    namep);
 
     /* select our program */
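Review bot: in the new alarmc() body (the -135,14 +136,23 hunk), `strlcpy()` and `strlcat()` are not on the POSIX list of async-signal-safe functions, unlike `write()`, `unlink()` and `_exit()`; they are safe in practice because they neither allocate nor take locks, but the comment should say so, and say that the handler avoids stdio and `exit()` on purpose, so that nobody reintroduces `panic()` or `fprintf()` here later. `write(STDERR_FILENO, buf, strlen(buf))` discards its return value; a `(void)` cast records that a short write is accepted. The `exit()` to `_exit()` change at the top of that hunk is in a function whose name lies outside the hunk; if that function is also reached from ordinary, non-signal code paths, `_exit()` skips `atexit()` handlers and stdio flushing, harmless for unbuffered stderr but worth confirming for anything buffered on stdout.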
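Review bot: `namep = pgm;` (the -611,6 +621,8 hunk) is assigned in main() after argv[0] has been trimmed, but alarmc() hands `namep` to `strlcpy()` unchecked, so a SIGALRM arriving before this assignment would dereference NULL inside the handler. That cannot happen if the alarm is armed only later in the run, but the ordering is an implicit contract between two distant places; either initialise the variable at its definition in the first hunk (`char *namep = "at";`) so the handler is always safe, or add a comment at the assignment noting that alarmc() depends on it.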