Date:      Fri, 19 Apr 2002 12:25:12 +0100
From:      Brian Somers <brian@freebsd-services.com>
To:        Garrett Wollman <wollman@lcs.mit.edu>
Cc:        "J. Mallett" <jmallett@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, brian@freebsd-services.com
Subject:   Re: cvs commit: src/sys/kern kern_descrip.c kern_exec.c src/sys/sys filedesc.h 
Message-ID:  <200204191125.g3JBPCSg072782@hak.lan.Awfulhak.org>
In-Reply-To: Message from Garrett Wollman <wollman@lcs.mit.edu>  of "Fri, 19 Apr 2002 00:14:26 EDT." <200204190414.g3J4EQH69597@khavrinen.lcs.mit.edu> 

> <<On Fri, 19 Apr 2002 03:26:11 +0000, "J. Mallett" <jmallett@FreeBSD.ORG> said:
> 
> > If you know the codepath of a program, you can close a number of file
> > descriptors, and ones specifically for reading or writing, and without fail
> > cause corruption of a file, dump information of your choice into a file,
> > or cause information to be incorrectly read from a file.
> 
> Any privileged process which blindly trusts its file descriptors to
> not be closed is seriously broken.
> 
> It's not clear whether POSIX allows this behavior.  I've submitted an
> aardvark requesting clarification.

I agree with Garrett.  This change is *very* broken.

Warner said:
: 	The setuid program opens up some file that the user wouldn't
: 	otherwise be able to open.  It gets fd 2.  Now after this
: 	point the program does a write to stderr because of some
: 	error.  Often times the user affects the output.  If the setuid
: 	program uses err(), and the file in question is
: 	/etc/master.passwd, one could set argv[0] that looks like a
: 	password line with a uid of 0.  Then the user could change
: 	his/her password and get root.

Agreed, a program that does this is broken, but I believe the program 
needs to be fixed, not the kernel.

Also, you've broken syntax such as ``sh prog 2>&-''.

Garrett said:
: 	fd = open(...)
: 	close(1);
: 	dup(fd);
: 
: and have it work.  (These programs are broken anyway -- the Standard
: does not guarantee any particular order of fd allocation.)

From dup(2):
     Dup() duplicates an existing object descriptor and returns its value to
     the calling process (newd = dup(oldd)).  The argument oldd is a small
     non-negative integer index in the per-process descriptor table.  The
     value must be less than the size of the table, which is returned by
     getdtablesize(2).  The new descriptor returned by the call is the lowest
     numbered descriptor currently not in use by the process.

Even if the standard doesn't guarantee the lowest descriptor, our man 
pages do (as do NetBSD and OpenBSD's).

> -GAWollman

-- 
Brian <brian@freebsd-services.com>                <brian@Awfulhak.org>
      http://www.freebsd-services.com/        <brian@[uk.]FreeBSD.org>
Don't _EVER_ lose your sense of humour !      <brian@[uk.]OpenBSD.org>
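The scenario Warner describes, and the program-side fix Brian argues for, re-enacted in one process. This is an added example, not code from the thread or from FreeBSD: a stand-in "privileged" file is created with mkstemp() in /tmp (assumed writable), fd 2 is closed the way ``prog 2>&-'' would leave it, the program opens its file and later writes an err(3)-style "argv[0]: message" line to fd 2. fill_std_fds() is the hardening: before touching anything sensitive it plugs any closed descriptor among 0, 1 and 2 with /dev/null, relying on exactly the lowest-free-descriptor rule quoted from dup(2) above. The argv[0] string below is constructed to look like a master.passwd line; the file, message text and function names are all assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The fix on the program side: before opening anything sensitive, make sure
 * fds 0, 1 and 2 are open. open(2) returns the lowest free descriptor, so
 * each hole is filled with /dev/null in ascending order. */
static int fill_std_fds(void)
{
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                        /* already open */
        if (errno != EBADF)
            return -1;
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd != fd) {                     /* lower slots are open, so this must be fd */
            if (nfd != -1)
                close(nfd);
            return -1;
        }
    }
    return 0;
}

/* Does the file at path contain needle? 1 = yes, 0 = no, -1 = error. */
static int file_contains(const char *path, const char *needle)
{
    char buf[1024];
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return strstr(buf, needle) != NULL;
}

/* Re-enact the setuid scenario. argv0 is the attacker-controlled string that
 * err(3) prefixes to its message. Returns 1 if that string ended up inside
 * the "privileged" file, 0 if it did not, -1 on a harness error. */
static int run_demo(const char *argv0, int hardened)
{
    char path[] = "/tmp/fd2demoXXXXXX";     /* constructed stand-in for /etc/master.passwd */
    int t = mkstemp(path);
    if (t == -1)
        return -1;
    close(t);

    /* Start from a normal state (0, 1, 2 open), then do what "prog 2>&-" does. */
    if (fill_std_fds() != 0) { unlink(path); return -1; }
    int saved_stderr = dup(2);              /* keep the real stderr so we can restore it */
    if (saved_stderr == -1) { unlink(path); return -1; }
    close(2);

    /* Fixed program: plug the hole before the privileged open. */
    if (hardened && fill_std_fds() != 0) {
        dup2(saved_stderr, 2); close(saved_stderr); unlink(path); return -1;
    }

    /* The privileged open: without the fix this lands on fd 2. */
    int fd = open(path, O_WRONLY | O_TRUNC);
    if (fd == -1) {
        dup2(saved_stderr, 2); close(saved_stderr); unlink(path); return -1;
    }

    /* Some later error path calls err()/warn(); this is what they write to fd 2. */
    char line[256];
    snprintf(line, sizeof line, "%s: cannot open config: No such file or directory\n", argv0);
    if (write(2, line, strlen(line)) < 0) { /* EBADF here would mean 2 is still closed */ }

    close(fd);
    dup2(saved_stderr, 2);                  /* restore the real stderr */
    close(saved_stderr);

    int result = file_contains(path, argv0);
    unlink(path);
    return result;
}

int main(void)
{
    const char *evil = "root::0:0::0:0:injected:/:/bin/sh";
    printf("unhardened: attacker line in file? %d\n", run_demo(evil, 0));
    printf("hardened:   attacker line in file? %d\n", run_demo(evil, 1));
    return 0;
}
```

Run as-is the unhardened pass reports 1 (the argv[0] string is now the first line of the file) and the hardened pass reports 0, because fd 2 was already /dev/null when the open happened and the file landed on fd 3. The same check is worth doing at the top of any setuid or setgid main() regardless of what the kernel does, which is the point Brian and Garrett make above.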