Date: Mon, 29 Nov 1999 16:35:51 -0700
From: Warner Losh <imp@village.org>
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: Kris Kennaway <kris@hub.freebsd.org>, Dan Moschuk <dan@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/i386/conf files.i386 src/sys/kern kern_fork.c src/sys/libkern arc4random.c src/sys/sys libkern.h
Message-ID: <199911292335.QAA97810@harmony.village.org>
In-Reply-To: Your message of "Mon, 29 Nov 1999 14:39:46 PST." <199911292239.OAA11977@apollo.backplane.com>
References: <199911292239.OAA11977@apollo.backplane.com> <Pine.BSF.4.21.9911291431310.19254-100000@hub.freebsd.org>

In message <199911292239.OAA11977@apollo.backplane.com> Matthew Dillon writes:
: Not really. Example: fork/exec an suid program. You now know what
: the pid is (the return value of the fork). There is no need to guess,
: and a randomized pid won't help you. In fact, you can TSTP the program
: relatively easily since you are probably still the controlling terminal.
: You can effectively exploit the window even without TSTPing or STOPing
: the program.
:
: The only time a randomized pid would help you is with historical
: cron root-run code. But all of those holes have been fixed (we believe).

I don't think this is true. There are tmp file races with things like
gcc which would allow one to insert arbitrary code into a file being
compiled, should one wish to do so and can guess things. At least there
used to be, I don't know if this is the case still.

When you are racing others on the system w/o this change you had a
small range of pids to choose from. After this change there is a
large range. Some of the races are to overwrite an arbitrary file on
the system, while others are to provide bad data to a process running
under a different uid to do bad things to that uid...

Warner
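
The tmp file race discussed in this message, as an added example that is not part of the original e-mail or of any FreeBSD code: a temporary file whose name is derived from the pid is opened through whatever already sits at that name, while mkstemp() picks an unguessable name and creates it with O_EXCL. The function names and the cc<pid>.i naming pattern are assumptions made for the illustration, and everything happens inside a private scratch directory.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: name derived from the pid; open() follows and truncates what is there. */
int open_tmp_predictable(const char *dir, pid_t pid, char *path, size_t n)
{
    snprintf(path, n, "%s/cc%ld.i", dir, (long)pid);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: mkstemp() chooses a random name and creates it with O_EXCL. */
int open_tmp_safe(const char *dir, char *path, size_t n)
{
    snprintf(path, n, "%s/ccXXXXXX", dir);
    return mkstemp(path);
}

/* Constructed scenario: the guessed name already exists as a symlink to an
 * 8-byte victim file. Returns the victim's size afterwards (8 = intact). */
long victim_size_after(int use_safe)
{
    char dir[] = "/tmp/pidrace.XXXXXX", victim[256], planted[256], path[256];
    struct stat st; int fd;
    pid_t guessed = getpid();   /* stands in for a correctly guessed pid */
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/cc%ld.i", dir, (long)guessed);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "precious", 8) != 8) return -1;
    close(fd);
    if (symlink(victim, planted) != 0) return -1;
    fd = use_safe ? open_tmp_safe(dir, path, sizeof path)
                  : open_tmp_predictable(dir, guessed, path, sizeof path);
    if (fd >= 0) close(fd);
    if (stat(victim, &st) != 0) return -1;
    unlink(path); unlink(planted); unlink(victim); rmdir(dir);
    return (long)st.st_size;
}

int main(void)
{
    printf("predictable name: victim is %ld bytes\n", victim_size_after(0));
    printf("mkstemp name:     victim is %ld bytes\n", victim_size_after(1));
    return 0;
}
```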