Date: Sun, 22 Nov 1998 21:41:27 +0000
From: dmlb@ragnet.demon.co.uk
To: FreeBSD-gnats-submit@FreeBSD.ORG
Cc: dmlb@ragnet.demon.co.uk
Subject: kern/8802: Security fix to mount_portal/pt_tcp.c
Message-ID: <E0zhhG2-0000l4-00@ragnet.demon.co.uk>
>Number: 8802
>Category: kern
>Synopsis: Users can obtain a bound privileged TCP port using portal
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Nov 22 15:00:00 PST 1998
>Last-Modified:
>Originator: Duncan Barclay
>Organization:
>Release: FreeBSD 2.2.6-RELEASE i386 and FreeBSD 3.0-CURRENT
>Environment: Any FreeBSD box using the portal FS.
>Description: The default configuration of the portal filesystem allows any user to obtain a TCP socket bound to a privileged port address. Also, I give up root privs. around the connect, this may be bogus though.
>How-To-Repeat:
# mount_portal /etc/portal.conf /p
# read </p/tcp/localhost/1000/priv
>Fix: Diffs below fix these problems. These are against the version of sbin/mount_portal/pt_tcp.c I submitted in kern/8793 for -stable. The diff applies fine to the patches I sent in against current too.
--- pt_tcp.c~ Sun Nov 22 15:20:52 1998 +++ pt_tcp.c Sun Nov 22 21:30:07 1998 @@ -55,11 +55,9 @@ #include "portald.h" /* - * Key will be tcp/host/port[/"priv"] + * Key will be tcp/host/port * Create a TCP socket connected to the * requested host and port. - * Some trailing suffix values have special meanings. - * An unrecognized suffix is an error. */ int portal_tcp(pcr, key, v, kso, fdp) struct portal_cred *pcr; @@ -78,7 +76,6 @@ struct in_addr *ip[2]; struct in_addr ina; u_short s_port; - int priv = 0; struct sockaddr_in sain; q = strchr(p, '/'); @@ -94,17 +91,6 @@ if (strlen(p) >= sizeof(port)) return (EINVAL); strcpy(port, p); - if (q) { - p = q + 1; - if (strcmp(p, "priv") == 0) { - if (pcr->pcr_uid == 0) - priv = 1; - else - return (EPERM); - } else { - return (EINVAL); - } - } hp = gethostbyname(host); if (hp != 0) { 
@@ -142,20 +128,20 @@ while (ipp[0]) { int so; - if (priv) - so = rresvport((int *) 0); - else - so = socket(AF_INET, SOCK_STREAM, 0); + so = socket(AF_INET, SOCK_STREAM, 0); if (so < 0) { syslog(LOG_ERR, "socket: %m"); return (errno); } sain.sin_addr = *ipp[0]; + setuid(pcr->pcr_uid); if (connect(so, (struct sockaddr *) &sain, sizeof(sain)) == 0) { + setuid(geteuid()); /* XXX getuid? */ *fdp = so; return (0); } + setuid(geteuid()); /* XXX getuid? */ (void) close(so); ipp++; >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
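Review bot: in the @@ -94,17 +91,6 @@ hunk, deleting the whole `if (q)` block also deletes the `return (EINVAL)` branch for unrecognized suffixes, so if `q` is still non-NULL at this point a key such as tcp/host/port/priv is accepted with the suffix silently ignored instead of being rejected. The updated header comment says the key is tcp/host/port, so I would keep a rejection here, for example `if (q) return (EINVAL);`, so that anything still using the /priv form gets an error rather than an unprivileged socket it did not ask for.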
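Review bot: in the @@ -142,20 +128,20 @@ hunk, neither `setuid(pcr->pcr_uid)` nor the two `setuid(geteuid())` calls check a return value, and the restore cannot work as written. When the caller is root, setuid() to a non-zero uid changes the real, effective and saved uids together, so afterwards geteuid() returns pcr->pcr_uid and `setuid(geteuid())` is a no-op; the process then stays unprivileged for later loop iterations and later requests, unless this code runs in a per-request child, which is not visible in these lines. If the drop is meant to be temporary, use `seteuid(pcr->pcr_uid)` before connect() and `seteuid(0)` after it, and return an error if either call fails so connect() never runs with root's credentials by accident. The two XXX comments should be resolved before this is committed.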