Date:      Sun, 22 Nov 1998 21:41:27 +0000
From:      dmlb@ragnet.demon.co.uk
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Cc:        dmlb@ragnet.demon.co.uk
Subject:   kern/8802: Security fix to mount_portal/pt_tcp.c
Message-ID:  <E0zhhG2-0000l4-00@ragnet.demon.co.uk>


>Number:         8802
>Category:       kern
>Synopsis:       Users can obtain a bound privileged TCP port using portal
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Nov 22 15:00:00 PST 1998
>Last-Modified:
>Originator:     Duncan Barclay
>Organization:
>Release:        FreeBSD 2.2.6-RELEASE i386 and FreeBSD 3.0-CURRENT
>Environment:

	Any FreeBSD box using the portal FS.

>Description:

	The default configuration of the portal filesystem allows any
	user to obtain a TCP socket bound to a privileged port address.

	Also, I give up root privs around the connect; this may be
	bogus, though.

>How-To-Repeat:

	# mount_portal /etc/portal.conf /p
	# read </p/tcp/localhost/1000/priv

>Fix:
	
	Diffs below fix these problems. These are against the
	version of sbin/mount_portal/pt_tcp.c I submitted in kern/8793
	for -stable. The diff applies fine to the patches I sent in
	against current too.

--- pt_tcp.c~	Sun Nov 22 15:20:52 1998
+++ pt_tcp.c	Sun Nov 22 21:30:07 1998
@@ -55,11 +55,9 @@
 #include "portald.h"
 
 /*
- * Key will be tcp/host/port[/"priv"]
+ * Key will be tcp/host/port
  * Create a TCP socket connected to the
  * requested host and port.
- * Some trailing suffix values have special meanings.
- * An unrecognized suffix is an error.
  */
 int portal_tcp(pcr, key, v, kso, fdp)
 	struct portal_cred *pcr;
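Review bot: the rewritten comment only drops the "priv" suffix and says nothing about which credentials the connect now runs under, although the rest of this patch performs the connect with the requesting user's uid (`pcr->pcr_uid`); document that here, e.g. add ` * The connect is made with the credentials of the requesting user.` after the "requested host and port." line, so readers of the key format know why a privileged port can no longer be obtained through it.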
@@ -78,7 +76,6 @@
 	struct in_addr *ip[2];
 	struct in_addr ina;
 	u_short s_port;
-	int priv = 0;
 	struct sockaddr_in sain;
 
 	q = strchr(p, '/');
@@ -94,17 +91,6 @@
 	if (strlen(p) >= sizeof(port))
 		return (EINVAL);
 	strcpy(port, p);
-	if (q) {
-		p = q + 1;
-		if (strcmp(p, "priv") == 0) {
-			if (pcr->pcr_uid == 0)
-				priv = 1;
-			else
-				return (EPERM);
-		} else {
-			return (EINVAL);
-		}
-	}
 
 	hp = gethostbyname(host);
 	if (hp != 0) {
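Review bot: deleting the whole `if (q)` block also deletes the `return (EINVAL)` that rejected an unrecognized suffix, so a key such as tcp/host/port/anything is now accepted silently instead of failing; the surrounding code still sets `q` to the trailing component (that is what the removed `if (q)` tested), so keep a one-line check such as `if (q) return (EINVAL);` in place of the block, before `hp = gethostbyname(host);`, so that a stale "/priv" key fails loudly rather than connecting as an ordinary user.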
@@ -142,20 +128,20 @@
 	while (ipp[0]) {
 		int so;
 
-		if (priv)
-			so = rresvport((int *) 0);
-		else
-			so = socket(AF_INET, SOCK_STREAM, 0);
+		so = socket(AF_INET, SOCK_STREAM, 0);
 		if (so < 0) {
 			syslog(LOG_ERR, "socket: %m");
 			return (errno);
 		}
 
 		sain.sin_addr = *ipp[0];
+		setuid(pcr->pcr_uid);
 		if (connect(so, (struct sockaddr *) &sain, sizeof(sain)) == 0) {
+			setuid(geteuid()); /* XXX getuid? */
 			*fdp = so;
 			return (0);
 		}
+		setuid(geteuid()); /* XXX getuid? */
 		(void) close(so);
 
 		ipp++;
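Review bot: the `setuid(pcr->pcr_uid);` before `connect()` is unchecked and, for a root process, `setuid()` to a non-zero uid sets the real, effective and saved uids together, so the two `setuid(geteuid()); /* XXX getuid? */` calls restore nothing: by then `geteuid()` already returns `pcr_uid`, and neither `getuid()` nor `geteuid()` would give a different answer. Decide which behaviour is wanted: if this request handler never needs root again, drop privileges once with a checked `setuid()` and delete both restoring calls, which only mislead; if it must regain root, use `seteuid(pcr->pcr_uid)` before the connect and `seteuid(0)` after it. In either case test the return value: if the drop fails (it returns -1 with EPERM), the code as written goes on to connect with root credentials, which is exactly the situation this PR sets out to close.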
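An added example, not part of this PR or of mount_portal, showing the privilege handling that the patch's `XXX getuid?` comments are asking about. Once a root process calls setuid() with a non-zero uid, the real, effective and saved uids all change and `setuid(geteuid())` restores nothing, so a temporary drop around connect(2) has to use seteuid(2) and has to check its result so that a failed drop never lets the connect run as root. The helper `connect_as()` is written for this note; `demo_roundtrip()` and `demo_failed_connect_keeps_euid()` exercise it over an AF_UNIX socket in a scratch directory so the check runs without network access (the helper takes a generic sockaddr and works the same for the AF_INET socket in pt_tcp.c). The scratch path, the nonexistent socket path and the fallback uid 65534 are constructed values.

```c
#define _DEFAULT_SOURCE 1
#include <sys/socket.h>
#include <sys/un.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * connect_as: run connect(2) on `so` with effective uid `uid`, then
 * regain the previous effective uid.  seteuid(2) changes only the
 * effective uid, so a root process keeps its saved uid 0 and can come
 * back; setuid(2), as used in the patch, changes all three uids and
 * turns the later "restore" into a no-op.  Returns 0 or an errno value.
 */
int connect_as(uid_t uid, int so, const struct sockaddr *sa, socklen_t len)
{
	uid_t saved = geteuid();
	int err = 0;

	/* A failed drop must not fall through to a connect as root. */
	if (uid != saved && seteuid(uid) == -1)
		return (errno);
	if (connect(so, sa, len) == -1)
		err = errno;
	/* Regain privileges; report it if that fails and nothing else did. */
	if (uid != saved && seteuid(saved) == -1 && err == 0)
		err = errno;
	return (err);
}

/*
 * demo_roundtrip: listen on an AF_UNIX socket in a scratch directory
 * (constructed path), connect to it through connect_as() with the
 * caller's own uid, pass one byte, and confirm the effective uid is
 * unchanged afterwards.  Returns 0 on success or an errno value.
 */
int demo_roundtrip(void)
{
	char dir[] = "/tmp/ptdemoXXXXXX";
	struct sockaddr_un addr;
	uid_t before = geteuid();
	int ls = -1, cs = -1, as = -1, err = 0;
	char ch = 0;

	if (mkdtemp(dir) == NULL)
		return (errno);
	memset(&addr, 0, sizeof(addr));
	addr.sun_family = AF_UNIX;
	snprintf(addr.sun_path, sizeof(addr.sun_path), "%s/sock", dir);

	if ((ls = socket(AF_UNIX, SOCK_STREAM, 0)) == -1 ||
	    bind(ls, (struct sockaddr *)&addr, sizeof(addr)) == -1 ||
	    listen(ls, 1) == -1 ||
	    (cs = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
		err = errno;
	if (err == 0)
		err = connect_as(getuid(), cs, (struct sockaddr *)&addr, sizeof(addr));
	if (err == 0 && (as = accept(ls, NULL, NULL)) == -1)
		err = errno;
	if (err == 0 && (write(cs, "x", 1) != 1 || read(as, &ch, 1) != 1 || ch != 'x'))
		err = EIO;
	if (err == 0 && geteuid() != before)
		err = EPERM;	/* privileges were not regained */

	if (as != -1) close(as);
	if (cs != -1) close(cs);
	if (ls != -1) close(ls);
	unlink(addr.sun_path);
	rmdir(dir);
	return (err);
}

/*
 * demo_failed_connect_keeps_euid: connect to a path nobody listens on
 * (constructed) and check that the failure path also regains the
 * effective uid.  When run as root, uid 65534 (assumed to be an
 * unprivileged account) is used so the seteuid() calls really happen.
 * Returns 1 if the connect failed and the effective uid is unchanged.
 */
int demo_failed_connect_keeps_euid(void)
{
	struct sockaddr_un addr;
	uid_t before = geteuid();
	uid_t uid = (before == 0) ? 65534 : getuid();
	int cs, err;

	memset(&addr, 0, sizeof(addr));
	addr.sun_family = AF_UNIX;
	strcpy(addr.sun_path, "/nonexistent-portal-demo/sock");
	if ((cs = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
		return (0);
	err = connect_as(uid, cs, (struct sockaddr *)&addr, sizeof(addr));
	close(cs);
	return (err != 0 && geteuid() == before);
}

int main(void)
{
	int err = demo_roundtrip();

	printf("roundtrip through connect_as: %s\n", err ? strerror(err) : "ok");
	printf("failed connect keeps euid: %s\n",
	    demo_failed_connect_keeps_euid() ? "yes" : "no");
	return (err != 0);
}
```

Run as an ordinary user both demos are no-ops for seteuid(), which is the same condition the portal daemon is in once it has dropped to the requesting uid; run as root the second demo really switches to uid 65534 and back, which is the path a daemon that forks per request and keeps root in the parent depends on.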
>Audit-Trail:
>Unformatted:
