Date:      Wed, 22 May 2002 21:23:58 +0200 (CEST)
From:      Stephanie Wehner <_@r4k.net>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/38429: [PATCH] getgpid and getsid work for processes outside the current jail
Message-ID:  <200205221923.g4MJNwXr087495@shell.r4k.net>


>Number:         38429
>Category:       kern
>Synopsis:       [PATCH] getgpid and getsid work for processes outside the current jail
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 22 12:30:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Stephanie Wehner
>Release:        FreeBSD 4.6-RC i386
>Organization:
>Environment:
>Description:

It is possible to obtain the process group id and the session id
of processes running outside the current jail. This is due to the
fact that getsid and getpgid in sys/kern/kern_prot.c do not check
if the pid that is found is within the current jail.

It is also possible to check for the existence of a process with a
certain pid using inconsistencies in error messages. E.g. ps will simply
return nothing if queried for a certain pid. kill or ktrace, for example,
will however give EPERM instead of ESRCH if the process exists but is
not within the current jail. This is not included in this patch,
as I wasn't sure how you want to handle this. I'll mail about it to
freebsd-security.

>How-To-Repeat:

Run this inside a jail with the pid of a process outside the jail.

/*
 * small prog to test for the existence of a given process id
 * outside the current jail, using both getsid and getpgid for
 * demonstration purposes.
 * - <_@r4k.net>
 */

#include <stdio.h>
#include <stdlib.h>     /* atoi, exit */
#include <sys/types.h>  /* pid_t */
#include <unistd.h>     /* getsid, getpgid */

int main(int argc, char **argv) {

    pid_t pid, gpid, spid;

    if (argc < 2) {
        fprintf(stderr, "Usage: checkpid [pid]\n");
        exit(1);
    }

    pid = atoi(argv[1]);

    /* on an unpatched kernel both calls succeed for a pid outside the jail */
    if ((spid = getsid(pid)) < 0) {
        perror("getsid");
        exit(1);
    }

    if ((gpid = getpgid(pid)) < 0) {
        perror("getpgid");
        exit(1);
    }

    printf("Session id is %d\n", (int)spid);
    printf("Process group is %d\n", (int)gpid);
    return 0;
}

>Fix:
Please note that this fix returns ESRCH and not EPERM when the process
is not found, as if the process did not exist at all.

*** sys/kern/kern_prot.c.old	Tue May 21 22:49:19 2002
--- sys/kern/kern_prot.c	Tue May 21 23:47:17 2002
***************
*** 137,142 ****
--- 137,150 ----
  
  	if ((pt = pfind(uap->pid)) == 0)
  		return ESRCH;
+ 
+         /*
+          * return ESRCH as if the process was non existant
+ 	 * if it is jailed off
+          */
+ 
+         if (!PRISON_CHECK(curproc, pt))
+                 return ESRCH;
  found:
  	p->p_retval[0] = pt->p_pgrp->pg_id;
  	return 0;
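Review bot: the lines added to getpgid() are indented with spaces (and the comment's continuation line with a tab) while the surrounding kern_prot.c code is tab-indented; style(9) asks for tabs, so re-indent the comment and the `if (!PRISON_CHECK(curproc, pt))` / `return ESRCH;` pair to match. The function already holds the calling process as `p` (see `p->p_retval[0] = pt->p_pgrp->pg_id;` just below), so `PRISON_CHECK(p, pt)` is the consistent form rather than `curproc`. The `goto found` that enters from above bypasses the new check, which is only safe because that path is the caller's own process (the POSIX pid == 0 case); a one-line comment saying so would keep a later change from routing a foreign lookup through it. Spelling in the comment: "non-existent".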
***************
*** 164,169 ****
--- 172,185 ----
  
  	if ((pt = pfind(uap->pid)) == 0)
  		return ESRCH;
+ 
+ 	/* 
+ 	 * return ESRCH as if the process was non existant
+ 	 * if it is jailed off
+ 	 */
+ 
+         if (!PRISON_CHECK(curproc, pt))
+         	return ESRCH;
  found:
  	p->p_retval[0] = pt->p_session->s_sid;
  	return 0;
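Review bot: the same mixed indentation appears here, inverted: the comment block is tab-indented but `if (!PRISON_CHECK(curproc, pt))` uses spaces and the `return ESRCH;` line mixes spaces and a tab; there is also trailing whitespace after the opening `/*`. Since getsid() now repeats the pfind()/PRISON_CHECK sequence of getpgid() verbatim, consider a single static helper that does the lookup plus the jail check and returns ESRCH for both failures, so the two syscalls cannot drift apart; and, as in the first hunk, use `p` instead of `curproc`.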

>Release-Note:
>Audit-Trail:
>Unformatted:
                 also, existence of a process with a certain pid can be verified
 >System: FreeBSD beyond.r4k.net 4.6-RC FreeBSD 4.6-RC #5: Wed May 22 11:02:24 CEST 2002 atrak@beyond.r4k.net:/usr/src/sys/compile/BEYOND i386
 
     fbsd RC6 as of monday 20/05/02
 
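The rule the patch introduces (a jailed caller gets ESRCH for a pid it may not see, exactly as for a pid that does not exist) modelled in user space, as an added example that is not the PR's or FreeBSD's code. The `struct proc`/`struct prison` stand-ins, the constructed process table and the `model_getpgid`/`model_getsid`/`find_visible` names are assumptions of this model; only the visibility test follows what PRISON_CHECK expresses in the 4.x jail code (caller not jailed, or caller and target in the same jail).

```c
/*
 * Added example, not code from the PR or from FreeBSD: a user-space model
 * of the patched getpgid()/getsid() lookups, run against a constructed
 * process table. struct proc / struct prison are minimal stand-ins with
 * assumed fields, not the kernel's structures.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct prison { int pr_id; };

struct proc {
    int pid;
    int pgid;                  /* process group id */
    int sid;                   /* session id */
    struct prison *p_prison;   /* NULL: not jailed */
};

/* Constructed sample table: one host process, two jails. */
static struct prison jail_a = { 1 };
static struct prison jail_b = { 2 };
static struct proc procs[] = {
    { 100, 100, 100, NULL    },   /* host process */
    { 200, 200, 200, &jail_a },   /* jail A, session/group leader */
    { 201, 200, 200, &jail_a },   /* jail A, child in the same group */
    { 300, 300, 300, &jail_b },   /* jail B */
};
#define NPROCS (sizeof procs / sizeof procs[0])

/* pfind(): table lookup by pid, NULL when no such process exists. */
static struct proc *pfind(int pid)
{
    size_t i;
    for (i = 0; i < NPROCS; i++)
        if (procs[i].pid == pid)
            return &procs[i];
    return NULL;
}

/* Visibility rule of PRISON_CHECK(p1, p2): unjailed caller, or same jail. */
static int prison_check(const struct proc *p1, const struct proc *p2)
{
    return p1->p_prison == NULL || p1->p_prison == p2->p_prison;
}

/*
 * Shared lookup step of the patched syscalls. pid 0 means the caller
 * itself; otherwise the target must exist AND be visible from the
 * caller's jail. Both failures yield the same ESRCH, so a jailed caller
 * cannot tell "no such pid" from "pid lives in another jail".
 */
static int find_visible(const struct proc *caller, int pid,
                        const struct proc **out)
{
    const struct proc *pt = caller;

    if (pid != 0) {
        if ((pt = pfind(pid)) == NULL)
            return ESRCH;
        if (!prison_check(caller, pt))
            return ESRCH;           /* jailed off: report as non-existent */
    }
    *out = pt;
    return 0;
}

/* Model of getpgid(): 0 and *pgid set on success, ESRCH otherwise. */
int model_getpgid(int caller_pid, int pid, int *pgid)
{
    const struct proc *caller = pfind(caller_pid), *pt;
    int err;

    if (caller == NULL)
        return ESRCH;
    if ((err = find_visible(caller, pid, &pt)) != 0)
        return err;
    *pgid = pt->pgid;
    return 0;
}

/* Model of getsid(): 0 and *sid set on success, ESRCH otherwise. */
int model_getsid(int caller_pid, int pid, int *sid)
{
    const struct proc *caller = pfind(caller_pid), *pt;
    int err;

    if (caller == NULL)
        return ESRCH;
    if ((err = find_visible(caller, pid, &pt)) != 0)
        return err;
    *sid = pt->sid;
    return 0;
}

int main(void)
{
    int v = 0;
    /* jailed caller 200 asks about 300 (other jail) and 999 (absent) */
    printf("pgid of 300 from jail A: %s\n",
           model_getpgid(200, 300, &v) ? "ESRCH" : "ok");
    printf("pgid of 999 from jail A: %s\n",
           model_getpgid(200, 999, &v) ? "ESRCH" : "ok");
    /* the unjailed host process still resolves everything */
    if (model_getsid(100, 300, &v) == 0)
        printf("sid of 300 from host: %d\n", v);
    return 0;
}
```

Run as is, the jailed caller receives ESRCH for both the foreign and the absent pid, which is the indistinguishability the Fix section asks for, while the host process (no jail) still resolves every pid. The one helper doing both the lookup and the jail check is the shape the two patched syscalls could share in the kernel, so the check cannot be forgotten in one of them.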
