Date: Wed, 16 Oct 2002 23:44:22 -0400 From: "Danny J. Zerkel" <dzerkel@columbus.rr.com> To: Robert Watson <rwatson@FreeBSD.ORG>, Terry Lambert <tlambert2@mindspring.com> Cc: Maxim Sobolev <sobomax@FreeBSD.ORG>, "Vladimir B. Grebenschikov,Moscow,408-7227,123-4567,Some-info" <vova@express.ru>, freebsd-arch@FreeBSD.ORG, freebsd-current@FreeBSD.ORG Subject: Re: short uid/gid Message-ID: <200210162344.22969.dzerkel@columbus.rr.com> In-Reply-To: <Pine.NEB.3.96L.1021016125106.24763B-100000@fledge.watson.org> References: <Pine.NEB.3.96L.1021016125106.24763B-100000@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wednesday 16 October 2002 13:01, Robert Watson wrote:
> On Wed, 16 Oct 2002, Terry Lambert wrote:
> > Robert Watson wrote:
> > > I'm not convinced there's any value to providing the backward
> > > compatibility that has to be asked for: the only benefit to the current
> > > short-based API is that it allow serious security holes while not
> > > following the standard API offered by other platforms (except Linux).
> >
> > The main benefit, to my mind, is standards compliance. The secondary
> > benefit is ABI similarity for the purposes of supporting ABIs to run
> > non-native software (e.g. Linux prior to 2.4).
>
> Could you point me at the standard that indicates these fields should be
> shorts? We're all advocating switching to uid_t/gid_t/id_t here, the only
> question is with regard to compatibility. Platforms such as Solaris
> already use uid_t/gid_t for these fields, and we break portable
> applications because applications assume that uid_t fits into ipc_perm.uid
> (for example).
>
> > Binary backward compatability *demands* that you limit the range of your
> > UIDs and GIDs to what will fit in a uint16_t, just as the recent issue
> > with a pid_t exceeeding this size has damaged binary backward
> > compatability with third party a.out binaries.
>
> This has to do with the size of the field. uid_t and gid_t are 32-bit on
> most relevant platforms, although there are lingering software
> compatibility issues (such as the Sysem V IPC issue). The goal now is to
> correct lingering incompatibilities so that we can properly support these
> ranges.
>
> > > Freshly compiled applications should be using the proper types to
> > > represent uid's and gid's -- if they're not doing that in the existing
> > > code, they'll get truncated to the right size for "bug compatibility".
> > > If they are using the correct size, they'll work correctly. To be able
> > > to run properly on other platforms (vis Solaris), they already should
> > > be using those types.
> >
> > Truncating of oversized values for credentials is Bad(tm), in that what
> > you get is a different credential. The constraint has to be a priori
> > enforced, or it's meaningless.
>
> I think we're in agreement here. Unfortunately, because of the "short"
> uid/gid/cuid/cgid fields, truncation is *already* happening. That's what
> we're trying to fix. If you try to crush a uid_t into ipc_perm.uid on
> FreeBSD, the field is truncated, resulting in a vulnerability. What
> pushing the type checking into the application space does is generate
> warnings for applications making bogus assumptions, and corrects the
> truncation performed by the kernel in the current scenario. I.e., when a
> SysVIPC shm segment is created by a user with a uid that doesn't fit in
> short, the kernel gets it "wrong". The change we're talking about will
> fix the kernel, and make type problems visible to the applications if they
> make incorrect assumptions. Of course, past applications assuming 16-bit
> uids and gids will still be wrong, nothing changes that, but we do fix
> current applications.
>
> > > And it's not like the approach you've described makes it any easier to
> > > implement: you still have to break out the old and new structures since
> > > changing ipc_perm breaks the ABI for all of the System V interfaces,
> > > rewrite the kernel code, etc. You might as well have added the
> > > compatibility system calls since you still have to do all the mapping.
> >
> > His approach avoids the proliferation of system call entry points, which
> > may conflict with those of other BSDs (among other things). BSDI
> > limited the number of available additional FreeBSD system calls in a
> > standardization effort a while back, if you'll remember, so a
> > proliferation of calls is Bad. In addition, the compatability required
> > this proliferation going forward.
>
> I suspect that this may end up being a red herring. You do realize that
> OpenBSD and NetBSD have *already* made precisely the change I am
> describing? Here's the exerpt from OpenBSD's ipc.h:
>
> struct ipc_perm {
> uid_t cuid; /* creator user id */
> gid_t cgid; /* creator group id */
> uid_t uid; /* user id */
> gid_t gid; /* group id */
> mode_t mode; /* r/w permission */
> unsigned short seq; /* sequence # (to generate unique
> msg/sem/shm id) */
> key_t key; /* user specified msg/sem/shm key */
> };
>
> #ifdef _KERNEL
> struct oipc_perm {
> unsigned short cuid; /* creator user id */
> unsigned short cgid; /* creator group id */
> unsigned short uid; /* user id */
> unsigned short gid; /* group id */
> unsigned short mode; /* r/w permission */
> unsigned short seq; /* sequence # (to generate unique
> msg/sem/shm id) */
> key_t key; /* user specified msg/sem/shm key */
> };
> #endif
>
> We're *improve* our compatibility with other BSD platforms by making these
> changes.
>
> > FWIW, I would agree with you, if you were advocating a cross-OS ABI
> > definition of manifest constants, so that FreeBSD's new ABI, and, say,
> > Solaris or Linux's ABI, were more congruent (you could get this without
> > a new sstem call vector entry point, by using a different "ELF brand"
> > value), but that's not what you are advocating.
>
> I'm advocating we adopt pretty much the ABI for these calls that Solaris
> uses. If you inspect their ipc.h, you'll see that they define two
> versions of the structure, ipc_perm, and ipc_perm32. ipc_perm is the
> version that makes use of types such as uid_t and gid_t; ipc_perm32
> hard-codes these fields to 32-bit and can be used for compatibility.
>
> > Also FWIW, my personal preference would be to follow the Solaris ABI;
> > it's the least volatile of all ABI's in this area. In terms of the
> > available applications, Linux is probably a better choice, but in terms
> > of the amount of maintenance work required, Solaris is far and away the
> > leader.
>
> We already have the SysVIPC wrappers for the Linux code, but those are
> actually broken because they don't take into account our truncation bugs.
>
> Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
> robert@fledge.watson.org Network Associates Laboratories
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-current" in the body of the message
To quote the POSIX standard:
The ipc_perm structure shall contain the following members:
uid_t uid Owner's user ID.
gid_t gid Owner's group ID.
uid_t cuid Creator's user ID.
gid_t cgid Creator's group ID.
mode_t mode Read/write permission.
I don't think size is an issue. At least not within a given machine.
I think OpenBSD and NetBSD have already taken the correct path.
We just need to have a compatibility interface (automatic extra
flag: pretty cheap; or alternate syscalls: probably a waste).
Danny J. Zerkel
dzerkel@columbus.rr.com
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200210162344.22969.dzerkel>