From owner-freebsd-audit Mon Jul 30 10:23: 7 2001 Delivered-To: freebsd-audit@freebsd.org Received: from mail.chem.msu.ru (mail.chem.msu.ru [195.208.208.19]) by hub.freebsd.org (Postfix) with ESMTP id 982C337B401; Mon, 30 Jul 2001 10:23:03 -0700 (PDT) (envelope-from yar@comp.chem.msu.su) Received: from comp.chem.msu.su ([158.250.32.97]) by mail.chem.msu.ru with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id NHPRW1G1; Mon, 30 Jul 2001 21:15:07 +0400 Received: (from yar@localhost) by comp.chem.msu.su (8.11.1/8.11.1) id f6UHMvS44905; Mon, 30 Jul 2001 21:22:57 +0400 (MSD) (envelope-from yar) Date: Mon, 30 Jul 2001 21:22:57 +0400 From: Yar Tikhiy To: Mike Barcroft Cc: audit@FreeBSD.ORG Subject: Re: finger(1) & fingerd(8) Message-ID: <20010730212257.C26476@comp.chem.msu.su> References: <20010728155159.A35483@snark.rinet.ru> <20010728144554.C86837@coffee.q9media.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010728144554.C86837@coffee.q9media.com>; from mike@FreeBSD.ORG on Sat, Jul 28, 2001 at 02:45:54PM -0400 Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Sat, Jul 28, 2001 at 02:45:54PM -0400, Mike Barcroft wrote: > > [...] > > if (access(buf, F_OK) == 0) > > return 1; > [...] > > I know this isn't your code, but this should also probably use open(2) > as well. First, I must have missed something, but why is access(2) a bad thing at this particular point? Second, open(2) can't be used as a drop-in replacement for access(.., F_OK) here because it can't tell permission errors on a directory from those on a file itself. IMHO stat(2) should be used here if the historical behaviour of finger(1) is to be preserved. -- Yar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Mon Jul 30 10:25:15 2001 Delivered-To: freebsd-audit@freebsd.org Received: from mail.chem.msu.ru (mail.chem.msu.ru [195.208.208.19]) by hub.freebsd.org (Postfix) with ESMTP id EEF4F37B403 for ; Mon, 30 Jul 2001 10:25:11 -0700 (PDT) (envelope-from yar@comp.chem.msu.su) Received: from comp.chem.msu.su ([158.250.32.97]) by mail.chem.msu.ru with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id NHPRW1G2; Mon, 30 Jul 2001 21:17:17 +0400 Received: (from yar@localhost) by comp.chem.msu.su (8.11.1/8.11.1) id f6UHOmi44921; Mon, 30 Jul 2001 21:24:48 +0400 (MSD) (envelope-from yar) Date: Mon, 30 Jul 2001 21:24:48 +0400 From: Yar Tikhiy To: Dima Dorfman Cc: audit@freebsd.org Subject: Re: finger(1) & fingerd(8) Message-ID: <20010730212447.D26476@comp.chem.msu.su> References: <20010728155159.A35483@snark.rinet.ru> <20010728123013.E88223E2F@bazooka.unixfreak.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010728123013.E88223E2F@bazooka.unixfreak.org>; from dima@unixfreak.org on Sat, Jul 28, 2001 at 05:30:08AM -0700 Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Sat, Jul 28, 2001 at 05:30:08AM -0700, Dima Dorfman wrote: > > > > Another way is not to do the bad thing by default. Any comments? > > This is just a review list, so it isn't the right place to propose > something like this. -arch or -hackers would be better. Sorry, I'll keep it in mind. -- Yar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Mon Jul 30 11: 1:46 2001 Delivered-To: freebsd-audit@freebsd.org Received: from ringworld.nanolink.com (unknown [217.75.135.189]) by hub.freebsd.org (Postfix) with SMTP id 4634937B409 for ; Mon, 30 Jul 2001 11:01:40 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 15462 invoked by uid 1000); 30 Jul 2001 18:00:34 -0000 Date: Mon, 30 Jul 2001 21:00:33 +0300 From: Peter Pentchev To: Yar Tikhiy Cc: Mike Barcroft , audit@FreeBSD.ORG Subject: Re: finger(1) & fingerd(8) Message-ID: <20010730210033.A15213@ringworld.oblivion.bg> Mail-Followup-To: Yar Tikhiy , Mike Barcroft , audit@FreeBSD.ORG References: <20010728155159.A35483@snark.rinet.ru> <20010728144554.C86837@coffee.q9media.com> <20010730212257.C26476@comp.chem.msu.su> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010730212257.C26476@comp.chem.msu.su>; from yar@FreeBSD.ORG on Mon, Jul 30, 2001 at 09:22:57PM +0400 Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Mon, Jul 30, 2001 at 09:22:57PM +0400, Yar Tikhiy wrote: > On Sat, Jul 28, 2001 at 02:45:54PM -0400, Mike Barcroft wrote: > > > > [...] > > > if (access(buf, F_OK) == 0) > > > return 1; > > [...] > > > > I know this isn't your code, but this should also probably use open(2) > > as well. > > First, I must have missed something, but why is access(2) > a bad thing at this particular point? I think there have been some grumblings about access(2) in general, and some other grumblings about programs trying to second-guess the kernel in determining access permissions. However, that would apply more to the case where a program was e.g. testing getuid() == 0 instead of just attempting a bind() to a privileged port; in this particular case, both access(2) and open(2) are system calls which should have the same idea about permissions, ACL's and such. But the first point still remains - I can't remember exactly what the grumblings about access(2) were, but I seem to remember that there *were* some. G'luck, Peter -- This sentence was in the past tense. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Mon Jul 30 11:27:10 2001 Delivered-To: freebsd-audit@freebsd.org Received: from coffee.q9media.com (coffee.q9media.com [216.94.229.19]) by hub.freebsd.org (Postfix) with ESMTP id A806737B401; Mon, 30 Jul 2001 11:26:55 -0700 (PDT) (envelope-from mike@coffee.q9media.com) Received: (from mike@localhost) by coffee.q9media.com (8.11.2/8.11.2) id f6UIjgC92144; Mon, 30 Jul 2001 14:45:42 -0400 (EDT) (envelope-from mike) Date: Mon, 30 Jul 2001 14:45:42 -0400 From: Mike Barcroft To: Yar Tikhiy Cc: audit@FreeBSD.ORG Subject: Re: finger(1) & fingerd(8) Message-ID: <20010730144542.A92125@coffee.q9media.com> References: <20010728155159.A35483@snark.rinet.ru> <20010728144554.C86837@coffee.q9media.com> <20010730212257.C26476@comp.chem.msu.su> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010730212257.C26476@comp.chem.msu.su>; from yar@FreeBSD.ORG on Mon, Jul 30, 2001 at 09:22:57PM +0400 Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Mon, Jul 30, 2001 at 09:22:57PM +0400, Yar Tikhiy wrote: > On Sat, Jul 28, 2001 at 02:45:54PM -0400, Mike Barcroft wrote: > > > > [...] > > > if (access(buf, F_OK) == 0) > > > return 1; > > [...] > > > > I know this isn't your code, but this should also probably use open(2) > > as well. > > First, I must have missed something, but why is access(2) > a bad thing at this particular point? There probably aren't any security problems with the use of access(2) in this code. That is, I don't see any race conditions. But to my understanding, use of access(2) is discouraged. From the access(2) man page: CAVEAT Access() is a potential security hole and should never be used. > Second, open(2) can't be used as a drop-in replacement for access(.., > F_OK) here because it can't tell permission errors on a directory from > those on a file itself. IMHO stat(2) should be used here if the > historical behaviour of finger(1) is to be preserved. I'm afraid I don't understand what you mean. How does access(buf, F_OK) differ from open(buf, O_RDONLY) in terms of permissions in this case? From the access(2) man page: All components of the pathname path are checked for access permissions (including F_OK). Best regards, Mike Barcroft To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Mon Jul 30 11:41:18 2001 Delivered-To: freebsd-audit@freebsd.org Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id D906C37B403; Mon, 30 Jul 2001 11:41:13 -0700 (PDT) (envelope-from sheldonh@starjuice.net) Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.31 #1) id 15RHzc-0000ZE-00; Mon, 30 Jul 2001 20:42:16 +0200 From: Sheldon Hearn To: Mike Barcroft Cc: Yar Tikhiy , audit@FreeBSD.ORG Subject: Re: finger(1) & fingerd(8) In-reply-to: Your message of "Mon, 30 Jul 2001 14:45:42 -0400." <20010730144542.A92125@coffee.q9media.com> Date: Mon, 30 Jul 2001 20:42:16 +0200 Message-ID: <2183.996518536@axl.seasidesoftware.co.za> Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Mon, 30 Jul 2001 14:45:42 -0400, Mike Barcroft wrote: > I'm afraid I don't understand what you mean. How does > access(buf, F_OK) differ from open(buf, O_RDONLY) in terms of > permissions in this case? From the access(2) man page: Are you sure access(2) checks read-only filesystems? Ciao, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Tue Jul 31 2:51:20 2001 Delivered-To: freebsd-audit@freebsd.org Received: from mail.chem.msu.ru (mail.chem.msu.ru [195.208.208.19]) by hub.freebsd.org (Postfix) with ESMTP id 81BB737B401; Tue, 31 Jul 2001 02:51:17 -0700 (PDT) (envelope-from yar@comp.chem.msu.su) Received: from comp.chem.msu.su ([158.250.32.97]) by mail.chem.msu.ru with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id NHPRW1VW; Tue, 31 Jul 2001 13:43:33 +0400 Received: (from yar@localhost) by comp.chem.msu.su (8.11.1/8.11.1) id f6V9osK32422; Tue, 31 Jul 2001 13:50:54 +0400 (MSD) (envelope-from yar) Date: Tue, 31 Jul 2001 13:50:54 +0400 From: Yar Tikhiy To: Sheldon Hearn Cc: Mike Barcroft , audit@FreeBSD.ORG Subject: Re: finger(1) & fingerd(8) Message-ID: <20010731135054.A30628@comp.chem.msu.su> References: <20010730144542.A92125@coffee.q9media.com> <2183.996518536@axl.seasidesoftware.co.za> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <2183.996518536@axl.seasidesoftware.co.za>; from sheldonh@starjuice.net on Mon, Jul 30, 2001 at 08:42:16PM +0200 Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Mon, Jul 30, 2001 at 08:42:16PM +0200, Sheldon Hearn wrote: > > On Mon, 30 Jul 2001 14:45:42 -0400, Mike Barcroft wrote: > > > I'm afraid I don't understand what you mean. How does > > access(buf, F_OK) differ from open(buf, O_RDONLY) in terms of > > permissions in this case? From the access(2) man page: > > Are you sure access(2) checks read-only filesystems? I've just checked that. Yes, it does. -- Yar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Tue Jul 31 2:53: 4 2001 Delivered-To: freebsd-audit@freebsd.org Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id B957537B401; Tue, 31 Jul 2001 02:53:00 -0700 (PDT) (envelope-from sheldonh@starjuice.net) Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.31 #1) id 15RWE0-0000NI-00; Tue, 31 Jul 2001 11:54:04 +0200 From: Sheldon Hearn To: Yar Tikhiy Cc: Mike Barcroft , audit@FreeBSD.ORG Subject: Re: finger(1) & fingerd(8) In-reply-to: Your message of "Tue, 31 Jul 2001 13:50:54 +0400." <20010731135054.A30628@comp.chem.msu.su> Date: Tue, 31 Jul 2001 11:54:04 +0200 Message-ID: <1443.996573244@axl.seasidesoftware.co.za> Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Tue, 31 Jul 2001 13:50:54 +0400, Yar Tikhiy wrote: > > Are you sure access(2) checks read-only filesystems? > > I've just checked that. Yes, it does. Okay, I think perhaps my superstition comes from real issues with access(1) vs test(1) rather than any issues with access(2) vs open(2). Ciao, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Tue Jul 31 3:43:54 2001 Delivered-To: freebsd-audit@freebsd.org Received: from mail.chem.msu.ru (mail.chem.msu.ru [195.208.208.19]) by hub.freebsd.org (Postfix) with ESMTP id 5760837B401; Tue, 31 Jul 2001 03:43:48 -0700 (PDT) (envelope-from yar@comp.chem.msu.su) Received: from comp.chem.msu.su ([158.250.32.97]) by mail.chem.msu.ru with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id NHPRW1X8; Tue, 31 Jul 2001 14:36:12 +0400 Received: (from yar@localhost) by comp.chem.msu.su (8.11.1/8.11.1) id f6VAhjr36954; Tue, 31 Jul 2001 14:43:45 +0400 (MSD) (envelope-from yar) Date: Tue, 31 Jul 2001 14:43:45 +0400 From: Yar Tikhiy To: Mike Barcroft Cc: audit@FreeBSD.ORG Subject: Re: finger(1) & fingerd(8) Message-ID: <20010731144344.B30628@comp.chem.msu.su> References: <20010728155159.A35483@snark.rinet.ru> <20010728144554.C86837@coffee.q9media.com> <20010730212257.C26476@comp.chem.msu.su> <20010730144542.A92125@coffee.q9media.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010730144542.A92125@coffee.q9media.com>; from mike@FreeBSD.ORG on Mon, Jul 30, 2001 at 02:45:42PM -0400 Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Mon, Jul 30, 2001 at 02:45:42PM -0400, Mike Barcroft wrote: > On Mon, Jul 30, 2001 at 09:22:57PM +0400, Yar Tikhiy wrote: > > On Sat, Jul 28, 2001 at 02:45:54PM -0400, Mike Barcroft wrote: > > > > > > [...] > > > > if (access(buf, F_OK) == 0) > > > > return 1; > > > [...] > > > > > > I know this isn't your code, but this should also probably use open(2) > > > as well. > > > > First, I must have missed something, but why is access(2) > > a bad thing at this particular point? > > There probably aren't any security problems with the use of access(2) > in this code. That is, I don't see any race conditions. But to my > understanding, use of access(2) is discouraged. From the access(2) > man page: > > CAVEAT > Access() is a potential security hole and should never be used. IMHO this caveat is akin to a memorable quote from an article on the Daemon News: "One of the differences between FreeBSD and NetBSD is that the former needs quoting parameter values in rc.conf, and the latter need not". I mean they both push people along the easiest, but thoughtless route. The actual problem about access(2) is not in programmer's unawareness of races, but in the syscall's design itself. It was intended to be a way to check a file against real user credentials instead of effective ones. And it turned out a Really Bad Way of doing that. Ugh, what I did was convinced myself that access(2) shouldn't be used, but the argument was not security, but the risk of getting access(2) obsolete one day, as it already happened to creat(2) :-) > > Second, open(2) can't be used as a drop-in replacement for access(.., > > F_OK) here because it can't tell permission errors on a directory from > > those on a file itself. IMHO stat(2) should be used here if the > > historical behaviour of finger(1) is to be preserved. > > I'm afraid I don't understand what you mean. How does > access(buf, F_OK) differ from open(buf, O_RDONLY) in terms of > permissions in this case? From the access(2) man page: > > All components of the pathname path are checked for access > permissions (including F_OK). Don't believe newspapers and manpages blindly ;-) Access(..., F_OK) returns 0 if a file can be seen, but can't be read. -- Yar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Tue Jul 31 4:41:10 2001 Delivered-To: freebsd-audit@freebsd.org Received: from bazooka.unixfreak.org (bazooka.unixfreak.org [63.198.170.138]) by hub.freebsd.org (Postfix) with ESMTP id 0ADEA37B403; Tue, 31 Jul 2001 04:40:51 -0700 (PDT) (envelope-from dima@unixfreak.org) Received: by bazooka.unixfreak.org (Postfix, from userid 1000) id B730E3E31; Tue, 31 Jul 2001 04:40:50 -0700 (PDT) Received: from bazooka.unixfreak.org (localhost [127.0.0.1]) by bazooka.unixfreak.org (Postfix) with ESMTP id A96D63C12C; Tue, 31 Jul 2001 04:40:50 -0700 (PDT) To: audit@freebsd.org Cc: dwmalone@freebsd.org Subject: Peer credentials on a Unix domain socket Date: Tue, 31 Jul 2001 04:40:45 -0700 From: Dima Dorfman Message-Id: <20010731114050.B730E3E31@bazooka.unixfreak.org> Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG As discussed on -arch... Attached are two things: one is a patch that implements the socket option and documents it in unix(4). The second is a sharball of the getpeereid() implementation and man page. Here's an excerpt from unix(4) that pretty much sums up what's there: The effective credentials (i.e., the user ID and group list) the of a peer on a SOCK_STREAM socket may be obtained using the LOCAL_PEERCRED socket option. This may be used by a server to obtain and verify the credentials of its client, and vice versa by the client to verify the credentials of the server. These will arrive in the form of a filled in struct xucred (defined in sys/ucred.h). The credentials presented to the server (the listen(2) caller) are those of the client when it called connect(2); the credentials presented to the client (the connect(2) caller) are those of the server when it called listen(2). This mechanism is reliable; there is no way for either party to influence the creden- tials presented to its peer except by calling the appropriate system call (e.g., connect(2) or listen(2)) under different effective credentials. The above, with s/LOCAL_PEERCRED/SO_PEERCRED/ also describes that Linux does. They obviously don't use struct xucred, but the idea is the same. I.e., they also record the credentials at connect(2) and listen(2) time. Please review. Thanks in advance. Index: sys/sys/un.h =================================================================== RCS file: /stl/src/FreeBSD/src/sys/sys/un.h,v retrieving revision 1.17 diff -u -r1.17 un.h --- sys/sys/un.h 1999/12/29 04:24:49 1.17 +++ sys/sys/un.h 2001/07/15 11:21:14 @@ -46,12 +46,16 @@ char sun_path[104]; /* path name (gag) */ }; +/* Socket options. */ +#define LOCAL_PEERCRED 0x001 /* retrieve peer credentials */ + #ifdef _KERNEL struct mbuf; struct socket; int uipc_usrreq __P((struct socket *so, int req, struct mbuf *m, struct mbuf *nam, struct mbuf *control)); +int uipc_ctloutput __P((struct socket *so, struct sockopt *sopt)); int unp_connect2 __P((struct socket *so, struct socket *so2)); void unp_dispose __P((struct mbuf *m)); int unp_externalize __P((struct mbuf *rights)); Index: sys/sys/unpcb.h =================================================================== RCS file: /stl/src/FreeBSD/src/sys/sys/unpcb.h,v retrieving revision 1.11 diff -u -r1.11 unpcb.h --- sys/sys/unpcb.h 2000/05/26 02:06:59 1.11 +++ sys/sys/unpcb.h 2001/07/15 11:21:14 @@ -38,6 +38,7 @@ #define _SYS_UNPCB_H_ #include +#include /* * Protocol control block for an active @@ -80,7 +81,25 @@ int unp_cc; /* copy of rcv.sb_cc */ int unp_mbcnt; /* copy of rcv.sb_mbcnt */ unp_gen_t unp_gencnt; /* generation count of this instance */ + int unp_flags; /* flags */ + struct xucred unp_peercred; /* peer credentials, if applicable */ }; + +/* + * Flags in unp_flags. + * + * UNP_HAVEPC - indicates that the unp_peercred member is filled in + * and is really the credentials of the connected peer. This is used + * to determine whether the contents should be sent to the user or + * not. + * + * UNP_HAVEPCCACHED - indicates that the unp_peercred member is filled + * in, but does *not* contain the credentials of the connected peer + * (there may not even be a peer). This is set in unp_listen() when + * it fills in unp_peercred for later consumption by unp_connect(). + */ +#define UNP_HAVEPC 0x001 +#define UNP_HAVEPCCACHED 0x002 #define sotounpcb(so) ((struct unpcb *)((so)->so_pcb)) Index: sys/kern/uipc_proto.c =================================================================== RCS file: /stl/src/FreeBSD/src/sys/kern/uipc_proto.c,v retrieving revision 1.21 diff -u -r1.21 uipc_proto.c --- sys/kern/uipc_proto.c 1999/10/11 15:19:11 1.21 +++ sys/kern/uipc_proto.c 2001/07/15 11:21:14 @@ -51,7 +51,7 @@ static struct protosw localsw[] = { { SOCK_STREAM, &localdomain, 0, PR_CONNREQUIRED|PR_WANTRCVD|PR_RIGHTS, - 0, 0, 0, 0, + 0, 0, 0, &uipc_ctloutput, 0, 0, 0, 0, 0, &uipc_usrreqs Index: sys/kern/uipc_usrreq.c =================================================================== RCS file: /stl/src/FreeBSD/src/sys/kern/uipc_usrreq.c,v retrieving revision 1.66 diff -u -r1.66 uipc_usrreq.c --- sys/kern/uipc_usrreq.c 2001/05/25 16:59:07 1.66 +++ sys/kern/uipc_usrreq.c 2001/07/15 11:21:14 @@ -91,6 +91,7 @@ static void unp_mark __P((struct file *)); static void unp_discard __P((struct file *)); static int unp_internalize __P((struct mbuf *, struct proc *)); +static int unp_listen __P((struct unpcb *, struct proc *)); static int uipc_abort(struct socket *so) @@ -199,7 +200,7 @@ if (unp == 0 || unp->unp_vnode == 0) return EINVAL; - return 0; + return unp_listen(unp, p); } static int @@ -434,6 +435,41 @@ uipc_send, uipc_sense, uipc_shutdown, uipc_sockaddr, sosend, soreceive, sopoll }; + +int +uipc_ctloutput(so, sopt) + struct socket *so; + struct sockopt *sopt; +{ + struct unpcb *unp = sotounpcb(so); + int error; + + switch (sopt->sopt_dir) { + case SOPT_GET: + switch (sopt->sopt_name) { + case LOCAL_PEERCRED: + if (unp->unp_flags & UNP_HAVEPC) + error = sooptcopyout(sopt, &unp->unp_peercred, + sizeof(unp->unp_peercred)); + else { + if (so->so_type == SOCK_STREAM) + error = ENOTCONN; + else + error = EINVAL; + } + break; + default: + error = EOPNOTSUPP; + break; + } + break; + case SOPT_SET: + default: + error = EOPNOTSUPP; + break; + } + return (error); +} /* * Both send and receive buffers are allocated PIPSIZ bytes of buffering @@ -609,7 +645,7 @@ register struct sockaddr_un *soun = (struct sockaddr_un *)nam; register struct vnode *vp; register struct socket *so2, *so3; - struct unpcb *unp2, *unp3; + struct unpcb *unp, *unp2, *unp3; int error, len; struct nameidata nd; char buf[SOCK_MAXADDRLEN]; @@ -648,12 +684,40 @@ error = ECONNREFUSED; goto bad; } + unp = sotounpcb(so); unp2 = sotounpcb(so2); unp3 = sotounpcb(so3); if (unp2->unp_addr) unp3->unp_addr = (struct sockaddr_un *) dup_sockaddr((struct sockaddr *) unp2->unp_addr, 1); + + /* + * unp_peercred management: + * + * The connecter's (client's) credentials are copied + * from its process structure at the time of connect() + * (which is now). + */ + memset(&unp3->unp_peercred, '\0', sizeof(unp3->unp_peercred)); + unp3->unp_peercred.cr_uid = p->p_ucred->cr_uid; + unp3->unp_peercred.cr_ngroups = p->p_ucred->cr_ngroups; + memcpy(unp3->unp_peercred.cr_groups, p->p_ucred->cr_groups, + sizeof(unp3->unp_peercred.cr_groups)); + unp3->unp_flags |= UNP_HAVEPC; + /* + * The receiver's (server's) credentials are copied + * from the unp_peercred member of socket on which the + * former called listen(); unp_listen() cached that + * process's credentials at that time so we can use + * them now. + */ + KASSERT(unp2->unp_flags & UNP_HAVEPCCACHED, + ("unp_connect: listener without cached peercred")); + memcpy(&unp->unp_peercred, &unp2->unp_peercred, + sizeof(unp->unp_peercred)); + unp->unp_flags |= UNP_HAVEPC; + so2 = so3; } error = unp_connect2(so, so2); @@ -1242,6 +1306,21 @@ if (m) unp_scan(m, unp_discard); +} + +static int +unp_listen(unp, p) + struct unpcb *unp; + struct proc *p; +{ + + bzero(&unp->unp_peercred, sizeof(unp->unp_peercred)); + unp->unp_peercred.cr_uid = p->p_ucred->cr_uid; + unp->unp_peercred.cr_ngroups = p->p_ucred->cr_ngroups; + bcopy(p->p_ucred->cr_groups, unp->unp_peercred.cr_groups, + sizeof(unp->unp_peercred.cr_groups)); + unp->unp_flags |= UNP_HAVEPCCACHED; + return (0); } static void Index: share/man/man4/unix.4 =================================================================== RCS file: /stl/src/FreeBSD/src/share/man/man4/unix.4,v retrieving revision 1.4 diff -u -r1.4 unix.4 --- share/man/man4/unix.4 2001/07/14 19:40:48 1.4 +++ share/man/man4/unix.4 2001/07/15 11:21:14 @@ -32,7 +32,7 @@ .\" @(#)unix.4 8.1 (Berkeley) 6/9/93 .\" $FreeBSD: src/share/man/man4/unix.4,v 1.4 2001/07/14 19:40:48 schweikh Exp $ .\" -.Dd June 9, 1993 +.Dd July 15, 2001 .Dt UNIX 4 .Os .Sh NAME @@ -147,6 +147,35 @@ Descriptors that are awaiting delivery, or that are purposely not received, are automatically closed by the system when the destination socket is closed. +.Pp +The effective credentials (i.e., the user ID and group list) the of a +peer on a +.Dv SOCK_STREAM +socket may be obtained using the +.Dv LOCAL_PEERCRED +socket option. +This may be used by a server to obtain and verify the credentials of +its client, and vice versa by the client to verify the credentials +of the server. +These will arrive in the form of a filled in +.Ar struct xucred +(defined in +.Pa sys/ucred.h ) . +The credentials presented to the server (the +.Xr listen 2 +caller) are those of the client when it called +.Xr connect 2 ; +the credentials presented to the client (the +.Xr connect 2 +caller) are those of the server when it called +.Xr listen 2 . +This mechanism is reliable; there is no way for either party to influence +the credentials presented to its peer except by calling the appropriate +system call (e.g., +.Xr connect 2 +or +.Xr listen 2 ) +under different effective credentials. .Sh SEE ALSO .Xr socket 2 , .Xr intro 4 # This is a shell archive. Save it in a file, remove anything before # this line, and then unpack it by entering "sh file". Note, it may # create directories; files and directories will be owned by you and # have default permissions. # # This archive contains: # # getpeereid.3 # getpeereid.c # echo x - getpeereid.3 sed 's/^X//' >getpeereid.3 << 'END-of-getpeereid.3' X.\" X.\" Copyright (c) 2001 Dima Dorfman. X.\" All rights reserved. X.\" X.\" Redistribution and use in source and binary forms, with or without X.\" modification, are permitted provided that the following conditions X.\" are met: X.\" 1. Redistributions of source code must retain the above copyright X.\" notice, this list of conditions and the following disclaimer. X.\" 2. Redistributions in binary form must reproduce the above copyright X.\" notice, this list of conditions and the following disclaimer in the X.\" documentation and/or other materials provided with the distribution. X.\" X.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND X.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE X.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE X.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE X.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL X.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS X.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) X.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT X.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY X.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF X.\" SUCH DAMAGE. X.\" X.\" $FreeBSD$ X.\" X.Dd July 15, 2001 X.Dt GETPEEREID 3 X.Os X.Sh NAME X.Nm getpeereid , X.Nd get the effective credentials of a UNIX-domain peer X.Sh LIBRARY X.Lb libc X.Sh SYNOPSIS X.Fd #include X.Fd #include X.Ft int X.Fn getpeereid "int s" "uid_t *euid" "gid_t *egid" X.Sh DESCRIPTION XThe X.Fn getpeereid Xroutine returns the effective user and group IDs of the Xpeer connected to a UNIX-domain socket. XThe argument X.Fa s Xmust be a UNIX-domain socket X.Pq Xr unix 4 Xof type X.Dv SOCK_STREAM Xon which either X.Xr connect 2 Xor X.Xr listen 2 Xhave been called. XThe effective used ID is placed in X.Fa euid , Xand the effective group ID in X.Fa egid . X.Pp XThe credentials returned to the X.Xr listen 2 Xcaller are those of its peer at the time it called X.Xr connect 2 ; Xthe credentials returned to the X.Xr connect 2 Xcaller are those of its peer at the time it called X.Xr listen 2 . XThis mechanism is reliable; there is no way for either side to influence Xthe credentials returned to its peer except by calling the appropriate Xsystem call (i.e., either X.Xr connect 2 Xor X.Xr listen 2 ) Xunder different effective credentials. X.Pp XOne common use of this routine is for a UNIX-domain server Xto verify the credentials of its client. XLikewise, the client can verify the credentials of the server. X.Sh IMPLEMENTATION NOTES XOn X.Fx , X.Fn getpeereid Xis implemented in terms of the X.Dv LOCAL_PEERCRED X.Xr unix 4 Xsocket option. X.Sh RETURN VALUES XIf the call succeeds, a value of 0 is returned and X.Fa euid Xand X.Fa egid Xcontain the effective user and group IDs of the peer on X.Fa s , Xrespectively. XIf the call fails, a value of \-1 is returned and X.Va errno Xis set to indicate the error. X.Sh ERRORS XThe call succeeds unless: X.Bl -tag -width Er X.It Bq Er EBADF XThe argument X.Fa s Xis not a valid descriptor. X.It Bq Er ENOTSOCK XThe argument X.Fa s Xis a file, not a socket. X.It Bq Er ENOTCONN XThe argument X.Fa s Xdoes not refer to a socket on which X.Xr connect 2 Xor X.Xr listen 2 Xhave been called. X.It Bq Er EINVAL XThe argument X.Fa s Xdoes not refer to a socket of type X.Dv SOCK_STREAM . X.El X.Sh SEE ALSO X.Xr connect 2 , X.Xr getpeername 2 , X.Xr getsockname 2 , X.Xr getsockopt 2 , X.Xr listen 2 , X.Xr unix 4 X.Sh HISTORY XThe X.Fn getpeereid Xroutine appeared in X.Fx 5.0 . END-of-getpeereid.3 echo x - getpeereid.c sed 's/^X//' >getpeereid.c << 'END-of-getpeereid.c' X/* X * Copyright (c) 2001 Dima Dorfman. X * All rights reserved. X * X * Redistribution and use in source and binary forms, with or without X * modification, are permitted provided that the following conditions X * are met: X * 1. Redistributions of source code must retain the above copyright X * notice, this list of conditions and the following disclaimer. X * 2. Redistributions in binary form must reproduce the above copyright X * notice, this list of conditions and the following disclaimer in the X * documentation and/or other materials provided with the distribution. X * X * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND X * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE X * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE X * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE X * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL X * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS X * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) X * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT X * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY X * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF X * SUCH DAMAGE. X */ X X#if defined(LIBC_RCS) && !defined(lint) Xstatic const char rcsid[] = X "$FreeBSD$"; X#endif /* LIBC_RCS and not lint */ X X#include X#include X#include X#include X X#include X Xint Xgetpeereid(int s, uid_t *euid, gid_t *egid) X{ X struct xucred xuc; X socklen_t xuclen; X int error; X X xuclen = sizeof(xuc); X error = getsockopt(s, LOCAL_PEERCRED, 1, &xuc, &xuclen); X if (error != 0) X return (error); X *euid = xuc.cr_uid; X *egid = xuc.cr_gid; X return (0); X} END-of-getpeereid.c exit To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Tue Jul 31 9: 6:59 2001 Delivered-To: freebsd-audit@freebsd.org Received: from coffee.q9media.com (coffee.q9media.com [216.94.229.19]) by hub.freebsd.org (Postfix) with ESMTP id 447B137B405; Tue, 31 Jul 2001 09:06:52 -0700 (PDT) (envelope-from mike@coffee.q9media.com) Received: (from mike@localhost) by coffee.q9media.com (8.11.2/8.11.2) id f6VGPdE94726; Tue, 31 Jul 2001 12:25:39 -0400 (EDT) (envelope-from mike) Date: Tue, 31 Jul 2001 12:25:39 -0400 From: Mike Barcroft To: Yar Tikhiy Cc: audit@FreeBSD.ORG Subject: Re: finger(1) & fingerd(8) Message-ID: <20010731122539.A93248@coffee.q9media.com> References: <20010728155159.A35483@snark.rinet.ru> <20010728144554.C86837@coffee.q9media.com> <20010730212257.C26476@comp.chem.msu.su> <20010730144542.A92125@coffee.q9media.com> <20010731144344.B30628@comp.chem.msu.su> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010731144344.B30628@comp.chem.msu.su>; from yar@FreeBSD.ORG on Tue, Jul 31, 2001 at 02:43:45PM +0400 Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Tue, Jul 31, 2001 at 02:43:45PM +0400, Yar Tikhiy wrote: > On Mon, Jul 30, 2001 at 02:45:42PM -0400, Mike Barcroft wrote: > > CAVEAT > > Access() is a potential security hole and should never be used. > > IMHO this caveat is akin to a memorable quote from an article on > the Daemon News: "One of the differences between FreeBSD and NetBSD > is that the former needs quoting parameter values in rc.conf, and > the latter need not". I mean they both push people along the easiest, > but thoughtless route. > > The actual problem about access(2) is not in programmer's unawareness > of races, but in the syscall's design itself. It was intended to > be a way to check a file against real user credentials instead of > effective ones. And it turned out a Really Bad Way of doing that. > > Ugh, what I did was convinced myself that access(2) shouldn't be > used, but the argument was not security, but the risk of getting > access(2) obsolete one day, as it already happened to creat(2) :-) If a programmer uses access(2) without full knowledge of how it works, the fact that it uses the real user ID instead of the effective user ID can also be a big problem. But this reflects a more general concern with secure programming and isn't specific to this API. > > > Second, open(2) can't be used as a drop-in replacement for access(.., > > > F_OK) here because it can't tell permission errors on a directory from > > > those on a file itself. IMHO stat(2) should be used here if the > > > historical behaviour of finger(1) is to be preserved. > > > > I'm afraid I don't understand what you mean. How does > > access(buf, F_OK) differ from open(buf, O_RDONLY) in terms of > > permissions in this case? From the access(2) man page: > > > > All components of the pathname path are checked for access > > permissions (including F_OK). > > Don't believe newspapers and manpages blindly ;-) Access(..., F_OK) > returns 0 if a file can be seen, but can't be read. One should be able to trust man pages. If the manual isn't factually correct, that's a bug. In this case the manual is incorrect. I now agree that stat(2) is the correct replacement interface. Best regards, Mike Barcroft To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Fri Aug 3 18:18:23 2001 Delivered-To: freebsd-audit@freebsd.org Received: from coffee.q9media.com (coffee.q9media.com [216.94.229.19]) by hub.freebsd.org (Postfix) with ESMTP id 8A71A37B407 for ; Fri, 3 Aug 2001 18:18:17 -0700 (PDT) (envelope-from mike@coffee.q9media.com) Received: (from mike@localhost) by coffee.q9media.com (8.11.2/8.11.2) id f741bj104402; Fri, 3 Aug 2001 21:37:45 -0400 (EDT) (envelope-from mike) Date: Fri, 3 Aug 2001 21:37:45 -0400 From: Mike Barcroft To: audit@FreeBSD.org Cc: Bruce Evans Subject: cmp(1) warns patch Message-ID: <20010803213745.A4390@coffee.q9media.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG I'd appreciate comments on the following patch. If there are no objections, I'd like to commit this shortly. Best regards, Mike Barcroft ---------------------------------------------------------------------- cmp.20010803.patch o Constify o Fix some compile-time warnings. o Set WARNS?=2 Index: cmp/Makefile =================================================================== RCS file: /home/ncvs/src/usr.bin/cmp/Makefile,v retrieving revision 1.2 diff -u -r1.2 Makefile --- cmp/Makefile 1998/12/06 22:58:15 1.2 +++ cmp/Makefile 2001/08/04 01:02:33 @@ -1,7 +1,7 @@ # @(#)Makefile 8.1 (Berkeley) 6/6/93 PROG= cmp -CFLAGS+=-Wall SRCS= cmp.c misc.c regular.c special.c +WARNS?= 2 .include Index: cmp/cmp.c =================================================================== RCS file: /home/ncvs/src/usr.bin/cmp/cmp.c,v retrieving revision 1.9 diff -u -r1.9 cmp.c --- cmp/cmp.c 2000/07/25 13:01:34 1.9 +++ cmp/cmp.c 2001/08/04 01:02:33 @@ -68,7 +68,7 @@ struct stat sb1, sb2; off_t skip1, skip2; int ch, fd1, fd2, special; - char *file1, *file2; + const char *file1, *file2; while ((ch = getopt(argc, argv, "-lsxz")) != -1) switch (ch) { Index: cmp/extern.h =================================================================== RCS file: /home/ncvs/src/usr.bin/cmp/extern.h,v retrieving revision 1.2 diff -u -r1.2 extern.h --- cmp/extern.h 2000/05/15 08:30:43 1.2 +++ cmp/extern.h 2001/08/04 01:02:33 @@ -40,9 +40,10 @@ #define DIFF_EXIT 1 #define ERR_EXIT 2 /* error exit code */ -void c_regular __P((int, char *, off_t, off_t, int, char *, off_t, off_t)); -void c_special __P((int, char *, off_t, int, char *, off_t)); -void diffmsg __P((char *, char *, off_t, off_t)); -void eofmsg __P((char *)); +void c_regular __P((int, const char *, off_t, off_t, int, const char *, + off_t, off_t)); +void c_special __P((int, const char *, off_t, int, const char *, off_t)); +void diffmsg __P((const char *, const char *, off_t, off_t)); +void eofmsg __P((const char *)); extern int lflag, sflag, xflag; Index: cmp/misc.c =================================================================== RCS file: /home/ncvs/src/usr.bin/cmp/misc.c,v retrieving revision 1.2 diff -u -r1.2 misc.c --- cmp/misc.c 1998/12/06 22:58:15 1.2 +++ cmp/misc.c 2001/08/04 01:02:33 @@ -45,7 +45,7 @@ void eofmsg(file) - char *file; + const char *file; { if (!sflag) warnx("EOF on %s", file); @@ -54,11 +54,11 @@ void diffmsg(file1, file2, byte, line) - char *file1, *file2; + const char *file1, *file2; off_t byte, line; { if (!sflag) - (void)printf("%s %s differ: char %qd, line %qd\n", - file1, file2, byte, line); + (void)printf("%s %s differ: char %lld, line %lld\n", + file1, file2, (long long)byte, (long long)line); exit(DIFF_EXIT); } Index: cmp/regular.c =================================================================== RCS file: /home/ncvs/src/usr.bin/cmp/regular.c,v retrieving revision 1.10 diff -u -r1.10 regular.c --- cmp/regular.c 2000/06/20 20:28:40 1.10 +++ cmp/regular.c 2001/08/04 01:02:33 @@ -56,7 +56,7 @@ void c_regular(fd1, file1, skip1, len1, fd2, file2, skip2, len2) int fd1, fd2; - char *file1, *file2; + const char *file1, *file2; off_t skip1, len1, skip2, len2; { u_char ch, *p1, *p2; @@ -81,7 +81,7 @@ off2 = ROUNDPAGE(skip2); length = MIN(len1, len2); - if (length > SIZE_T_MAX) + if (length > (off_t)SIZE_T_MAX) return (c_special(fd1, file1, skip1, fd2, file2, skip2)); if ((p1 = (u_char *)mmap(NULL, (size_t)len1 + skip1 % pagesize, @@ -101,10 +101,12 @@ if ((ch = *p1) != *p2) { if (xflag) { dfound = 1; - (void)printf("%08qx %02x %02x\n", byte - 1, ch, *p2); + (void)printf("%08llx %02x %02x\n", + (long long)(byte - 1), ch, *p2); } else if (lflag) { dfound = 1; - (void)printf("%6qd %3o %3o\n", byte, ch, *p2); + (void)printf("%6lld %3o %3o\n", (long long)byte, + ch, *p2); } else diffmsg(file1, file2, byte, line); /* NOTREACHED */ Index: cmp/special.c =================================================================== RCS file: /home/ncvs/src/usr.bin/cmp/special.c,v retrieving revision 1.4 diff -u -r1.4 special.c --- cmp/special.c 1999/04/25 22:37:57 1.4 +++ cmp/special.c 2001/08/04 01:02:33 @@ -47,7 +47,7 @@ void c_special(fd1, file1, skip1, fd2, file2, skip2) int fd1, fd2; - char *file1, *file2; + const char *file1, *file2; off_t skip1, skip2; { int ch1, ch2; @@ -76,7 +76,8 @@ if (ch1 != ch2) { if (lflag) { dfound = 1; - (void)printf("%6qd %3o %3o\n", byte, ch1, ch2); + (void)printf("%6lld %3o %3o\n", + (long long)byte, ch1, ch2); } else { diffmsg(file1, file2, byte, line); /* NOTREACHED */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Fri Aug 3 18:42:15 2001 Delivered-To: freebsd-audit@freebsd.org Received: from iatl0x01.coxmail.com (iatl0x02.coxmail.com [206.157.225.11]) by hub.freebsd.org (Postfix) with ESMTP id 8FAAC37B407; Fri, 3 Aug 2001 18:42:12 -0700 (PDT) (envelope-from mheffner@novacoxmail.com) Received: from enterprise.muriel.penguinpowered.com ([209.249.161.66]) by iatl0x01.coxmail.com (InterMail vK.4.03.02.00 201-232-124 license eaa2928f5bcba31507d4d280f1027278) with ESMTP id <20010804014211.TXMK28640.iatl0x01@enterprise.muriel.penguinpowered.com>; Fri, 3 Aug 2001 21:42:11 -0400 Message-ID: X-Mailer: XFMail 1.5.0 on FreeBSD X-Priority: 3 (Normal) MIME-Version: 1.0 Content-Type: multipart/signed; boundary="_=XFMail.1.5.0.FreeBSD:20010803213959:283=_"; micalg=pgp-md5; protocol="application/pgp-signature" In-Reply-To: <20010803213745.A4390@coffee.q9media.com> Date: Fri, 03 Aug 2001 21:39:59 -0400 (EDT) Reply-To: Mike Heffner From: Mike Heffner To: Mike Barcroft Subject: RE: cmp(1) warns patch Cc: Bruce Evans , audit@FreeBSD.org Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG This message is in MIME format --_=XFMail.1.5.0.FreeBSD:20010803213959:283=_ Content-Type: text/plain; charset=us-ascii On 04-Aug-2001 Mike Barcroft wrote: | | I'd appreciate comments on the following patch. If there are no | objections, I'd like to commit this shortly. Please see the thread: http://docs.freebsd.org/cgi/getmsg.cgi?fetch=2654+0+archive/2001/freebsd-audit/2 0010603.freebsd-audit I'm still sorta waiting to here back from Bruce, but I also haven't gotten around to looking at it again either. Mike -- Mike Heffner Fredericksburg, VA --_=XFMail.1.5.0.FreeBSD:20010803213959:283=_ Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7a1JuFokZQs3sv5kRAoQlAJ4w5hvWTyhDAQOOsJg6mhotB4lF5QCfaCjF ePcvjYPSnho6PzrJSwY4qD0= =9xpX -----END PGP SIGNATURE----- --_=XFMail.1.5.0.FreeBSD:20010803213959:283=_-- End of MIME message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Fri Aug 3 19:35: 0 2001 Delivered-To: freebsd-audit@freebsd.org Received: from coffee.q9media.com (coffee.q9media.com [216.94.229.19]) by hub.freebsd.org (Postfix) with ESMTP id 44DFC37B405 for ; Fri, 3 Aug 2001 19:34:57 -0700 (PDT) (envelope-from mike@coffee.q9media.com) Received: (from mike@localhost) by coffee.q9media.com (8.11.2/8.11.2) id f742sNx04534; Fri, 3 Aug 2001 22:54:23 -0400 (EDT) (envelope-from mike) Date: Fri, 3 Aug 2001 22:54:23 -0400 From: Mike Barcroft To: Mike Heffner Cc: Bruce Evans , audit@FreeBSD.org Subject: Re: cmp(1) warns patch Message-ID: <20010803225423.A4519@coffee.q9media.com> References: <20010803213745.A4390@coffee.q9media.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from mheffner@novacoxmail.com on Fri, Aug 03, 2001 at 09:39:59PM -0400 Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Fri, Aug 03, 2001 at 09:39:59PM -0400, Mike Heffner wrote: > I'm still sorta waiting to here back from Bruce, but I also haven't gotten > around to looking at it again either. Oops, I assumed that was already committed. Let me know when you've committed your change and I'll re-do my patch. Sorry about that. Best regards, Mike Barcroft To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Fri Aug 3 19:45:21 2001 Delivered-To: freebsd-audit@freebsd.org Received: from coffee.q9media.com (coffee.q9media.com [216.94.229.19]) by hub.freebsd.org (Postfix) with ESMTP id 3DF3A37B403 for ; Fri, 3 Aug 2001 19:45:17 -0700 (PDT) (envelope-from mike@coffee.q9media.com) Received: (from mike@localhost) by coffee.q9media.com (8.11.2/8.11.2) id f7434ll04571 for audit@FreeBSD.org; Fri, 3 Aug 2001 23:04:47 -0400 (EDT) (envelope-from mike) Date: Fri, 3 Aug 2001 23:04:47 -0400 From: Mike Barcroft To: audit@FreeBSD.org Subject: lam(1) warns patch Message-ID: <20010803230447.A4563@coffee.q9media.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG I'd appreciate comments on the following patch. If there are no objections, I'd like to commit this shortly. Best regards, Mike Barcroft ---------------------------------------------------------------------- lam.20010803.patch o Constify, staticize, set WARNS?=2. Index: lam/Makefile =================================================================== RCS file: /home/ncvs/src/usr.bin/lam/Makefile,v retrieving revision 1.1.1.1 diff -u -r1.1.1.1 Makefile --- lam/Makefile 1994/05/27 12:31:55 1.1.1.1 +++ lam/Makefile 2001/08/04 02:14:26 @@ -1,5 +1,7 @@ # @(#)Makefile 8.1 (Berkeley) 6/6/93 +# $FreeBSD$ PROG= lam +WARNS?= 2 .include Index: lam/lam.c =================================================================== RCS file: /home/ncvs/src/usr.bin/lam/lam.c,v retrieving revision 1.7 diff -u -r1.7 lam.c --- lam/lam.c 2001/02/08 20:15:59 1.7 +++ lam/lam.c 2001/08/04 02:14:26 @@ -64,8 +64,8 @@ short eof; /* eof flag */ short pad; /* pad flag for missing columns */ char eol; /* end of line character */ - char *sepstring; /* string to print before each line */ - char *format; /* printf(3) style string spec. */ + const char *sepstring; /* string to print before each line */ + const char *format; /* printf(3) style string spec. */ } input[MAXOFILES]; int morefiles; /* set by getargs(), changed by gatherline() */ @@ -73,13 +73,13 @@ char line[BIGBUFSIZ]; char *linep; -char *gatherline(struct openfile *); -void getargs(char *[]); -char *pad(struct openfile *); +static char *gatherline(struct openfile *); +static void getargs(char *[]); +static char *pad(struct openfile *); static void usage(void); int -main(int argc, char *argv[]) +main(int argc __unused, char *argv[]) { struct openfile *ip; @@ -99,7 +99,7 @@ } } -void +static void getargs(char *av[]) { struct openfile *ip = input; @@ -176,7 +176,7 @@ ip->sepstring = ""; } -char * +static char * pad(struct openfile *ip) { char *lp = linep; @@ -190,7 +190,7 @@ return (lp); } -char * +static char * gatherline(struct openfile *ip) { char s[BUFSIZ]; To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Fri Aug 3 20: 2:28 2001 Delivered-To: freebsd-audit@freebsd.org Received: from mailman.zeta.org.au (mailman.zeta.org.au [203.26.10.16]) by hub.freebsd.org (Postfix) with ESMTP id 54DC537B401; Fri, 3 Aug 2001 20:02:25 -0700 (PDT) (envelope-from bde@zeta.org.au) Received: from bde.zeta.org.au (bde.zeta.org.au [203.2.228.102]) by mailman.zeta.org.au (8.9.3/8.8.7) with ESMTP id NAA20490; Sat, 4 Aug 2001 13:02:23 +1000 Date: Sat, 4 Aug 2001 12:59:56 +1000 (EST) From: Bruce Evans X-X-Sender: To: Mike Barcroft Cc: Subject: Re: cmp(1) warns patch In-Reply-To: <20010803213745.A4390@coffee.q9media.com> Message-ID: <20010804124551.S16377-100000@besplex.bde.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Fri, 3 Aug 2001, Mike Barcroft wrote: > I'd appreciate comments on the following patch. If there are no > objections, I'd like to commit this shortly. > ... > Index: cmp/regular.c > =================================================================== > RCS file: /home/ncvs/src/usr.bin/cmp/regular.c,v > retrieving revision 1.10 > diff -u -r1.10 regular.c > --- cmp/regular.c 2000/06/20 20:28:40 1.10 > +++ cmp/regular.c 2001/08/04 01:02:33 > ... > @@ -81,7 +81,7 @@ > off2 = ROUNDPAGE(skip2); > > length = MIN(len1, len2); > - if (length > SIZE_T_MAX) > + if (length > (off_t)SIZE_T_MAX) This is broken on many machines, including alphas. On alphas, (off_t)SIZE_MAX overflows to -1, so `length' is always larger and the pessimized cspecial() method is always used. Casting the left hand size to the type of the right hand side would be even more broken. Without any casts, `length' and SIZE_T_MAX were promoted to a common type and there was no problem unless length < 0 (which can't happen). > return (c_special(fd1, file1, skip1, fd2, file2, skip2)); > > if ((p1 = (u_char *)mmap(NULL, (size_t)len1 + skip1 % pagesize, Bruce To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Sat Aug 4 11:25:12 2001 Delivered-To: freebsd-audit@freebsd.org Received: from coffee.q9media.com (coffee.q9media.com [216.94.229.19]) by hub.freebsd.org (Postfix) with ESMTP id 737FD37B401 for ; Sat, 4 Aug 2001 11:25:07 -0700 (PDT) (envelope-from mike@coffee.q9media.com) Received: (from mike@localhost) by coffee.q9media.com (8.11.2/8.11.2) id f74IidR08172; Sat, 4 Aug 2001 14:44:39 -0400 (EDT) (envelope-from mike) Date: Sat, 4 Aug 2001 14:44:39 -0400 From: Mike Barcroft To: Bruce Evans Cc: audit@FreeBSD.org Subject: Re: cmp(1) warns patch Message-ID: <20010804144439.A8069@coffee.q9media.com> References: <20010803213745.A4390@coffee.q9media.com> <20010804124551.S16377-100000@besplex.bde.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010804124551.S16377-100000@besplex.bde.org>; from bde@zeta.org.au on Sat, Aug 04, 2001 at 12:59:56PM +1000 Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Sat, Aug 04, 2001 at 12:59:56PM +1000, Bruce Evans wrote: > On Fri, 3 Aug 2001, Mike Barcroft wrote: > > ... > > Index: cmp/regular.c > > =================================================================== > > RCS file: /home/ncvs/src/usr.bin/cmp/regular.c,v > > retrieving revision 1.10 > > diff -u -r1.10 regular.c > > --- cmp/regular.c 2000/06/20 20:28:40 1.10 > > +++ cmp/regular.c 2001/08/04 01:02:33 > > ... > > @@ -81,7 +81,7 @@ > > off2 = ROUNDPAGE(skip2); > > > > length = MIN(len1, len2); > > - if (length > SIZE_T_MAX) > > + if (length > (off_t)SIZE_T_MAX) > > This is broken on many machines, including alphas. On alphas, > (off_t)SIZE_MAX overflows to -1, so `length' is always larger and the > pessimized cspecial() method is always used. > > Casting the left hand size to the type of the right hand side would be > even more broken. > > Without any casts, `length' and SIZE_T_MAX were promoted to a common > type and there was no problem unless length < 0 (which can't happen). I guess I should have looked at the types a little more closely. Do you have any suggestions for overcoming the comparison between signed and unsigned warning on alpha? Best regards, Mike Barcroft To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Sat Aug 4 14:29:15 2001 Delivered-To: freebsd-audit@freebsd.org Received: from arb.arb.za.net (arb.arb.za.net [196.7.148.4]) by hub.freebsd.org (Postfix) with ESMTP id CB0CE37B427 for ; Sat, 4 Aug 2001 14:29:07 -0700 (PDT) (envelope-from mark@grondar.za) Received: (from uucp@localhost) by arb.arb.za.net (8.11.3/8.11.3) with UUCP id f74LT6V42981 for audit@freebsd.org; Sat, 4 Aug 2001 23:29:06 +0200 (SAST) (envelope-from mark@grondar.za) Received: from grondar.za (mark@localhost [127.0.0.1]) by grimreaper.grondar.za (8.11.4/8.11.4) with ESMTP id f74LFEr17192 for ; Sat, 4 Aug 2001 22:15:14 +0100 (BST) (envelope-from mark@grondar.za) Message-Id: <200108042115.f74LFEr17192@grimreaper.grondar.za> To: audit@freebsd.org Subject: [Patch] Telnet cleanup Date: Sat, 04 Aug 2001 22:15:13 +0100 From: Mark Murray Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Hi all I have gone through our telnets (we have 2 distinct source code sets), and I have attempted to reconcile the relevant differences between the two. "Base" telnet is (or rather, should be) derived by using unifdef(1) to remove the crypto bits from the telnet sources in src/crypto/telnet/. Over time, the two have diverged. "Base" telnet has received the most attention. The telnet in src/crypto/telnet is a later version of the telnet sources, and I have reintegrated some of its (later) features into the "base" telnet. I have tried to reduce as many differences as possible (obviously the #ifdef'ed crypto stuff needs to stay). I'd like to get it such that the base telnet is only ever updated by a script that builds it by unifdef(1)ing the crypto version. That way we can avoid the current divergent sources problem. It will also provide a single place to commit telnet updates instead of having to remember to duplicate effort. There are two diffs for your review; diff.cvs.gz is the commit- candidate diff, relative to CURRENT, and diff.2_vers.gz is the resultant diff between the 2 telnets. Both diffs can be found in http://people.freebsd.org/~markm/patches/. This does not fully achieve the unifdef(1) ideal, but I believe it is in the right direction for further work. Comments please? :-) M -- Mark Murray Warning: this .sig is umop ap!sdn To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message