Date: Sun, 9 Apr 2000 15:29:32 +0200 (CEST)
From: sam@ada.eu.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/17878: Jail user can change priority of outside processes
Message-ID: <20000409132932.A609E3D9@antinea.enst.fr>
>Number: 17878
>Category: kern
>Synopsis: Jail user can change priority of outside processes
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Apr 9 06:40:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Samuel Tardieu
>Release: FreeBSD 5.0-CURRENT i386
>Organization:
TELECOM Paris
>Environment:
Any jail will do.
>Description:
A user (such as root) in a jail is able to use setpriority() (e.g.,
through the renice command) to lower the priority level (increase
the nice value) of a process which lives outside.
>How-To-Repeat:
From within the jail, try
# renice 5 PID
where PID is a regular process which lives out of the jail (and thus
cannot be seen using ps from within the jail).
>Fix:
The following patch should correct this. However, I wonder if
functions such as pfind() should not take another argument which
would be the curproc value when applicable. It would require changing
all the pfind() calls in the kernel, but would add extra
security. Of course, process iterators would still have to be
modified to honor the jail.
Also, note that real-time priorities may suffer from the same problem.
--- kern_resource.c.orig Sun Apr 9 12:06:38 2000
+++ kern_resource.c Sun Apr 9 12:31:53 2000
@@ -86,7 +86,7 @@
p = curp;
else
p = pfind(uap->who);
- if (p == 0)
+ if (p == 0 || !PRISON_CHECK(curp, p))
break;
low = p->p_nice;
break;
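Review bot: The test `p == 0 || !PRISON_CHECK(curp, p)` placed right after pfind(uap->who) is repeated verbatim in two later hunks (the second PRIO_PROCESS case and the uap->pid lookup), so a future pfind() caller can easily omit it. Consider a small wrapper that does the lookup and the prison check together and returns NULL on either failure, which is a narrower form of the pfind() change proposed in the Fix text. Also prefer `p == NULL` over `p == 0` for the pointer comparison, as the pgfind() line in the next hunk already does.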
@@ -98,6 +98,8 @@
pg = curp->p_pgrp;
else if ((pg = pgfind(uap->who)) == NULL)
break;
+ if (!PRISON_CHECK(curp, LIST_FIRST(&pg->pg_members)))
+ break;
LIST_FOREACH(p, &pg->pg_members, p_pglist) {
if (p->p_nice < low)
low = p->p_nice;
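Review bot: The added PRISON_CHECK before the LIST_FOREACH tests only LIST_FIRST(&pg->pg_members), so the decision for the whole group rests on its first member, and LIST_FIRST yields NULL if the member list is empty. Moving the check inside the loop, as the PRIO_USER hunk does per process, removes both assumptions: `if (PRISON_CHECK(curp, p) && p->p_nice < low)`. If every member of a process group is guaranteed to share one prison, add a comment stating that invariant here.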
@@ -110,7 +112,8 @@
uap->who = curp->p_ucred->cr_uid;
LIST_FOREACH(p, &allproc, p_list)
if (p->p_ucred->cr_uid == uap->who &&
- p->p_nice < low)
+ p->p_nice < low &&
+ PRISON_CHECK(curp, p))
low = p->p_nice;
break;
@@ -146,7 +149,7 @@
p = curp;
else
p = pfind(uap->who);
- if (p == 0)
+ if (p == 0 || !PRISON_CHECK(curp, p))
break;
error = donice(curp, p, uap->prio);
found++;
@@ -159,6 +162,8 @@
pg = curp->p_pgrp;
else if ((pg = pgfind(uap->who)) == NULL)
break;
+ if (!PRISON_CHECK(curp, LIST_FIRST(&pg->pg_members)))
+ break;
LIST_FOREACH(p, &pg->pg_members, p_pglist) {
error = donice(curp, p, uap->prio);
found++;
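Review bot: The check on LIST_FIRST(&pg->pg_members) covers only the first member, while the loop that follows calls donice() on every member, so a member in a different prison than the first one would still be reniced. Check each p inside the LIST_FOREACH, before donice() and before found++, so that skipped processes are neither modified nor counted as found.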
@@ -170,7 +175,8 @@
if (uap->who == 0)
uap->who = curp->p_ucred->cr_uid;
LIST_FOREACH(p, &allproc, p_list)
- if (p->p_ucred->cr_uid == uap->who) {
+ if (p->p_ucred->cr_uid == uap->who &&
+ PRISON_CHECK(curp, p)) {
error = donice(curp, p, uap->prio);
found++;
}
@@ -239,7 +245,7 @@
else
p = pfind(uap->pid);
- if (p == 0)
+ if (p == 0 || !PRISON_CHECK(curp, p))
return (ESRCH);
switch (uap->function) {
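Review bot: The Fix text says real-time priorities "may suffer from the same problem", yet this last hunk, with its uap->pid lookup and uap->function switch, looks like it already patches that path. State in the description which syscalls the patch covers, so that it is clear whether the real-time case is still open. Returning ESRCH when PRISON_CHECK fails is a good choice, since the caller gets the same answer as for a PID that does not exist.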
>Release-Note:
>Audit-Trail:
>Unformatted:
