From owner-freebsd-arch Fri Sep 13 5:37:25 2002 Delivered-To: freebsd-arch@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 752AC37B400; Fri, 13 Sep 2002 05:37:21 -0700 (PDT) Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4941743E65; Fri, 13 Sep 2002 05:37:19 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.4/8.12.4) with SMTP id g8DCavOo098929; Fri, 13 Sep 2002 08:36:57 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Fri, 13 Sep 2002 08:36:56 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Nate Lawson Cc: Garrett Wollman , arch@freebsd.org, imp@freebsd.org, peter@freebsd.org Subject: Re: PATCH: vnode->v_tag to const char * In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-arch@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Fri, 13 Sep 2002, Nate Lawson wrote: > Ok, now that works for NFS (VFCF_NETWORK). But the procfs check is > horrible. > > For those just tuning in, if a set[ug]id program has /proc/mumble open > on fds 0-2, it's possible it could inadvertently write to them, causing > a crash. The check is_unsafe() in kern_descrip.c handles this case. > > I changed it to use VFCF_SYNTHETIC instead but that is not right -- > fdescfs and devfs (think: /dev/fd/*, /dev/tty) are also synthetic. And > what about portal ... ? > > What is the 'right' way to keep sugid programs from crashing the system > with open 0-2 fds? The risk isn't just that the system might crash, it's that I might be able to gain privilege by setting up a scenario of this sort. The ability to write to a procfs vnode (such as mem) can come and go as the privilege of the subject and target processes change, yet a file descriptor reference to the procfs vnode may remain valid throughout. Through careful timing, it may be possible to arrange for one setuid application to write to the memory space of another setuid application in a controlled form, which could be used to increase the level of privilege of the attacker by causing the target process to misbehave in a predictable way. Through careful racing, for example, you could arrange for the output of your arbitrary friendly setuid program (passwd, su, lpr, ...) to end up overwriting the buffer memory used by another command (passwd, su) to change its behavior to your benefit (as an attacker). Interestingly, procfs vnodes are one of the few cases where this can happen, since it's one of the few file systems we have with this sort of semantic. With MAC and securelevels/file flags, there are some other cases where the privilege to write to an object comes and goes, but you might still have a file descriptor. Arguably, this is a weakness to the UNIX model, and it's not yet clear to me what the right fix is. Certainly disallowing stdio from pointing to procfs nodes is a good start and prevents known problems. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message