From: Xin Li
Organization: The FreeBSD Project
Date: Mon, 01 Oct 2012 04:07:33 -0700
To: Erik Cederstrand
Cc: freebsd-security@freebsd.org
Subject: Re: Opinion on checking return value of setuid(getuid())?
Message-ID: <50697975.4070609@delphij.net>
In-Reply-To: <9DD86238-51C8-4F38-B7EB-BD773039888B@cederstrand.dk>
On 10/1/12 3:31 AM, Erik Cederstrand wrote:
> I'm looking through the clang analyzer reports and found this one:
> http://scan.freebsd.your.org/freebsd-head/sbin.ping/2012-09-30-amd64/report-R9ZgC6.html#EndPath
>
> It's complaining that, if setuid() fails for some reason, the
> process will continue with root privileges because the process is
> suid root.
>
> At first glance, it seems unnecessary to check the return value of
> "setuid(getuid())" since the user should always be able to drop
> privileges to itself. So I filed this bug with LLVM:
> http://llvm.org/bugs/show_bug.cgi?id=13979
>
> It turns out that setuid() *may* fail if the user hits its process
> limit. Apparently FreeBSD doesn't check the limit in the specific
> setuid(getuid()) case (I can't find the code anywhere right now)
> so this is not an issue, but Linux does. However, if FreeBSD
> decides to change the setuid() implementation at some point, the
> issue may surface again.

I didn't follow the idea -- in Linux's kernel/sys.c:

    SYSCALL_DEFINE1(setuid, uid_t, uid)
    {
        (...)
        kuid = make_kuid(ns, uid);
        (...)
        if (nsown_capable(CAP_SETUID)) {
            new->suid = new->uid = kuid;
            if (!uid_eq(kuid, old->uid)) {      // <-- 1
                retval = set_user(new);         // <-- check done here
                if (retval < 0)
                    goto error;
            }

How can the check even be reached in the setuid(getuid()) case? It also conflicts with intuition, by the way -- we are not changing the ownership of the process, thus the number of processes should not change...
Cheers,
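The return-value check the thread is about, as an added example (not code from the thread or from FreeBSD's ping): a helper that drops privileges with setuid(getuid()), fails closed if the call returns -1, and confirms the result with getresuid(), which is assumed to be available (it is a Linux/BSD extension, not POSIX).

```c
/* Added example, not from the thread: a privilege-drop helper for a
 * setuid-root program that checks the return value of setuid(getuid())
 * and then verifies the result, instead of assuming the call cannot fail
 * (Linux's setuid(2) documents EAGAIN for the RLIMIT_NPROC case). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 once real, effective and saved uids all equal the caller's real
 * uid; returns -1 with errno set if setuid() failed or the drop could not be
 * confirmed. A caller must treat -1 as fatal: the process may still be root. */
int drop_privileges(void)
{
    uid_t target = getuid();
    uid_t r, e, s;

    /* The risky pattern is `setuid(getuid());` with the result ignored:
     * if the call fails, a setuid-root process continues with euid 0. */
    if (setuid(target) != 0)
        return -1;              /* errno: EAGAIN, EPERM, ... */

    /* Post-condition check rather than trust. getresuid() is a Linux/BSD
     * extension (hence _GNU_SOURCE on glibc). */
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    if (r != target || e != target || s != target) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    if (drop_privileges() != 0) {
        fprintf(stderr, "setuid(%u) failed: %s; refusing to continue\n",
                (unsigned)getuid(), strerror(errno));
        return 1;
    }
    printf("running unprivileged as uid %u\n", (unsigned)getuid());
    return 0;
}
```

Run as an ordinary user the call is a no-op that succeeds; the point is that the program exits instead of carrying on with root privileges when it does not.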