Date: Fri, 13 Sep 2002 10:52:14 -0700 (PDT)
From: Nate Lawson
To: Terry Lambert
Cc: arch@freebsd.org
Subject: Re: PATCH: vnode->v_tag to const char *
In-Reply-To: <3D81ED04.C016B3B0@mindspring.com>

Sorry, this isn't helpful. See the start of this thread where I am
changing vp->v_tag. Since v_tag is not (and should never have been)
usable as a fs type id, I need something to replace it with to detect a
procfs vnode.

Checking for VFCF_SYNTHETIC lumps devfs and fdescfs in with procfs and
thus programs like su no longer work (because stdin is /dev/tty which is
on devfs which, like procfs, has VFCF_SYNTHETIC set). Another
possibility I considered was checking for VFCF_SYNTHETIC and vtype !=
VCHR (since procfs uses standard VDIR/VREG files). This didn't work
either (I was able to hang the system with "su < /proc/curproc/mem").

I need two things:

1. To know all the filesystem types that are unsafe for set[ug]id
   programs with open descriptors on 0-2. Procfs is one, but there are
   probably others. Any fs where the semantics of the fd change across
   an exec is suspect.

2. A way to uniquely identify those fs types via a vnode. This may need
   to be a new flag somewhere (say, struct vfsconf). Pseudofs already
   uses PFS_PROCDEP but this never gets propagated to a vnode.

-Nate

On Fri, 13 Sep 2002, Terry Lambert wrote:
> Nate Lawson wrote:
> > For those just tuning in, if a set[ug]id program has /proc/mumble open on
> > fds 0-2, it's possible it could inadvertently write to them, causing a
> > crash. The check is_unsafe() in kern_descrip.c handles this case.
> >
> > I changed it to use VFCF_SYNTHETIC instead but that is not right --
> > fdescfs and devfs (think: /dev/fd/*, /dev/tty) are also synthetic. And
> > what about portal ... ?
> >
> > What is the 'right' way to keep sugid programs from crashing the system
> > with open 0-2 fds?
>
> Hook 1 and 2, which are output fd's, to /dev/null, if you *must*
> have them open.
>
> -- Terry
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-arch" in the body of the message
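The userland side of the "hook them to /dev/null" suggestion, as an added example that is not from this thread or the FreeBSD tree: before a set[ug]id program touches fds 0-2, check whether each one is closed or sits on procfs, and if so attach it to /dev/null instead. The procfs test uses fstatfs(2), comparing f_fstypename on the BSDs and the PROC_SUPER_MAGIC f_type value on Linux; the function names are assumed, not taken from any kernel or libc.

```c
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/vfs.h>
#else
#include <sys/param.h>
#include <sys/mount.h>
#endif

/* Return 1 if the open descriptor fd refers to a file on procfs,
 * 0 if it is on any other filesystem or is not an open descriptor. */
int fd_on_procfs(int fd)
{
    struct statfs sf;
    if (fstatfs(fd, &sf) != 0)
        return 0;
#ifdef __linux__
    return sf.f_type == 0x9fa0;            /* PROC_SUPER_MAGIC */
#else
    return strcmp(sf.f_fstypename, "procfs") == 0;
#endif
}

/* Make one of the standard descriptors safe for a set[ug]id program:
 * a closed fd, or one open on procfs, is replaced by /dev/null (read-only
 * for fd 0, write-only otherwise).  Returns 1 if the fd was replaced,
 * 0 if it was already acceptable and left alone, -1 on error. */
int sanitize_std_fd(int fd)
{
    int is_closed = fcntl(fd, F_GETFD) == -1;
    if (!is_closed && !fd_on_procfs(fd))
        return 0;
    int nul = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
    if (nul == -1)
        return -1;
    if (nul != fd) {                        /* open() may already have landed on fd */
        int rc = dup2(nul, fd);
        close(nul);
        if (rc == -1)
            return -1;
    }
    return 1;
}

/* Apply sanitize_std_fd() to fds 0-2; returns how many were replaced, -1 on error. */
int sanitize_std_fds(void)
{
    int replaced = 0;
    for (int fd = 0; fd <= 2; fd++) {
        int rc = sanitize_std_fd(fd);
        if (rc == -1)
            return -1;
        replaced += rc;
    }
    return replaced;
}
```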