Date: Fri, 13 Sep 2002 10:52:14 -0700 (PDT)
From: Nate Lawson <nate@root.org>
To: Terry Lambert <tlambert2@mindspring.com>
Cc: arch@freebsd.org
Subject: Re: PATCH: vnode->v_tag to const char *
Message-ID: <Pine.BSF.4.21.0209131042460.27416-100000@root.org>
In-Reply-To: <3D81ED04.C016B3B0@mindspring.com>
Sorry, this isn't helpful.  See the start of this thread where I am changing
vp->v_tag.  Since v_tag is not (and should never have been) usable as a fs
type id, I need something to replace it with to detect a procfs vnode.
Checking for VFCF_SYNTHETIC lumps devfs and fdescfs in with procfs and thus
programs like su no longer work (because stdin is /dev/tty which is on devfs
which, like procfs, has VFCF_SYNTHETIC set).

Another possibility I considered was checking for VFCF_SYNTHETIC and
vtype != VCHR (since procfs uses standard VDIR/VREG files).  This didn't
work either (I was able to hang the system with "su < /proc/curproc/mem").

I need two things:

1. To know all the filesystem types that are unsafe for set[ug]id programs
   with open descriptors on 0-2.  Procfs is one, but there are probably
   others.  Any fs where the semantics of the fd change across an exec is
   suspect.

2. A way to uniquely identify those fs types via a vnode.  This may need to
   be a new flag somewhere (say, struct vfsconf).  Pseudofs already uses
   PFS_PROCDEP but this never gets propagated to a vnode.

-Nate

On Fri, 13 Sep 2002, Terry Lambert wrote:
> Nate Lawson wrote:
> > For those just tuning in, if a set[ug]id program has /proc/mumble open on
> > fds 0-2, it's possible it could inadvertently write to them, causing a
> > crash.  The check is_unsafe() in kern_descrip.c handles this case.
> >
> > I changed it to use VFCF_SYNTHETIC instead but that is not right --
> > fdescfs and devfs (think: /dev/fd/*, /dev/tty) are also synthetic.  And
> > what about portal ... ?
> >
> > What is the 'right' way to keep sugid programs from crashing the system
> > with open 0-2 fds?
>
> Hook 1 and 2, which are output fd's, to /dev/null, if you *must*
> have them open.
>
> -- Terry
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-arch" in the body of the message
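The thread discusses a kernel-side check (is_unsafe() in kern_descrip.c) that guards set[ug]id programs against fds 0-2 pointing at procfs. The following is an added illustration, not code from this thread or from FreeBSD, of the same two defensive ideas applied in userland by the privileged program itself: Terry's suggestion of pointing missing standard descriptors at /dev/null, and a per-descriptor filesystem-type test that treats procfs as unsafe. It assumes fstatfs(2) with the Linux f_type magic or the FreeBSD f_fstypename field; procfs is the only type flagged, since the thread names no others.

```c
/* Added example (not FreeBSD code): a userland counterpart of the kernel
 * is_unsafe() check.  A set[ug]id program that does not trust fds 0-2 at
 * startup can repair closed ones and refuse ones on procfs. */
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/vfs.h>
#define UNSAFE_FS_MAGIC 0x9fa0        /* PROC_SUPER_MAGIC from linux/magic.h */
#else
#include <string.h>
#include <sys/param.h>
#include <sys/mount.h>
#endif

/* 1 if fd lives on a filesystem treated as unsafe for standard descriptors
 * (procfs), 0 if acceptable, -1 if fd is not open or fstatfs() fails. */
int fd_on_unsafe_fs(int fd)
{
    struct statfs sf;
    if (fstatfs(fd, &sf) != 0) return -1;
#ifdef __linux__
    return sf.f_type == UNSAFE_FS_MAGIC;
#else
    return strcmp(sf.f_fstypename, "procfs") == 0;  /* FreeBSD exports a name */
#endif
}

/* Point any closed fd in 0-2 at /dev/null so a later open() cannot land a
 * sensitive file there.  Open descriptors are left alone.  Returns the
 * number of descriptors replaced, or -1 on failure. */
int sanitize_std_fds(void)
{
    int replaced = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            continue;                 /* already open */
        int nul = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nul < 0) return -1;
        if (nul != fd) {              /* open() landed on a lower free slot */
            if (dup2(nul, fd) < 0) return -1;
            close(nul);
        }
        replaced++;
    }
    return replaced;
}
```

A program using this would call sanitize_std_fds() first and then reject, or redirect, any of fds 0-2 for which fd_on_unsafe_fs() returns nonzero before doing privileged work.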