From owner-cvs-all  Thu Apr 18 20:20: 5 2002
Delivered-To: cvs-all@freebsd.org
Received: from finntroll.newgold.net (Durham-ar1-4-64-252-019.dsl.genuity.net [4.64.252.19])
	by hub.freebsd.org (Postfix) with SMTP id 816BA37B419
	for <cvs-all@FreeBSD.org>; Thu, 18 Apr 2002 20:19:56 -0700 (PDT)
Received: (qmail 3618 invoked by uid 1001); 19 Apr 2002 03:26:11 -0000
Date: Fri, 19 Apr 2002 03:26:11 +0000
From: "J. Mallett" <jmallett@FreeBSD.ORG>
To: Garance A Drosihn <drosih@rpi.edu>
Cc: Garrett Wollman <wollman@lcs.mit.edu>,
	Jacques Vidrine <nectar@FreeBSD.org>, cvs-committers@FreeBSD.org,
	cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/kern kern_descrip.c kern_exec.c src/sys/sys          filedesc.h
Message-ID: <20020419032610.GG30498@FreeBSD.ORG>
References: <200204190045.g3J0jUY59526@freefall.freebsd.org> <200204190309.g3J39tE69057@khavrinen.lcs.mit.edu> <p05111709b8e53bfd88f7@[128.113.24.47]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <p05111709b8e53bfd88f7@[128.113.24.47]>
User-Agent: Mutt/1.3.27i
Organisation: FreeBSD <http://FreeBSD.org>
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID: <cvs-all.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20cvs-all>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20cvs-all>
X-Loop: FreeBSD.ORG

On Thu, Apr 18, 2002 at 11:16:45PM -0400, Garance A Drosihn wrote:
> At 11:09 PM -0400 4/18/02, Garrett Wollman wrote:
> ><<On Thu, 18 Apr 2002 17:45:30 -0700 (PDT), Jacques Vidrine 
> ><nectar@FreeBSD.org> said:
> >
> > >   When exec'ing a set[ug]id program, make sure that the stdio
> > >   file descriptors (0, 1, 2) are allocated by opening /dev/null
> > >   for any which are not already open.
> >
> ><>shudder<>
> >
> >This seems completely and utterly broken to me.
> 
> I don't see how it would break anything, although I'm not
> sure why this is something that needs to be done for set[ug]id
> programs and not for others?  Is this trying to avoid error
> conditions that would pull the rug out from under such a
> program "at a bad time"?
> 

If you know the codepath of a program, you can close a number of file
descriptors, and ones specifically for reading or writing, and without fail
cause corruption of a file, dump information of your choice into a file,
or cause information to be incorrectly read from a file.

I can give you specific examples of how this could be abused, but it
doesn't really take much imagination.
-- 
jmallett@FreeBSD.org   | C, MIPS, POSIX, UNIX, BSD, IRC Geek.
http://www.FreeBSD.org | The Power to Serve
"We all need mirrors to remind ourselves who we are -- I'm no different."

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message