Date: Thu, 18 Apr 2002 23:30:02 -0400
From: Garance A Drosihn <drosih@rpi.edu>
To: "J. Mallett"
Cc: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/sys/kern kern_descrip.c kern_exec.c src/sys/sys filedesc.h
In-Reply-To: <20020419032610.GG30498@FreeBSD.ORG>
References: <200204190045.g3J0jUY59526@freefall.freebsd.org> <200204190309.g3J39tE69057@khavrinen.lcs.mit.edu> <20020419032610.GG30498@FreeBSD.ORG>

At 3:26 AM +0000 4/19/02, J. Mallett wrote:
>On Thu, Apr 18, 2002 at 11:16:45PM -0400, Garance A Drosihn wrote:
>> I don't see how it would break anything, although I'm not
>> sure why this is something that needs to be done for set[ug]id
>> programs and not for others?  Is this trying to avoid error
>> conditions that would pull the rug out from under such a
>> program "at a bad time"?
>
>If you know the codepath of a program, you can close a number
>of file descriptors, and ones specifically for reading or
>writing, and without fail cause corruption of a file, dump
>information of your choice into a file, or cause information
>to be incorrectly read from a file.
>
>I can give you specific examples of how this could be abused,
>but it doesn't really take much imagination.

Hmm.
Okay, I can see how this helps some.  But if we are talking about
Evil(tm) programs which are exec-ing a set[ug]id program, then I
would think the program could cause just as much evil havoc by
assigning those descriptors to files that the program is not
expecting them to be assigned to.  Like, perhaps, to a file that
the program will have no access to.  How would that be "less evil"
than having the descriptor assigned to nothing at all?

[again, I'm just wondering here, I have no objection to the change...
Thanks]

-- 
Garance Alistair Drosehn            =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu
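A user-space analogue of the descriptor check the thread is discussing, as an added example (not the committed kern_exec.c code): before a set[ug]id program does anything else, any closed standard descriptor is pointed at /dev/null, so a caller that closed fd 0, 1 or 2 before exec cannot make the program's first open() land on one of those numbers. The /dev/null target, the function names and the self-check are this example's own choices, not taken from the commit.

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* True if fd is currently open (fcntl fails with EBADF on a closed slot). */
static int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Point every closed standard descriptor (0, 1, 2) at /dev/null so no later
 * open() can land on it.  Returns how many were reopened, or -1 on failure. */
int ensure_std_fds_open(void)
{
    int reopened = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        /* open() returns the lowest free slot, normally fd itself; dup2() covers the rest. */
        int nul = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nul == -1)
            return -1;
        if (nul != fd) {
            int rc = dup2(nul, fd);
            close(nul);
            if (rc == -1)
                return -1;
        }
        reopened++;
    }
    return reopened;
}

/* Self-check: close fd 0 (keeping a copy), run the fix-up, confirm fd 0 is open
 * again and is a character device (/dev/null), then restore it.  1 = success. */
int demo_closed_stdin_is_repaired(void)
{
    struct stat st;
    int saved, ok = 0;
    if (ensure_std_fds_open() < 0 || (saved = dup(0)) == -1)
        return 0;
    close(0);
    if (ensure_std_fds_open() == 1 && fd_is_open(0) &&
        fstat(0, &st) == 0 && S_ISCHR(st.st_mode))
        ok = 1;
    dup2(saved, 0);
    close(saved);
    return ok;
}
```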