From owner-freebsd-bugs Tue Sep 8 00:10:05 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA13866 for freebsd-bugs-outgoing; Tue, 8 Sep 1998 00:10:05 -0700 (PDT) (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA13816 for ; Tue, 8 Sep 1998 00:10:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.8/8.8.5) id AAA17788; Tue, 8 Sep 1998 00:10:00 -0700 (PDT)
Received: from andrew1.lnk.telstra.net (andrew1.lnk.telstra.net [139.130.51.121]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA12817 for ; Tue, 8 Sep 1998 00:05:53 -0700 (PDT) (envelope-from cagney@tpgi.com.au)
Received: (from cagney@localhost) by andrew1.lnk.telstra.net (8.8.8/8.7.3) id RAA10643; Tue, 8 Sep 1998 17:05:47 +1000 (EST)
Message-Id: <199809080705.RAA10643@andrew1.lnk.telstra.net>
Date: Tue, 8 Sep 1998 17:05:47 +1000 (EST)
From: Andrew Cagney
Reply-To: cagney@tpgi.com.au
To: FreeBSD-gnats-submit@FreeBSD.ORG, cagney@andrew1.lnk.telstra.net
X-Send-Pr-Version: 3.2
Subject: kern/7858: GDB (ptrace?) can touch almost any executable
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 7858
>Category: kern
>Synopsis: GDB (ptrace?) can touch almost any executable
>Confidential: yes
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Sep 8 00:10:00 PDT 1998
>Last-Modified:
>Originator: Andrew Cagney
>Organization: Un-organized
>Release: FreeBSD 2.2.7-RELEASE i386
>Environment:

FreeBSD b1.cygnus.com 2.2.7-RELEASE FreeBSD 2.2.7-RELEASE #0: Fri Sep 4 16:47:02 EST 1998 cagney@b1.cygnus.com:/usr/src/sys/compile/B2 i386

Kernel is almost vanilla (but that is probably what they all say :-).

>Description:

GDB can be used to change the modify/creation dates of files the user doesn't own. Suspect PTRACE security hole.

>How-To-Repeat:

Exhibit 1:

cagney@b1.cygnus.com$ cat ../devo/gdb/testsuite/gdb.base/reread2.c
#include <stdio.h>

int x;

void foo()
{
  x++;
  printf("This is foo\n");
}

int main()
{
#ifdef usestubs
  set_debug_traps ();
  breakpoint ();
#endif
  foo();
  return 0;
}

Compile exhibit 1 with:

cagney@b1.cygnus.com$ sudo gcc -g -o reread ../devo/gdb/testsuite/gdb.base/reread2.c
Password:
cagney@b1.cygnus.com$ ls -ldg reread
-rwxr-xr-x 1 root wheel 11710 Sep 8 16:46 reread
cagney@b1.cygnus.com$ whoami
cagney
cagney@b1.cygnus.com$ groups
wheel network people cagney
cagney@b1.cygnus.com$

Check the file's date:

cagney@b1.cygnus.com$ date ; /bin/ls -lT reread
Tue Sep 8 16:54:03 EST 1998
-rwxr-xr-x 1 root wheel 11710 Sep 8 16:52:57 1998 reread

Run GDB vis:

cagney@b1.cygnus.com$ /usr/bin/gdb ./reread
...
GDB 4.16 (i386-unknown-freebsd), Copyright 1996 Free Software Foundation, Inc...
(gdb) run
Starting program: /home/scratch/freebsd-gdb/./reread
This is foo

Program exited normally.
(gdb)

Check the dates again:

cagney@b1.cygnus.com$ date ; /bin/ls -lT reread
Tue Sep 8 16:55:11 EST 1998
-rwxr-xr-x 1 root wheel 11710 Sep 8 16:52:57 1998 reread

Until eventually (~30 seconds?).

cagney@b1.cygnus.com$ date ; /bin/ls -lT reread
Tue Sep 8 16:55:28 EST 1998
-rwxr-xr-x 1 root wheel 11710 Sep 8 16:55:27 1998 reread

shows up....

>Fix:

Good question!

	have fun,
		Andrew

>Audit-Trail:
>Unformatted: