From owner-cvs-all Thu Apr 18 21: 2:19 2002
Delivered-To: cvs-all@freebsd.org
Received: from rover.village.org (rover.bsdimp.com [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id 0578C37B421; Thu, 18 Apr 2002 21:01:57 -0700 (PDT)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.3/8.11.3) with ESMTP id g3J41tH53132; Thu, 18 Apr 2002 22:01:56 -0600 (MDT) (envelope-from imp@village.org)
Received: from localhost (warner@rover2.village.org [10.0.0.1]) by harmony.village.org (8.11.6/8.11.6) with ESMTP id g3J41tx10847; Thu, 18 Apr 2002 22:01:55 -0600 (MDT) (envelope-from imp@village.org)
Date: Thu, 18 Apr 2002 22:01:25 -0600 (MDT)
Message-Id: <20020418.220125.06947209.imp@village.org>
To: wollman@lcs.mit.edu
Cc: nectar@FreeBSD.org, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/kern kern_descrip.c kern_exec.c src/sys/sys filedesc.h
From: "M. Warner Losh"
In-Reply-To: <200204190309.g3J39tE69057@khavrinen.lcs.mit.edu>
References: <200204190045.g3J0jUY59526@freefall.freebsd.org> <200204190309.g3J39tE69057@khavrinen.lcs.mit.edu>
X-Mailer: Mew version 2.1 on Emacs 21.1 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

In message: <200204190309.g3J39tE69057@khavrinen.lcs.mit.edu>
            Garrett Wollman writes:
: < said:
:
: > When exec'ing a set[ug]id program, make sure that the stdio file descriptors
: > (0, 1, 2) are allocated by opening /dev/null for any which are not already
: > open.
:
: >shudder<
:
: This seems completely and utterly broken to me.

OpenBSD did this two years ago, and nothing has busted.  The problem is
that it can't be done in userland.  I can always create a shell that
leaves stderr unopened.

The program in question opens a file (it gets fd 2 due to how unix
works).  Sometime later on in the run, you force an error to happen.
The error message gets written out on stderr, splatting this file.  For
a setuid program, this represents a security hole.  There are many
other examples than this one.  There is no other way to fix this than
in the kernel...

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
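The scenario Warner describes, reproduced in userland as an added example (this is not code from the thread, from OpenBSD, or from FreeBSD's kern_exec.c change): a parent leaves fd 2 closed, the next open() in the child lands on fd 2, and anything later written to stderr goes into that file. The guard `ensure_std_fds_open()` is the kind of startup check a privileged program can run itself, opening /dev/null on any of fds 0, 1, 2 that is closed so later opens are allocated from 3 upward. All function names are hypothetical; `/dev/zero` stands in for whatever file the program would have opened.

```c
/* Added example: a startup guard for the closed-stdio-fd problem.
 * Not the kernel fix from the commit; a per-program userland check. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if fd is open, 0 if closed (EBADF), -1 on any other error. */
static int fd_is_open(int fd)
{
    if (fcntl(fd, F_GETFD) != -1)
        return 1;
    return errno == EBADF ? 0 : -1;
}

/* Open /dev/null on each of fds 0, 1, 2 that is currently closed.
 * Walking upward guarantees open() returns exactly the fd we are
 * repairing, because it is the lowest free descriptor at that point.
 * Returns the number of descriptors repaired, or -1 on failure. */
int ensure_std_fds_open(void)
{
    int repaired = 0;
    for (int fd = 0; fd < 3; fd++) {
        int st = fd_is_open(fd);
        if (st == 1)
            continue;
        if (st < 0)
            return -1;
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd < 0)
            return -1;
        if (nfd != fd) {                 /* defensive: should not happen */
            if (dup2(nfd, fd) < 0) { close(nfd); return -1; }
            close(nfd);
        }
        repaired++;
    }
    return repaired;
}

/* Does fd refer to /dev/null?  Compare device and inode numbers. */
int fd_is_dev_null(int fd)
{
    struct stat a, b;
    if (fstat(fd, &a) < 0 || stat("/dev/null", &b) < 0)
        return 0;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Reproduce the thread's scenario, then apply the guard.
 * Returns 1 when every step behaves as described, 0 otherwise.
 * The real stderr is saved and restored, so the caller is unaffected. */
int demo_closed_stderr(void)
{
    (void)ensure_std_fds_open();         /* make sure 0-2 start out open */
    int saved = dup(2);                  /* keep the real stderr */
    if (saved < 0)
        return 0;
    close(2);                            /* what a hostile parent shell leaves us */

    /* Without the guard: the next file the program opens becomes fd 2,
     * and every later write to stderr would splat into it. */
    int f = open("/dev/zero", O_RDONLY);
    int landed_on_stderr = (f == 2);
    if (f >= 0)
        close(f);

    /* With the guard: fd 2 becomes /dev/null; new opens land at 3 or above. */
    int repaired = ensure_std_fds_open();
    int g = open("/dev/zero", O_RDONLY);
    int ok = landed_on_stderr && repaired == 1 && fd_is_dev_null(2) && g >= 3;
    if (g >= 0)
        close(g);

    dup2(saved, 2);                      /* restore the real stderr */
    close(saved);
    return ok;
}

int main(void)
{
    printf("demo %s\n", demo_closed_stderr() ? "behaved as described" : "FAILED");
    return 0;
}
```

The guard only protects a program that calls it before its first open(); Warner's point is exactly that a setuid binary cannot rely on its caller, and a check inside the kernel's exec path covers every set[ug]id program whether or not its author thought of this.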