From owner-cvs-all Thu Apr 18 21:09:01 2002
Delivered-To: cvs-all@freebsd.org
Received: from rover.village.org (rover.bsdimp.com [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id 9CF1C37B41D; Thu, 18 Apr 2002 21:08:51 -0700 (PDT)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.3/8.11.3) with ESMTP id g3J48oH53166; Thu, 18 Apr 2002 22:08:50 -0600 (MDT) (envelope-from imp@village.org)
Received: from localhost (warner@rover2.village.org [10.0.0.1]) by harmony.village.org (8.11.6/8.11.6) with ESMTP id g3J48mx10884; Thu, 18 Apr 2002 22:08:49 -0600 (MDT) (envelope-from imp@village.org)
Date: Thu, 18 Apr 2002 22:08:19 -0600 (MDT)
Message-Id: <20020418.220819.38783712.imp@village.org>
To: drosih@rpi.edu
Cc: jmallett@FreeBSD.org, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/kern kern_descrip.c kern_exec.c src/sys/sys filedesc.h
From: "M. Warner Losh"
In-Reply-To:
References: <20020419032610.GG30498@FreeBSD.ORG>
X-Mailer: Mew version 2.1 on Emacs 21.1 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

In message:
            Garance A Drosihn writes:
: Hmm.  Okay, I can see how this helps some.  But if we are
: talking about Evil(tm) programs which are exec-ing a
: set[ug]id program, then I would think the program could
: cause just as much evil havoc by assigning those descriptors
: to files that the program is not expecting them to be
: assigned to.  Like, perhaps, to a file that the program will
: have no access to.  How would that be "less evil" than having
: the descriptor assigned to nothing at all?

This is less of a problem than what I talked about earlier.  If I
open files on 0, 1 or 2, I do it as "me", which is OK.  The security
check is already done by the time the privs are elevated.

But if, say, FD 2 is closed, then the scenario that I talked about
earlier could happen: the setuid program opens up some file that the
user wouldn't otherwise be able to open.  It gets fd 2.  Now after this
point the program does a write to stderr because of some error.
Oftentimes the user affects the output.  If the setuid program uses
err(), and the file in question is /etc/master.passwd, one could set
argv[0] to something that looks like a password line with a uid of 0.
Then the user could change his/her password and get root.  There are
other ways to exploit this as well.

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
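The mechanism Warner describes rests on one POSIX rule: open() returns the lowest free descriptor, so a privileged program that starts with fd 2 closed will have its first open() land on stderr. The following C program is an added example, not code from this thread or from the FreeBSD commit under discussion. It reproduces the descriptor reuse without any privilege (using /dev/null in place of the sensitive file) and then shows the program-side mitigation: before doing anything privileged, check fds 0, 1 and 2 with fstat() and bind any closed one to /dev/null so that later opens cannot alias stdin, stdout or stderr. The function names (sanitize_std_fds, lowest_fd_after_closing_stderr, demo_closed_stderr) are mine, and the code assumes a POSIX system where /dev/null exists.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if fd refers to an open file, 0 if it is closed (fstat fails with
 * EBADF).  Any other fstat error means the descriptor exists: treat as open. */
static int fd_is_open(int fd)
{
    struct stat st;

    if (fstat(fd, &st) == 0)
        return 1;
    return errno == EBADF ? 0 : 1;
}

/* Ensure descriptors 0, 1 and 2 all refer to something, opening /dev/null on
 * any that are closed so a later open() cannot land on them.  Returns how many
 * descriptors had to be filled, or -1 if /dev/null could not be opened (a
 * privileged program should treat that as fatal rather than continue). */
int sanitize_std_fds(void)
{
    int filled = 0;

    for (int fd = STDIN_FILENO; fd <= STDERR_FILENO; fd++) {
        if (fd_is_open(fd))
            continue;
        int nfd = open("/dev/null", fd == STDIN_FILENO ? O_RDONLY : O_WRONLY);
        if (nfd < 0)
            return -1;
        if (nfd != fd) {
            /* open() hands out the lowest free fd, so nfd == fd in practice;
             * dup2() makes the result independent of that assumption. */
            if (dup2(nfd, fd) < 0) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
        filled++;
    }
    return filled;
}

/* The hazard, reproduced without privilege: close stderr, open an unrelated
 * file (constructed stand-in for the sensitive one), and return the descriptor
 * number it landed on.  The original stderr is restored before returning. */
int lowest_fd_after_closing_stderr(void)
{
    if (sanitize_std_fds() < 0)
        return -1;
    int saved = dup(STDERR_FILENO);
    if (saved < 0)
        return -1;
    close(STDERR_FILENO);
    int got = open("/dev/null", O_WRONLY);
    if (got >= 0)
        close(got);
    dup2(saved, STDERR_FILENO);
    close(saved);
    return got;   /* STDERR_FILENO: this is where err() would now write */
}

/* The mitigation: close stderr, run the sanitizer, and confirm fd 2 now refers
 * to a character device (/dev/null) instead of being free.  Returns 1 if
 * exactly one descriptor was filled and fd 2 is open afterwards, else 0. */
int demo_closed_stderr(void)
{
    int ok = 0;
    struct stat st;

    if (sanitize_std_fds() < 0)
        return 0;
    int saved = dup(STDERR_FILENO);
    if (saved < 0)
        return 0;
    close(STDERR_FILENO);
    int filled = sanitize_std_fds();
    if (filled == 1 && fstat(STDERR_FILENO, &st) == 0 && S_ISCHR(st.st_mode))
        ok = 1;
    dup2(saved, STDERR_FILENO);
    close(saved);
    return ok;
}

int main(void)
{
    printf("open() after closing stderr landed on fd %d\n",
           lowest_fd_after_closing_stderr());
    printf("sanitizer rebound closed stderr to /dev/null: %s\n",
           demo_closed_stderr() ? "yes" : "no");
    return 0;
}
```

The check belongs at the very top of main() in any set[ug]id program, before the first open(), because the kernel-side fix in this commit only covers the exec boundary; a program that closes one of its own standard descriptors later on recreates the same aliasing by itself. Detection-wise, a setuid process whose fd 0, 1 or 2 resolves (via fstat or procfs) to a regular file it opened with privilege is the signature of exactly this condition.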