From owner-cvs-all Fri Apr 19 4:25:32 2002
Message-Id: <200204191125.g3JBPCSg072782@hak.lan.Awfulhak.org>
To: Garrett Wollman
Cc: "J. Mallett", cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, brian@freebsd-services.com
Subject: Re: cvs commit: src/sys/kern kern_descrip.c kern_exec.c src/sys/sys filedesc.h
In-Reply-To: Message from Garrett Wollman of "Fri, 19 Apr 2002 00:14:26 EDT." <200204190414.g3J4EQH69597@khavrinen.lcs.mit.edu>
Date: Fri, 19 Apr 2002 12:25:12 +0100
From: Brian Somers

> < said:
>
> > If you know the codepath of a program, you can close a number of file
> > descriptors, and ones specifically for reading or writing, and without fail
> > cause corruption of a file, dump information of your choice into a file,
> > or cause information to be incorrectly read from a file.
>
> Any privileged process which blindly trusts its file descriptors to
> not be closed is seriously broken.
>
> It's not clear whether POSIX allows this behavior. I've submitted an
> aardvark requesting clarification.

I agree with Garrett. This change is *very* broken.

Warner said:

: The setuid program opens up some file that the user wouldn't
: otherwise be able to open. It gets fd 2. Now after this
: point the program does a write to stderr because of some
: error. Often times the user affects the output. If the setuid
: program uses err(), and the file in question is
: /etc/master.passwd, one could set argv[0] to something that looks like a
: password line with a uid of 0. Then the user could change
: his/her password and get root.

Agreed, a program that does this is broken, but I believe the program
needs to be fixed, not the kernel.

Also, you've broken syntax such as ``sh prog 2>&-''.

Garrett said:

: fd = open(...)
: close(1);
: dup(fd);
:
: and have it work. (These programs are broken anyway -- the Standard
: does not guarantee any particular order of fd allocation.)

From dup(2):

     Dup() duplicates an existing object descriptor and returns its value to
     the calling process (newd = dup(oldd)). The argument oldd is a small
     non-negative integer index in the per-process descriptor table. The
     value must be less than the size of the table, which is returned by
     getdtablesize(2). The new descriptor returned by the call is the
     lowest numbered descriptor currently not in use by the process.

Even if the standard doesn't guarantee the lowest descriptor, our man
pages do (as do NetBSD and OpenBSD's).

> -GAWollman

--
Brian
http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !
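The user-space fix Brian argues for, as an added example that is not code from this thread, from the commit under discussion, or from FreeBSD: a setuid program re-points any closed descriptor among 0, 1 and 2 at /dev/null before it opens anything, so a privileged file can never land on stderr. The two demonstration functions close fd 2 and then open a path, once without and once with the fix, and return the descriptor open() handed back; /dev/null stands in for the /etc/master.passwd of Warner's example. The function names are mine. The example relies on open() and dup() returning the lowest unused descriptor; the BSD manual pages quoted above promise that, and POSIX.1 specifies the same for both calls.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* 1 if fd is an open descriptor, 0 if it is closed (EBADF). */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/*
 * The fix: make sure 0, 1 and 2 are all open before any other open().
 * Each closed one is filled with /dev/null; because open() returns the
 * lowest unused descriptor, the new fd is exactly the one being filled.
 * Returns how many had to be filled, or -1 on failure (a setuid program
 * should abort in that case rather than carry on).
 */
int sanitize_std_fds(void)
{
    int filled = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {        /* cannot happen if fd was the lowest free slot */
            close(nfd);
            return -1;
        }
        filled++;
    }
    return filled;
}

/*
 * The hazard: starting from the normal state (0, 1, 2 open), close fd 2
 * and open a file.  The file lands on descriptor 2, so every later write
 * to stderr, err(3) included, goes into it.  Returns the fd open() gave.
 */
int open_after_closing_stderr(const char *path)
{
    if (sanitize_std_fds() < 0)
        return -1;
    int saved = dup(2);         /* keep the real stderr to put back later */
    close(2);
    int fd = open(path, O_WRONLY);
    if (fd != -1)
        close(fd);
    dup2(saved, 2);
    close(saved);
    return fd;                  /* 2 */
}

/* Same scenario, but the program sanitizes first: the file cannot land on 2. */
int open_after_sanitize(const char *path)
{
    if (sanitize_std_fds() < 0)
        return -1;
    int saved = dup(2);
    close(2);
    if (sanitize_std_fds() != 1) {      /* exactly fd 2 should need filling */
        dup2(saved, 2);
        close(saved);
        return -1;
    }
    int fd = open(path, O_WRONLY);
    if (fd != -1)
        close(fd);
    dup2(saved, 2);             /* replaces the /dev/null on 2 with the real stderr */
    close(saved);
    return fd;                  /* >= 3 */
}

int main(void)
{
    /* /dev/null is a constructed stand-in for a file only the setuid program may open. */
    printf("fd 2 closed, no fix:   open() returned %d\n", open_after_closing_stderr("/dev/null"));
    printf("fd 2 closed, with fix: open() returned %d\n", open_after_sanitize("/dev/null"));
    return 0;
}
```

The check has to run before the first open(), and before anything that writes to stderr; doing it from a constructor or the first lines of main() is the usual place. It also does not replace the kernel-side question raised in the thread: it only removes the program's own dependence on the caller having left 0, 1 and 2 open.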