Date: Tue, 20 Jul 1999 00:40:02 -0700 (PDT)
From: <jkoshy@FreeBSD.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/3546: ktrace works even if no read permission
Message-ID: <199907200740.AAA89974@freefall.freebsd.org>
The following reply was made to PR kern/3546; it has been noted by GNATS.
From: <jkoshy@FreeBSD.org>
To: freebsd-gnats-submit@freebsd.org, mfuhr@dimensional.com
Cc: phk@FreeBSD.org, bde@FreeBSD.org
Subject: Re: kern/3546: ktrace works even if no read permission
Date: Tue, 20 Jul 1999 00:36:08 -0700 (PDT)
The patch to disallow `ktrace' on executables w/o read perms
turns out to be simple, and has no effect when tracing is not
enabled. Here is an excerpt from a session with the new
functionality:
(nemesis) $ ./a.out
hello world
(nemesis) $ ll a.out
343 -r-xr-xr-x 1 jkoshy wheel 3308 Jul 20 12:18 a.out
(nemesis) $ ktrace ./a.out
hello world
(nemesis) $ chmod a-r ./a.out
(nemesis) $ ./a.out
hello world
(nemesis) $ ktrace ./a.out
ktrace: exec of './a.out' failed: Permission denied
(nemesis) $ rm ktrace.out
(nemesis) $ su test -c "ktrace ./a.out"
Password:
ktrace: exec of './a.out' failed: Permission denied
(nemesis) $ chmod a+r ./a.out
(nemesis) $ su test -c "rm ktrace.out"
Password:
(nemesis) $ su test -c "ktrace ./a.out"
Password:
hello world
If the patch enclosed passes review, I'd be happy to commit it and make
the relevant changes to the manual pages.
Regards,
Koshy
<jkoshy@freebsd.org>
Index: kern_exec.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_exec.c,v
retrieving revision 1.99
diff -u -r1.99 kern_exec.c
--- kern_exec.c 1999/04/27 11:15:55 1.99
+++ kern_exec.c 1999/07/20 12:49:53
@@ -26,6 +26,8 @@
* $Id: kern_exec.c,v 1.99 1999/04/27 11:15:55 phk Exp $
*/
+#include "opt_ktrace.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
@@ -48,6 +50,9 @@
#include <sys/sysctl.h>
#include <sys/vnode.h>
#include <sys/buf.h>
+#ifdef KTRACE
+#include <sys/ktrace.h>
+#endif
#include <vm/vm.h>
#include <vm/vm_param.h>
@@ -683,6 +688,18 @@
if (error)
return (error);
+#ifdef KTRACE
+ /*
+ * If the current process is being traced, we must have
+ * read permissions to the image being exec'ed.
+ */
+
+ if ((p->p_traceflag & KTRFAC_MASK) &&
+ ((error = VOP_ACCESS(vp, VREAD, p->p_ucred, p)) != 0))
+ return EACCES;
+#endif
+
+
/*
* Check number of open-for-writes on the file and deny execution
* if there are any.
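Review bot: in the added KTRACE check, the value VOP_ACCESS() stores in `error` is discarded and `return EACCES;` is hard-coded, so any other failure from the access check is reported as a permission error; either `return (error);` as the context lines just above do, or drop the assignment if EACCES is always intended. The bare `return EACCES;` also departs from the parenthesised `return (error);` style of the preceding lines, and the blank line after the comment and the doubled blank line after `#endif` can go. Since the test runs only at exec time against `p->p_traceflag`, the comment should say that the restriction applies to a process that is already being traced when it execs, and why read permission on the image is the requirement.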
