Date:      Thu, 14 Aug 1997 13:40:54 -0700 (PDT)
From:      Sean Eric Fagan <sef@FreeBSD.ORG>
To:        security@FreeBSD.ORG
Subject:   Since people didn't save the procfs patches
Message-ID:  <199708142040.NAA01094@freefall.freebsd.org>

when I sent them out, and did not grab the new files, here they are again.
These are -current; they should apply pretty easily to 2.2-ANYTHING,
however -- the procfs files don't change all that often most of the time ;).

Index: procfs.h
===================================================================
RCS file: /home/ncvs/src/sys/miscfs/procfs/procfs.h,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- procfs.h	1997/02/22 09:40:26	1.15
+++ procfs.h	1997/08/12 04:34:27	1.16
@@ -37,7 +37,7 @@
  *	@(#)procfs.h	8.9 (Berkeley) 5/14/95
  *
  * From:
- *	$Id: procfs.h,v 1.15 1997/02/22 09:40:26 peter Exp $
+ *	$Id: procfs.h,v 1.16 1997/08/12 04:34:27 sef Exp $
  */
 
 /*
@@ -85,6 +85,18 @@
 	  (bcmp((s), (cnp)->cn_nameptr, (len)) == 0))
 
 #define KMEM_GROUP 2
+
+/*
+ * Check to see whether access to target process is allowed
+ * Evaluates to 1 if access is allowed.
+ */
+#define CHECKIO(p1, p2) \
+     ((((p1)->p_cred->pc_ucred->cr_uid == (p2)->p_cred->p_ruid) && \
+       ((p1)->p_cred->p_ruid == (p2)->p_cred->p_ruid) && \
+       ((p1)->p_cred->p_svuid == (p2)->p_cred->p_ruid) && \
+       ((p2)->p_flag & P_SUGID) == 0) || \
+      (suser((p1)->p_cred->pc_ucred, &(p1)->p_acflag) == 0))
+      
 /*
  * Format of a directory entry in /proc, ...
  * This must map onto struct dirent (see <dirent.h>)
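Review bot: CHECKIO evaluates both p1 and p2 several times and the header comment at lines 36-37 never says which argument is the requester and which the target, so the macro's contract is easy to get wrong at a call site; I would extend the comment with `* p1 is the process making the request, p2 is the target process.` and `* Pass plain lvalues only: each argument is evaluated more than once.`. The second alternative calls suser() with `&(p1)->p_acflag`, which presumably lets it update p1's accounting flags as a side effect of a successful privileged check; that is worth one more line in the comment so callers know the check is not purely a read. The line added after the macro body (line 45) consists only of trailing whitespace and should be dropped. A `static inline` function would remove the multiple-evaluation hazard, but the existing bcmp-based macro just above suggests the header deliberately stays macro-only.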
Index: procfs_mem.c
===================================================================
RCS file: /home/ncvs/src/sys/miscfs/procfs/procfs_mem.c,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- procfs_mem.c	1997/08/02 14:32:14	1.26
+++ procfs_mem.c	1997/08/12 04:34:28	1.27
@@ -37,7 +37,7 @@
  *
  *	@(#)procfs_mem.c	8.5 (Berkeley) 6/15/94
  *
- *	$Id: procfs_mem.c,v 1.26 1997/08/02 14:32:14 bde Exp $
+ *	$Id: procfs_mem.c,v 1.27 1997/08/12 04:34:28 sef Exp $
  */
 
 /*
@@ -276,6 +276,23 @@
 
 	if (uio->uio_resid == 0)
 		return (0);
+
+ 	/*
+ 	 * XXX
+ 	 * We need to check for KMEM_GROUP because ps is sgid kmem;
+ 	 * not allowing it here causes ps to not work properly.  Arguably,
+ 	 * this is a bug with what ps does.  We only need to do this
+ 	 * for Pmem nodes, and only if it's reading.  This is still not
+ 	 * good, as it may still be possible to grab illicit data if
+ 	 * a process somehow gets to be KMEM_GROUP.  Note that this also
+ 	 * means that KMEM_GROUP can't change without editing procfs.h!
+ 	 * All in all, quite yucky.
+ 	 */
+ 
+ 	if (!CHECKIO(curp, p) &&
+	    !(curp->p_cred->pc_ucred->cr_gid == KMEM_GROUP &&
+	      uio->uio_rw == UIO_READ))
+ 		return EPERM;
 
 	return (procfs_rwmem(p, uio));
 }
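Review bot: The added comment block (lines 71-82) and the `return EPERM;` line appear to be indented with a space followed by a tab, whereas the surrounding context and the two continuation lines of the condition use a bare tab; that shows up as a whitespace-only difference and should be normalised before commit. The same return also drops the parentheses that the rest of this function uses (`return (0);`, `return (procfs_rwmem(p, uio));`), so `return (EPERM);` would match the local style. The KMEM_GROUP exemption compares only the effective gid, which is what an sgid-kmem ps carries, and the XXX comment already records why that is tolerated; I would add `/* Effective gid only: supplementary groups are deliberately not consulted. */` so the narrowness of the exemption is explicit. The enclosing function starts before this hunk, so the declarations of curp and p are outside the visible range.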
Index: procfs_regs.c
===================================================================
RCS file: /home/ncvs/src/sys/miscfs/procfs/procfs_regs.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- procfs_regs.c	1997/08/02 14:32:16	1.7
+++ procfs_regs.c	1997/08/12 04:34:29	1.8
@@ -37,7 +37,7 @@
  *	@(#)procfs_regs.c	8.4 (Berkeley) 6/15/94
  *
  * From:
- *	$Id: procfs_regs.c,v 1.7 1997/08/02 14:32:16 bde Exp $
+ *	$Id: procfs_regs.c,v 1.8 1997/08/12 04:34:29 sef Exp $
  */
 
 #include <sys/param.h>
@@ -60,6 +60,8 @@
 	char *kv;
 	int kl;
 
+	if (!CHECKIO(curp, p))
+		return EPERM;
 	kl = sizeof(r);
 	kv = (char *) &r;
 
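Review bot: The new permission test is dropped directly above `kl = sizeof(r);` with no blank line and returns `EPERM` unparenthesized, which differs from the parenthesized-return style visible in the other files of this patch; `return (EPERM);` followed by a blank line would read like the rest of the file. Unlike the procfs_mem.c change there is intentionally no KMEM_GROUP exemption here, and that is worth stating so nobody later "fixes" it: `/* Register access is CHECKIO-only; no kmem-group exception as for Pmem. */`. The identical two lines are added to procfs_fpregs.c in the same form, so both points apply there too. Both functions begin before their hunks, so the declarations of curp and p, and whether curp is the requesting process, cannot be confirmed from the hunk.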
Index: procfs_vnops.c
===================================================================
RCS file: /home/ncvs/src/sys/miscfs/procfs/procfs_vnops.c,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -r1.30 -r1.31
--- procfs_vnops.c	1997/08/02 14:32:20	1.30
+++ procfs_vnops.c	1997/08/12 04:34:30	1.31
@@ -36,7 +36,7 @@
  *
  *	@(#)procfs_vnops.c	8.18 (Berkeley) 5/21/95
  *
- *	$Id: procfs_vnops.c,v 1.30 1997/08/02 14:32:20 bde Exp $
+ *	$Id: procfs_vnops.c,v 1.31 1997/08/12 04:34:30 sef Exp $
  */
 
 /*
@@ -127,16 +127,21 @@
 	} */ *ap;
 {
 	struct pfsnode *pfs = VTOPFS(ap->a_vp);
+	struct proc *p1 = ap->a_p, *p2 = PFIND(pfs->pfs_pid);
+
+	if (p2 == NULL)
+		return ENOENT;
 
 	switch (pfs->pfs_type) {
 	case Pmem:
-		if (PFIND(pfs->pfs_pid) == 0)
-			return (ENOENT);	/* was ESRCH, jsp */
-
 		if ((pfs->pfs_flags & FWRITE) && (ap->a_mode & O_EXCL) ||
 		    (pfs->pfs_flags & O_EXCL) && (ap->a_mode & FWRITE))
 			return (EBUSY);
 
+		if (!CHECKIO(p1, p2) &&
+		    (p1->p_cred->pc_ucred->cr_gid != KMEM_GROUP))
+			return EPERM;
+
 		if (ap->a_mode & FWRITE)
 			pfs->pfs_flags = ap->a_mode & (FWRITE|O_EXCL);
 
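Review bot: In procfs_open the new CHECKIO test (lines 151-153) runs after the EBUSY test, so a caller that is about to be refused with EPERM can still learn from EBUSY whether some other process holds the memory node open exclusively; moving the permission check ahead of the `pfs_flags`/`O_EXCL` comparison closes that small disclosure at no cost. This hunk also exempts KMEM_GROUP regardless of open mode, while the check added to procfs_mem.c in the same patch exempts it only for UIO_READ, so an sgid-kmem opener passing FWRITE will presumably succeed here and then fail on the write; adding `!(ap->a_mode & FWRITE)` to the exemption would make the two agree. `return ENOENT;` and `return EPERM;` drop the parentheses the remaining returns in this function keep. The function's header and the rest of the switch lie outside the hunk, so I cannot see whether other node types now rely on the moved PFIND check.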
@@ -194,7 +199,6 @@
 		struct proc *a_p;
 	} */ *ap;
 {
-
 	return (ENOTTY);
 }
 
Index: procfs_fpregs.c
===================================================================
RCS file: /home/ncvs/src/sys/miscfs/procfs/procfs_fpregs.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- procfs_fpregs.c	1997/08/02 14:32:11	1.7
+++ procfs_fpregs.c	1997/08/12 05:23:51	1.8
@@ -37,7 +37,7 @@
  *	@(#)procfs_fpregs.c	8.2 (Berkeley) 6/15/94
  *
  * From:
- *	$Id: procfs_fpregs.c,v 1.7 1997/08/02 14:32:11 bde Exp $
+ *	$Id: procfs_fpregs.c,v 1.8 1997/08/12 05:23:51 sef Exp $
  */
 
 #include <sys/param.h>
@@ -60,6 +60,8 @@
 	char *kv;
 	int kl;
 
+	if (!CHECKIO(curp, p))
+		return EPERM;
 	kl = sizeof(r);
 	kv = (char *) &r;
 


