From owner-freebsd-security Fri Aug 15 19:23:31 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id TAA02584 for security-outgoing; Fri, 15 Aug 1997 19:23:31 -0700 (PDT) Received: from cwsys.cwent.com (66@cschuber.net.gov.bc.ca [142.31.240.113]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id TAA02579 for ; Fri, 15 Aug 1997 19:23:24 -0700 (PDT) Received: (from uucp@localhost) by cwsys.cwent.com (8.8.7/8.6.10) id TAA07251; Fri, 15 Aug 1997 19:22:26 -0700 (PDT) Message-Id: <199708160222.TAA07251@cwsys.cwent.com> Received: from localhost.cwent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwent.com, id smtpd007244; Sat Aug 16 02:22:19 1997 Reply-to: cschuber@uumail.gov.bc.ca X-Mailer: MH To: Peter Champas cc: security@freebsd.org Subject: Re: Since people didn't save the procfs patches In-reply-to: Your message of "Fri, 15 Aug 1997 10:57:19 +1000." <33F3A96F.C6D7C46F@besys.net.au> Date: Fri, 15 Aug 1997 19:22:18 -0700 
From: Cy Schubert Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > This is a multi-part message in MIME format. > --------------16146B8AFABDB64EA0E5C1A6 > Content-Type: text/plain; charset=us-ascii > Content-Transfer-Encoding: 7bit > > Sean Eric Fagan wrote: > > > > when I sent them out, and did not grab the new files, here they are > > again. > > These are -current; they should apply pretty easily to 2.2-ANYTHING, > > however -- the procfs files don't change all that often most of the > > time ;). > > retrieving revision 1.15 > Call me stupid and But 2.2-ANYTHING, is not entirly true (unless I > missed somthing) cause most of the files being patched look as though > they are 2 revisions behind, and I got rejections when I did the patch. > I am Running 2.2.1 > > Mind you I still don't know how to compile procfs source so any help > would be great.. The patched sources for 2.2.2R are available via cvsup. I took the liberty of getting the patched procfs sources and creating a diff file for anyone running 2.2.2R as shipped on the CDROM. They do fix the problem. I'm not sure whether the enclosed patches will work on 2.2.1. Only in miscfs/procfs: CVS diff -ur miscfs/procfs/procfs.h /opt/CVSup/usr/src/sys/miscfs/procfs/procfs.h --- miscfs/procfs/procfs.h Tue Jul 2 06:38:07 1996 +++ /opt/CVSup/usr/src/sys/miscfs/procfs/procfs.h Tue Aug 12 08:52:15 1997 @@ -36,7 +36,7 @@ * * @(#)procfs.h 8.6 (Berkeley) 2/3/94 * - * $Id: procfs.h,v 1.12 1996/07/02 13:38:07 dyson Exp $ + * $Id: procfs.h,v 1.12.2.1 1997/08/12 04:45:20 sef Exp $ */ /* 
@@ -83,6 +83,18 @@ (bcmp((s), (cnp)->cn_nameptr, (len)) == 0)) #define KMEM_GROUP 2 + +/* + * Check to see whether access to target process is allowed + * Evaluates to 1 if access is allowed. + */ +#define CHECKIO(p1, p2) \ + ((((p1)->p_cred->pc_ucred->cr_uid == (p2)->p_cred->p_ruid) && \ + ((p1)->p_cred->p_ruid == (p2)->p_cred->p_ruid) && \ + ((p1)->p_cred->p_svuid == (p2)->p_cred->p_ruid) && \ + ((p2)->p_flag & P_SUGID) == 0) || \ + (suser((p1)->p_cred->pc_ucred, &(p1)->p_acflag) == 0)) + /* * Format of a directory entry in /proc, ... * This must map onto struct dirent (see ) diff -ur miscfs/procfs/procfs_fpregs.c /opt/CVSup/usr/src/sys/miscfs/procfs/procfs_fpregs.c --- miscfs/procfs/procfs_fpregs.c Wed Jan 24 10:40:56 1996 +++ /opt/CVSup/usr/src/sys/miscfs/procfs/procfs_fpregs.c Tue Aug 12 08:52:18 1997 @@ -36,7 +36,7 @@ * * @(#)procfs_fpregs.c 8.1 (Berkeley) 1/27/94 * - * $Id: procfs_fpregs.c,v 1.3 1996/01/24 18:40:56 peter Exp $ + * $Id: procfs_fpregs.c,v 1.3.4.1 1997/08/12 05:24:20 sef Exp $ */ #include @@ -62,6 +62,8 @@ char *kv; int kl; + if (!CHECKIO(curp, p)) + return EPERM; kl = sizeof(r); kv = (char *) &r; diff -ur miscfs/procfs/procfs_mem.c /opt/CVSup/usr/src/sys/miscfs/procfs/procfs_mem.c --- miscfs/procfs/procfs_mem.c Wed Oct 23 19:47:05 1996 +++ /opt/CVSup/usr/src/sys/miscfs/procfs/procfs_mem.c Tue Aug 12 08:52:18 1997 @@ -37,7 +37,7 @@ * * @(#)procfs_mem.c 8.4 (Berkeley) 1/21/94 * - * $Id: procfs_mem.c,v 1.20 1996/10/24 02:47:05 dyson Exp $ + * $Id: procfs_mem.c,v 1.20.2.1 1997/08/12 04:45:23 sef Exp $ */ /* 
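Review bot: The comment above CHECKIO() only says it "evaluates to 1 if access is allowed" and never states the rule, which matters because the macro compares p1's effective, real and saved uids against p2's real uid only and relies on the P_SUGID test to stand in for a target whose effective or saved uid differs. Suggested replacement for the two comment lines: `/* Allowed when p1's effective, real and saved uids all equal p2's real uid and p2 has never changed credentials (P_SUGID clear), or when p1 passes suser(). p1 and p2 are evaluated more than once. */`. Because `||` short-circuits, suser() and its `&(p1)->p_acflag` argument are reached only when the uid match fails, so — if suser() behaves as in 4.4BSD — the ASU accounting flag is set only on the privileged fall-through path, which is worth a word in the same comment. As a header macro rather than a static inline function it gives callers no type checking on p1 and p2.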
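Review bot: The new guard is written `return EPERM;` while the surrounding procfs code parenthesises return values (`return (0);`, `return (EINVAL);`, `return (ENOENT);` in the later hunks), so `return (EPERM);` would match; the identical two lines added to procfs_regs.c at @@ -62 have the same inconsistency. A one-line comment would also help the next reader, e.g. `/* Only a process allowed to debug the target (see CHECKIO) may read or write its registers. */`. The enclosing function, including the declarations of curp and p, starts outside the hunk.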
@@ -300,6 +300,23 @@ if (uio->uio_resid == 0) return (0); + /* + * XXX + * We need to check for KMEM_GROUP because ps is sgid kmem; + * not allowing it here causes ps to not work properly. Arguably, + * this is a bug with what ps does. We only need to do this + * for Pmem nodes, and only if it's reading. This is still not + * good, as it may still be possible to grab illicit data if + * a process somehow gets to be KMEM_GROUP. Note that this also + * means that KMEM_GROUP can't change without editing procfs.h! + * All in all, quite yucky. + */ + + if (!CHECKIO(curp, p) && + !(curp->p_cred->pc_ucred->cr_gid == KMEM_GROUP && + uio->uio_rw == UIO_READ)) + return EPERM; + error = procfs_rwmem(p, uio); return (error); diff -ur miscfs/procfs/procfs_regs.c /opt/CVSup/usr/src/sys/miscfs/procfs/procfs_regs.c --- miscfs/procfs/procfs_regs.c Wed Jan 24 10:41:25 1996 +++ /opt/CVSup/usr/src/sys/miscfs/procfs/procfs_regs.c Tue Aug 12 08:52:18 1997 @@ -36,7 +36,7 @@ * * @(#)procfs_regs.c 8.3 (Berkeley) 1/27/94 * - * $Id: procfs_regs.c,v 1.3 1996/01/24 18:41:25 peter Exp $ + * $Id: procfs_regs.c,v 1.3.4.1 1997/08/12 04:45:25 sef Exp $ */ #include @@ -62,6 +62,8 @@ char *kv; int kl; + if (!CHECKIO(curp, p)) + return EPERM; kl = sizeof(r); kv = (char *) &r; diff -ur miscfs/procfs/procfs_subr.c /opt/CVSup/usr/src/sys/miscfs/procfs/procfs_subr.c --- miscfs/procfs/procfs_subr.c Sat Aug 31 09:52:39 1996 +++ /opt/CVSup/usr/src/sys/miscfs/procfs/procfs_subr.c Sat Jun 21 16:23:55 1997 @@ -36,7 +36,7 @@ * * @(#)procfs_subr.c 8.4 (Berkeley) 1/27/94 * - * $Id: procfs_subr.c,v 1.10 1996/08/31 16:52:39 bde Exp $ + * $Id: procfs_subr.c,v 1.10.2.1 1997/06/21 16:16:34 alex Exp $ */ #include 
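Review bot: The kmem exception tests only the effective gid, `curp->p_cred->pc_ucred->cr_gid == KMEM_GROUP`, and never the supplementary group list, so kmem membership held only via cr_groups[] does not qualify; that is the narrower reading and fits an sgid-kmem ps, but the XXX comment should say it is intended, e.g. append `Only the effective gid is consulted, not supplementary groups.`. The blank line between that block comment and the `if` it describes should be dropped so the two read as one unit, and `return EPERM;` should be `return (EPERM);` as on the neighbouring `return (0);` and `return (error);` lines. The enclosing function starts outside the hunk.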
@@ -236,6 +236,8 @@ p = PFIND(pfs->pfs_pid); if (p == 0) return (EINVAL); + if (p->p_pid == 1 && securelevel > 0 && uio->uio_rw == UIO_WRITE) + return(EACCES); while (pfs->pfs_lockowner) { tsleep(&pfs->pfs_lockowner, PRIBIO, "pfslck", 0); diff -ur miscfs/procfs/procfs_vnops.c /opt/CVSup/usr/src/sys/miscfs/procfs/procfs_vnops.c --- miscfs/procfs/procfs_vnops.c Tue Sep 3 07:23:10 1996 +++ /opt/CVSup/usr/src/sys/miscfs/procfs/procfs_vnops.c Tue Aug 12 08:52:19 1997 @@ -36,7 +36,7 @@ * * @(#)procfs_vnops.c 8.6 (Berkeley) 2/7/94 * - * $Id: procfs_vnops.c,v 1.24 1996/09/03 14:23:10 bde Exp $ + * $Id: procfs_vnops.c,v 1.24.2.1 1997/08/12 04:45:27 sef Exp $ */ /* @@ -120,16 +120,21 @@ struct vop_open_args *ap; { struct pfsnode *pfs = VTOPFS(ap->a_vp); + struct proc *p1 = ap->a_p, *p2 = PFIND(pfs->pfs_pid); + + if (p2 == NULL) + return ENOENT; switch (pfs->pfs_type) { case Pmem: - if (PFIND(pfs->pfs_pid) == 0) - return (ENOENT); /* was ESRCH, jsp */ - if (((pfs->pfs_flags & FWRITE) && (ap->a_mode & O_EXCL)) || ((pfs->pfs_flags & O_EXCL) && (ap->a_mode & FWRITE))) return (EBUSY); + if (!CHECKIO(p1, p2) && + (p1->p_cred->pc_ucred->cr_gid != KMEM_GROUP)) + return EPERM; + if (ap->a_mode & FWRITE) pfs->pfs_flags = ap->a_mode & (FWRITE|O_EXCL); @@ -176,7 +181,6 @@ procfs_ioctl(ap) struct vop_ioctl_args *ap; { - return (ENOTTY); } Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 UNIX Support OV/VM: BCSC02(CSCHUBER) ITSD BITNET: CSCHUBER@BCSC02.BITNET Government of BC Internet: cschuber@uumail.gov.bc.ca cschuber@bcsc02.gov.bc.ca "Quit spooling around, JES do it."
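Review bot: The new securelevel guard returns EACCES while every other refusal this patch adds returns EPERM, and it is written `return(EACCES);` where the line above uses `return (EINVAL);`; unless the distinct errno is deliberate, `return (EPERM);` would be consistent on both counts. A comment would make the intent explicit, e.g. `/* At securelevel > 0, init (pid 1) must not be modified through procfs. */`. The guard covers pid 1 only; whether other system processes need the same treatment is not something this hunk answers. The enclosing function starts outside the hunk.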
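Review bot: In the vop_open routine's Pmem case the kmem exception `p1->p_cred->pc_ucred->cr_gid != KMEM_GROUP` admits an open for writing, yet the matching check in procfs_mem.c (@@ -300) honours that group only for UIO_READ, so a kmem-group caller that fails CHECKIO can open the node with FWRITE, have pfs_flags set, and only be refused with EPERM at each write. Tightening the open-time check to `if (!CHECKIO(p1, p2) && (p1->p_cred->pc_ucred->cr_gid != KMEM_GROUP || (ap->a_mode & FWRITE))) return (EPERM);` refuses it up front and keeps the two sites consistent. That check should also be moved ahead of the EBUSY test, so a caller without access cannot learn whether another process holds the node exclusively. The switch continues past the end of the hunk.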