From: Tim Robbins
To: Kris Kennaway
Cc: current@FreeBSD.ORG
Subject: Re: Device permissions with DEVFS
Date: Tue, 19 Nov 2002 17:46:52 +1100
Message-ID: <20021119174652.A74461@dilbert.robbins.dropbear.id.au>
In-Reply-To: <20021119050304.GA2608@rot13.obsecurity.org>

On Mon, Nov 18, 2002 at 09:03:06PM -0800, Kris Kennaway wrote:

> Something that needs to be addressed before 5.0 is the insecure
> default permissions on many devices. For example, on my system, the
> following devices have insecure permissions on 5.0 (but not on 4.x
> with the default MAKEDEV settings):
>
> crw-r--r--  1 root  operator  117,   0 Nov 18 14:49 acd0
>
> crw-rw-rw-  1 root  wheel      21,   1 Nov 18 14:49 psm0
>
> crw-rw-rw-  1 root  wheel     180,   0 Nov 18 14:49 nvidia0
> (This one isn't part of FreeBSD, but I might as well report it now)
>
> crw-rw-rw-  1 root  wheel      30,   3 Nov 14 21:30 dsp0.0
> crw-rw-rw-  1 root  wheel      30, 0x00010003 Nov  8 23:38 dsp0.1
> crw-rw-rw-  1 root  wheel      30,   5 Nov  8 23:38 dspW0.0
> crw-rw-rw-  1 root  wheel      30, 0x00010005 Nov  8 23:38 dspW0.1
> crw-rw-rw-  1 root  wheel      30,  11 Nov  8 23:38 dspr0.0
>
> These have the same permissions on 4.x, but they're still insecure
> (unprivileged users can read from a microphone).
>
> I'm sure there are others I have missed. Could everyone please check
> their /dev (better, check the kernel source)?

I'm glad you brought this up... I'd like to see /dev/devctl made mode 600
instead of 644 because it does not look very robust and because only one
devctl can be open at a time.
The two other security/reliability bugs I can see are that the async
(ioctl FIOASYNC) and non-blocking (ioctl FIONBIO) flags are not cleared
between when one process closes the device and another opens it. Leaving
the non-blocking flag set confuses devd(8), causing it to exit immediately.
Leaving the async I/O flag set could cause the kernel to try to send SIGIO
with a stale thread pointer, possibly leading to a panic or the wrong
thread getting the signal.

I suggest this patch...

o More restrictive permissions on /dev/devctl (was 644, now 600)
o Clear nonblock and async flags across open/close

Index: subr_bus.c
===================================================================
RCS file: /x/freebsd/src/sys/kern/subr_bus.c,v
retrieving revision 1.116
diff -u -r1.116 subr_bus.c
--- subr_bus.c	7 Nov 2002 22:38:04 -0000	1.116
+++ subr_bus.c	19 Nov 2002 06:14:06 -0000
@@ -248,7 +248,7 @@
 static void
 devinit(void)
 {
-	devctl_dev = make_dev(&dev_cdevsw, 0, 0, 0, 0644, "devctl");
+	devctl_dev = make_dev(&dev_cdevsw, 0, 0, 0, 0600, "devctl");
 	mtx_init(&devsoftc.mtx, "dev mtx", "devd", MTX_DEF);
 	cv_init(&devsoftc.cv, "dev cv");
 	TAILQ_INIT(&devsoftc.devq);
@@ -261,6 +261,9 @@
 		return (EBUSY);
 	/* move to init */
 	devsoftc.inuse = 1;
+	devsoftc.nonblock = 0;
+	devsoftc.async = 0;
+	devsoftc.async_td = NULL;
 	return (0);
 }

It looks like there are some races involving devsoftc; the softc mutex
should probably be locked around checking the inuse flag in devopen(),
around clearing it in devclose(), around setting async and async_td in
devioctl() FIOASYNC case, around checking inuse and async_td in devaddq().

Tim
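Review bot: the 0644 to 0600 change in devinit() means a non-root process can no longer open /dev/devctl even read-only (open() fails with EACCES), which is the right direction given that only one devctl can be open at a time, but the new default should be stated in the commit message so anyone running a non-root reader of devctl understands why it stops working after the update.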
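Review bot: the second hunk resets nonblock, async and async_td in devopen(), but the inuse test that precedes it and the assignments that follow run without the softc lock, so two concurrent opens can both observe inuse == 0 and both succeed; the devsoftc.mtx initialised in devinit() should be held from the inuse check through the flag reset, as the paragraph after the patch already proposes. Consider also clearing async_td in devclose(): with this hunk alone the dangling thread pointer remains in the softc from close until the next open, and scrubbing it at close time means the softc never holds a stale pointer rather than relying on the next opener to do it.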
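A simple audit for the kind of world-accessible device nodes Kris lists, as an added example that is not part of this thread and not FreeBSD code: a POSIX sh script whose audit_dev_listing function reads "ls -l" output and reports character or block devices that the "other" class can read or write, plus an audit_dev_dir wrapper that runs the same check against a live /dev with find(1). The sample listing lines are constructed from the ones quoted above (with devctl shown at the 0600 mode the patch proposes); the function and variable names are the example's own.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: report device
# nodes that the "other" permission class can read or write, which is the
# property behind every entry in the listing Kris quoted (acd0, psm0, dsp*).

# audit_dev_listing: read "ls -l" style lines on stdin; for each character
# (c) or block (b) device whose mode grants read or write to "other", print
# the node name followed by the open bits, e.g. "psm0 o+r o+w".
audit_dev_listing() {
    awk '
        substr($1, 1, 1) ~ /^[cb]$/ {
            other = substr($1, 8, 3)            # the rwx triplet for "other"
            flags = ""
            if (other ~ /r/) flags = flags " o+r"
            if (other ~ /w/) flags = flags " o+w"
            if (flags != "") print $NF flags    # $NF is the node name
        }
    '
}

# audit_dev_dir: the same check against a live directory (default /dev)
# using only POSIX find(1) predicates; -perm -004 / -002 match nodes with
# the other-read / other-write bit set. Prints matching paths.
audit_dev_dir() {
    dir=${1:-/dev}
    find "$dir" \( -type c -o -type b \) \( -perm -004 -o -perm -002 \) 2>/dev/null
}

# Constructed sample listing (modelled on the lines quoted in the thread);
# devctl is shown with the 0600 mode proposed in the patch and should not
# be reported, and the regular file must be ignored.
SAMPLE_LISTING='crw-r--r--  1 root  operator  117,   0 Nov 18 14:49 acd0
crw-rw-rw-  1 root  wheel      21,   1 Nov 18 14:49 psm0
crw-rw-rw-  1 root  wheel      30, 0x00010003 Nov  8 23:38 dsp0.1
crw-------  1 root  wheel        0,   0 Nov 19 17:46 devctl
-rw-r--r--  1 root  wheel   4096 Nov 18 14:49 not-a-device'

# Usage: sh audit_dev.sh --demo   (runs over the constructed listing)
# or, in an interactive shell after sourcing this file: audit_dev_dir /dev
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | audit_dev_listing
fi
```

The listing-based function is what makes the check portable to a pasted "ls -l" from another machine, as in the thread; the find(1) form is what you would actually run against a local devfs, and both only look at the "other" bits, which is the class an unprivileged user falls into regardless of group membership.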