Date: Fri, 27 Aug 1999 15:04:19 -0700 (PDT)
From: dima@best.net (Dima Ruban)
To: imp@village.org (Warner Losh)
Cc: ludwigp@bigfoot.com (Ludwig Pummer), freebsd-security@FreeBSD.ORG
Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
Message-ID: <199908272204.PAA09830@burka.rdy.com>
In-Reply-To: <199908272152.PAA76258@harmony.village.org> from Warner Losh at "Aug 27, 1999 03:52:43 pm"
Warner Losh writes:
> In message <37C6C42E.78E600F4@bigfoot.com> Ludwig Pummer writes:
> : It was pointed out yesterday that 3 conditions need to be present for
> : this to be exploitable, and 2.2.8 doesn't have at least one of the
> : conditions (core dump won't follow symlinks in 2.2.8).
>
> Others have pointed out to me that 2.x will, indeed, follow symlinks.
> I don't have a system handy that I can test on (all my 2.x systems
> have core dumps turned off completely because they are on ultra-tiny
> disks).
That was exactly my problem (coredumps are disabled). Sorry about that.
RELENG_2_2 is indeed vulnerable, and the patch is ready. As soon as I
get a review, I'll commit it.
Patch is attached.
>
> Warner
-- dima
*** sys/LINK/fcntl.h Wed Dec 18 05:08:08 1996
--- sys/fcntl.h Fri Aug 27 14:39:26 1999
***************
*** 84,89 ****
--- 84,90 ----
#define O_EXLOCK 0x0020 /* open with exclusive file lock */
#define O_ASYNC 0x0040 /* signal pgrp when data ready */
#define O_FSYNC 0x0080 /* synchronous writes */
+ #define O_NOFOLLOW 0x0100 /* don't follow symlinks */
#endif
#define O_CREAT 0x0200 /* create if nonexistent */
#define O_TRUNC 0x0400 /* truncate to zero length */
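Review bot: the new `O_NOFOLLOW` define lands inside the same conditional block as `O_EXLOCK`, `O_ASYNC` and `O_FSYNC` (the `#endif` right after it closes that block), so it is visible only where those three are; that is fine for the kernel callers in this patch, but please confirm that nothing else in this tree already uses bit 0x0100 in the gap between `O_FSYNC` (0x0080) and `O_CREAT` (0x0200), and plan an open(2) manpage update that documents the flag and the error it produces when the final component is a symlink.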
*** kern/LINK/kern_sig.c Sat Dec 21 10:57:24 1996
--- kern/kern_sig.c Fri Aug 27 14:38:25 1999
***************
*** 1241,1249 ****
p->p_rlimit[RLIMIT_CORE].rlim_cur)
return (EFAULT);
sprintf(name, "%s.core", p->p_comm);
! NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, name, p);
if ((error = vn_open(&nd,
! O_CREAT | FWRITE, S_IRUSR | S_IWUSR)))
return (error);
vp = nd.ni_vp;
--- 1241,1249 ----
p->p_rlimit[RLIMIT_CORE].rlim_cur)
return (EFAULT);
sprintf(name, "%s.core", p->p_comm);
! NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, name, p);
if ((error = vn_open(&nd,
! O_CREAT | FWRITE | O_NOFOLLOW, S_IRUSR | S_IWUSR)))
return (error);
vp = nd.ni_vp;
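Review bot: the `NOFOLLOW` passed to `NDINIT` here is overwritten before it is used, because `vn_open` reassigns `ndp->ni_cnd.cn_flags` on both of its paths (see the vfs_vnops.c hunks below in this patch); the `O_NOFOLLOW` bit in the `vn_open` mode argument is what actually changes behaviour, so the `NDINIT` change is harmless and only documents intent. More importantly, once following is suppressed, a symlink named `<comm>.core` is no longer traversed but is returned as the vnode itself, so the code after `vp = nd.ni_vp;` (cut off by this hunk) must reject any vnode that is not a plain regular file before the dump is written; please confirm that check is present in RELENG_2_2 or add it as part of this change.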
*** kern/LINK/vfs_vnops.c Sat Mar 8 07:16:18 1997
--- kern/vfs_vnops.c Fri Aug 27 14:37:01 1999
***************
*** 87,93 ****
if (fmode & O_CREAT) {
ndp->ni_cnd.cn_nameiop = CREATE;
ndp->ni_cnd.cn_flags = LOCKPARENT | LOCKLEAF;
! if ((fmode & O_EXCL) == 0)
ndp->ni_cnd.cn_flags |= FOLLOW;
error = namei(ndp);
if (error)
--- 87,93 ----
if (fmode & O_CREAT) {
ndp->ni_cnd.cn_nameiop = CREATE;
ndp->ni_cnd.cn_flags = LOCKPARENT | LOCKLEAF;
! if ((fmode & O_EXCL) == 0 && (fmode & O_NOFOLLOW) == 0)
ndp->ni_cnd.cn_flags |= FOLLOW;
error = namei(ndp);
if (error)
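Review bot: clearing `FOLLOW` here means an existing symlink at the target name now reaches the existing-file branch of `vn_open` with `ndp->ni_vp` being the link vnode itself (type `VLNK`), and nothing in this hunk turns that into an error; consider failing the open with `EMLINK` when `O_NOFOLLOW` is set and the looked-up vnode is a symlink, rather than letting the caller open the link object. The existing `O_EXCL` logic already drops `FOLLOW`, so the combined condition reads naturally; a short comment above the `if` noting that `O_NOFOLLOW` stops only at the final component (intermediate symlinks are still traversed) would help future readers.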
***************
*** 119,125 ****
}
} else {
ndp->ni_cnd.cn_nameiop = LOOKUP;
! ndp->ni_cnd.cn_flags = FOLLOW | LOCKLEAF;
error = namei(ndp);
if (error)
return (error);
--- 119,126 ----
}
} else {
ndp->ni_cnd.cn_nameiop = LOOKUP;
! ndp->ni_cnd.cn_flags =
! ((fmode & O_NOFOLLOW) ? NOFOLLOW : FOLLOW) | LOCKLEAF;
error = namei(ndp);
if (error)
return (error);
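Review bot: the conditional `((fmode & O_NOFOLLOW) ? NOFOLLOW : FOLLOW)` is correct but relies on `NOFOLLOW` being the zero flag in namei.h; writing it as `cn_flags = LOCKLEAF;` followed by `if ((fmode & O_NOFOLLOW) == 0) cn_flags |= FOLLOW;` would match the style of the `O_CREAT` branch above and not depend on that. The same gap as in the `O_CREAT` path applies here: a symlink final component comes back as the `VLNK` vnode and this hunk does not reject it, so an `EMLINK` check belongs after `namei` on both paths (or once, at the point where the two branches join).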