From: Warner Losh
To: Matthew Dillon
Cc: Kris Kennaway, Dan Moschuk, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/i386/conf files.i386 src/sys/kern kern_fork.c src/sys/libkern arc4random.c src/sys/sys libkern.h
Date: Mon, 29 Nov 1999 16:35:51 -0700
Message-Id: <199911292335.QAA97810@harmony.village.org>
In-reply-to: Your message of "Mon, 29 Nov 1999 14:39:46 PST." <199911292239.OAA11977@apollo.backplane.com>
References: <199911292239.OAA11977@apollo.backplane.com>

In message <199911292239.OAA11977@apollo.backplane.com> Matthew Dillon writes:
: Not really. Example: fork/exec an suid program. You now know what
: the pid is (the return value of the fork). There is no need to guess,
: and a randomized pid won't help you. In fact, you can TSTP the program
: relatively easily since you are probably still the controlling terminal.
: You can effectively exploit the window even without TSTPing or STOPing
: the program.
:
: The only time a randomized pid would help you is with historical
: cron root-run code. But all of those holes have been fixed (we believe).

I don't think this is true.
There are tmp file races with things like gcc which would allow one to insert arbitrary code into a file being compiled, should one wish to do so and can guess things. At least there used to be; I don't know if this is the case still. When you are racing others on the system w/o this change you had a small range of pids to choose from. After this change there is a large range. Some of the races are to overwrite an arbitrary file on the system, while others are to provide bad data to a process running under a different uid to do bad things to that uid...

Warner
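The race Warner describes depends on a temp-file name that can be derived from the victim's pid. The C example below is added here and is not code from the thread, from gcc or from FreeBSD; it shows such a pid-derived naming pattern (the `/tmp/cc<pid>.s` format is an assumption for illustration) beside the defensive pattern that makes the guess irrelevant: creating the file with O_CREAT|O_EXCL, as mkstemp(3) does, so a pre-placed file or symlink at the predicted path is refused instead of written through.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Old-style temp name derived from the pid. The "/tmp/cc<pid>.s" pattern is an
 * assumption for illustration, not gcc's real format. With sequential pid
 * allocation the next process's name is easy to predict; randomized pids only
 * widen the range that has to be covered, they do not remove the race. */
int predictable_tmp_path(char *buf, size_t len, pid_t pid)
{
    int n = snprintf(buf, len, "/tmp/cc%d.s", (int)pid);
    return n > 0 && (size_t)n < len;
}

/* Defensive creation: O_CREAT|O_EXCL fails with EEXIST if anything already
 * sits at the path, so a pre-placed file or symlink is refused rather than
 * followed and overwritten. Mode 0600 keeps other uids out of the data. */
int open_tmp_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred form: mkstemp(3) picks an unpredictable suffix and opens the file
 * with O_EXCL in one step, so there is no name to guess and no window between
 * choosing the name and creating the file. The template is filled in place. */
int create_tmp_safely(char *tmpl, size_t len, const char *dir)
{
    int n = snprintf(tmpl, len, "%s/example.XXXXXX", dir);
    if (n <= 0 || (size_t)n >= len)
        return -1;
    return mkstemp(tmpl);
}

int main(void)
{
    char guess[64], path[64];
    predictable_tmp_path(guess, sizeof guess, getpid());
    printf("pid-derived name that could be predicted: %s\n", guess);

    int fd = create_tmp_safely(path, sizeof path, "/tmp");
    if (fd < 0) { perror("mkstemp"); return 1; }
    /* A second exclusive create of the same path is refused: this is what
     * protects the file if the name had been guessed and pre-created. */
    int again = open_tmp_exclusive(path);
    printf("exclusive re-create of %s: %s\n", path,
           again < 0 && errno == EEXIST ? "refused (EEXIST)" : "unexpected");
    close(fd);
    unlink(path);
    return 0;
}
```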