From: Konstantin Belousov <kostikbel@gmail.com>
To: Erik Cederstrand
Cc: freebsd-security@freebsd.org
Date: Mon, 1 Oct 2012 13:49:01 +0300
Subject: Re: Opinion on checking return value of setuid(getuid())?
Message-ID: <20121001104901.GJ35915@deviant.kiev.zoral.com.ua>
In-Reply-To: <9DD86238-51C8-4F38-B7EB-BD773039888B@cederstrand.dk>

On Mon, Oct 01, 2012 at 12:31:21PM +0200, Erik Cederstrand wrote:
> I'm looking through the clang analyzer reports and found this one: http://scan.freebsd.your.org/freebsd-head/sbin.ping/2012-09-30-amd64/report-R9ZgC6.html#EndPath
>
> It's complaining that, if setuid() fails for some reason, the process will continue with root privileges because the process is suid root.
>
> At first glance, it seems unnecessary to check the return value of "setuid(getuid())" since the user should always be able to drop privileges to itself. So I filed this bug with LLVM: http://llvm.org/bugs/show_bug.cgi?id=13979
>
> It turns out that setuid() *may* fail if the user hits its process limit. Apparently FreeBSD doesn't check the limit in the specific setuid(getuid()) case (I can't find the code anywhere right now) so this is not an issue, but Linux does. However, if FreeBSD decides to change the setuid() implementation at some point, the issue may surface again.
>
> A simple fix would be something like:
>
> Index: /freebsd/repos/head_scratch/src/sbin/ping/ping.c
> ===================================================================
> --- /freebsd/repos/head_scratch/src/sbin/ping/ping.c (revision 240960)
> +++ /freebsd/repos/head_scratch/src/sbin/ping/ping.c (working copy)
> @@ -255,7 +255,8 @@
>  	s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
>  	sockerrno = errno;
>  
> -	setuid(getuid());
> +	if (setuid(getuid()) != 0)
> +		err(EX_NOPERM, "setuid() failed");
>  	uid = getuid();
>  
>  	alarmtimeout = df = preload = tos = 0;
>
>
> There's an alternative approach for NetBSD with a patch to kern_exec.c here: http://mail-index.netbsd.org/tech-security/2008/01/12/msg000026.html but I have no idea if this applies to FreeBSD.
>
> I'd like an opinion on which way to go before filing PRs because we have around 200 of these warnings in the FreeBSD repo.
>
> Thanks,
> Erik

setuid() might also fail for other reasons, e.g. due to a custom MAC module.
In the case of ping, is the failure to drop the suid bit important?
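Review bot: the `err(EX_NOPERM, ...)` call in the hunk depends on <err.h> and <sysexits.h>, and the hunk adds no includes, so confirm ping.c already pulls both in before committing. Otherwise the change is the right fail-closed behaviour: aborting when setuid() returns non-zero is preferable to continuing with the setuid-root effective uid, the raw socket has already been obtained on the preceding `s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);` line so nothing privileged is lost by exiting here, and because err() appends strerror(errno) the reason for the failure (a process limit, a policy denial) reaches the user without extra code.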
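As an added example, not code from the thread or from ping.c: a C helper that does what the hunk does (treat a failed setuid(getuid()) as fatal) and additionally reads the uids back with getresuid(), so a drop that "succeeded" but left the effective or saved uid elevated is also caught. The function names are my own; the errno values named in the comments are the failure causes discussed in the thread, not a claim about any particular kernel.

```c
/* Added example, not code from ping.c: drop to the real uid and verify it. */
#define _GNU_SOURCE		/* getresuid() prototype on glibc */
#include <sys/types.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>
int getresuid(uid_t *, uid_t *, uid_t *);	/* in case unistd.h hid it */

/*
 * Returns 0 when real, effective and saved uids all equal the real uid,
 * otherwise -1 with errno set.  Callers must treat -1 as fatal: carrying
 * on would leave a setuid-root program with its elevated effective uid.
 */
int drop_to_real_uid(void)
{
	uid_t ruid, euid, suid;

	/* Possible causes: EAGAIN (process rlimit), EPERM (MAC policy). */
	if (setuid(getuid()) != 0)
		return (-1);
	/* Do not trust the return value alone; read the uids back. */
	if (getresuid(&ruid, &euid, &suid) != 0)
		return (-1);
	if (ruid != euid || ruid != suid) {
		errno = EPERM;
		return (-1);
	}
	return (0);
}

/* 1 if real, effective and saved uids all match, 0 otherwise. */
int privileges_dropped(void)
{
	uid_t ruid, euid, suid;
	if (getresuid(&ruid, &euid, &suid) != 0)
		return (0);
	return (ruid == euid && ruid == suid);
}

int main(void)
{
	if (drop_to_real_uid() != 0) {
		perror("setuid");	/* fail closed, as the ping.c hunk does */
		return (1);
	}
	printf("uid %ld, privileges dropped: %d\n",
	    (long)getuid(), privileges_dropped());
	return (0);
}
```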