From: Michael Hohmuth
To: FreeBSD-gnats-submit@FreeBSD.org
Date: Sun, 8 May 2005 22:17:29 +0200 (CEST)
Message-Id: <200505082017.j48KHTTQ007720@olymp.sax.de>
Subject: bin/80798: mount_portal pipe leaves file descriptors open for child processes

>Number:         80798
>Category:       bin
>Synopsis:       mount_portal pipe leaves file descriptors open for child processes
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 08 20:20:06 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Michael Hohmuth
>Release:        FreeBSD 4.11-STABLE i386
>Organization:
none
>Environment:
System: FreeBSD olymp.sax.de 4.11-STABLE FreeBSD 4.11-STABLE #25: Thu May 5 22:49:15 CEST 2005 root@olymp.sax.de:/usr/obj/usr/src/sys/OLYMP i386

>Description:
Commands invoked through the portal file system's "pipe" namespace
inherit some file descriptors from the mount_portal daemon. This has
two undesirable effects:

1. Files used by mount_portal, including the socket it uses for
   communicating with the kernel part of the portal file system, are
   available to the spawned command. This could be a security problem.

2. The inactive end of the pipe (stdin for programs whose output is
   read, and stdout for programs that are fed input) is wired to
   /dev/null. As this is hard or impossible to detect from within the
   program, it is virtually impossible to write programs that can act
   both as the read and the write end of the pipe. However, this type
   of program is desirable for programs acting as gateways or
   translators.
>How-To-Repeat:
Install a current copy of "lsof", then run the following commands (as
any user):

    echo 'lsof -p $$' > /tmp/lsof
    cat '/p/pipe/bin/sh /tmp/lsof'

You should see something like this:

    COMMAND  PID    USER   FD   TYPE     DEVICE SIZE/OFF  NODE NAME
    sh      7628 hohmuth  cwd   VDIR 116,196608     1024     2 /
    sh      7628 hohmuth  rtd   VDIR 116,196608     1024     2 /
    sh      7628 hohmuth  txt   VREG 116,196608   461440 44131 /bin/sh
    sh      7628 hohmuth    0u  VCHR        2,2     0t35 21979 /dev/null
    sh      7628 hohmuth    1u  PIPE 0xce0222a0    16384       ->0xce0223e0
    sh      7628 hohmuth    2u  PIPE 0xce0227a0    16384       ->0xce022020
    sh      7628 hohmuth    3r  VREG 116,196608     1070 22651 /etc/fstab
    sh      7628 hohmuth    5u  unix 0xcc9bb140      0t0       /tmp/portalILOGROXwic
    sh      7628 hohmuth   10r  VREG      253,0       11    56 /tmp/lsof

As you can see, the spawned shell still has /etc/fstab and
/tmp/portalILOGROXwic open (problem 1), and stdin is wired to
/dev/null (problem 2).

>Fix:
To fix problem 1: Close (or do not inherit) all file descriptors >= 3
before execing the child program.

To fix problem 2: Close the child program's stdin when ``reading from
the program,'' or stdout when ``writing to the program,''
respectively.

>Release-Note:
>Audit-Trail:
>Unformatted:
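
Added example, not part of the original report and not mount_portal's code: a C sketch of the fix proposed for problem 1, counting the descriptors a forked child would carry into an exec with and without the cleanup. The helper names, the /dev/null and socketpair stand-ins for /etc/fstab and the portal socket, and the FD_SCAN_MAX bound are assumptions made for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define FD_SCAN_MAX 4096  /* demo bound (assumption); real code must cover RLIMIT_NOFILE */
/* Count descriptors >= 3 that an exec'd program would see (open, no FD_CLOEXEC). */
static int count_exec_visible(void)
{
    int n = 0;
    for (int fd = 3; fd < FD_SCAN_MAX; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags != -1 && !(flags & FD_CLOEXEC))
            n++;
    }
    return n;
}

/* Hypothetical daemon with a file and a socket open; returns fds a child inherits, -1 on error. */
int leaked_fds_in_child(int harden)
{
    int sv[2], status = 0, result = -1;
    int cfg = open("/dev/null", O_RDONLY);  /* constructed stand-in for /etc/fstab */
    if (cfg < 0)
        return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {  /* stand-in for the portal socket */
        close(cfg);
        return -1;
    }
    pid_t pid = fork();
    if (pid == 0) {
        if (harden)                         /* fix 1: close everything >= 3 before exec */
            for (int fd = 3; fd < FD_SCAN_MAX; fd++)
                (void)close(fd);
        int n = count_exec_visible();       /* the exec of the command would go here */
        _exit(n > 255 ? 255 : n);           /* exit status carries the count back */
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        result = WEXITSTATUS(status);
    close(cfg); close(sv[0]); close(sv[1]);
    return result;
}

int main(void)
{
    printf("leaked: %d plain, %d after cleanup\n", leaked_fds_in_child(0), leaked_fds_in_child(1));
    return 0;
}
```

The "do not inherit" alternative named in the fix corresponds to setting FD_CLOEXEC on the daemon's own descriptors, which the counting helper already treats as not visible to the exec'd program.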