Date: Mon, 4 Aug 1997 14:57:06 -0500 (EST)
From: nirva@ishiboo.com
To: sef@kithrup.com (Sean Eric Fagan)
Cc: bde@zeta.org.au, tqbf@enteract.com, security@FreeBSD.ORG
Subject: Re: Proposed alternate patch for the rfork vulnerability
Message-ID: <19970804195706.9133.qmail@ishiboo.com>
In-Reply-To: <199708041703.KAA16417@kithrup.com> from Sean Eric Fagan at "Aug 4, 97 10:03:55 am"
Sean Eric Fagan stands accused of saying:
> I'm sorry, Bruce, but having the file descriptor sharing break on
> exec is the ONLY way to have it make sense, let alone be secure.
>

Breaking file descriptor sharing is breaking the established semantics of
rfork(). Note that when exec()ing an suid/sgid program while being
ptrace()ed, the suid/sgid bit is dropped, not the functionality of ptrace().

kern_exec.c:

        /*
         * Disable setuid/setgid if the filesystem prohibits it or if
         * the process is being traced.
         */
        if ((vp->v_mount->mnt_flag & MNT_NOSUID) || (p->p_flag & P_TRACED))
                attr->va_mode &= ~(VSUID | VSGID);

If you choose to break FD sharing, you are not following what seems to be an
established method of removing permissions where security is concerned. The
fact that you remove the sharing will do much damage to non-permission
extending programs without gaining any advantage. If you were to just remove
the permission extensions, then you would be following the convention of the
ptrace() issue, as well as only changing functionality when security is a
concern.

If you choose to copy FDs on exec, you might as well stay consistent and turn
off ptrace and anything else that might be accessed by more than one process.

---------------------------------------------------------------------------
Danny Dulai                                      Feet. Pumice. Lotion.
http://www.ishiboo.com/~nirva/                        nirva@ishiboo.com
---------------------------------------------------------------------------
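The two strategies argued over in this message can be compared side by side in a small user-space model. The code below is an added example, not code from the thread or from the FreeBSD kernel: it borrows the flag names from the kern_exec.c fragment quoted above (VSUID, VSGID, MNT_NOSUID, P_TRACED) but the numeric values, the `model_proc` and `model_mount` structs, and the `fd_refcnt` field standing in for a shared descriptor table are all constructed for the model. `exec_break_sharing` models unsharing the descriptor table on every exec; `exec_drop_privs` models the alternative of keeping the sharing and clearing the set-id bits, the way the existing code already does for a traced process.

```c
/* Added example: a user-space model of the exec-time decision discussed in
 * the message. Flag names follow kern_exec.c; values and structs are
 * constructed for this model and are not the kernel's definitions. */
#include <stdio.h>

#define VSUID      04000
#define VSGID      02000
#define MNT_NOSUID 0x0008   /* constructed value */
#define P_TRACED   0x0800   /* constructed value */

struct model_proc {
    unsigned p_flag;      /* P_TRACED etc. */
    int      fd_refcnt;   /* >1: the fd table is shared, as after rfork() without RFFDG */
};

struct model_mount { unsigned mnt_flag; };

struct exec_result {
    unsigned va_mode;     /* mode the new image runs with */
    int      fd_refcnt;   /* sharing state after exec */
};

/* The rule already in kern_exec.c: drop set-id bits on a nosuid filesystem
 * or when the process is being traced. */
static unsigned base_rule(unsigned va_mode, const struct model_proc *p,
                          const struct model_mount *m) {
    if ((m->mnt_flag & MNT_NOSUID) || (p->p_flag & P_TRACED))
        va_mode &= ~(VSUID | VSGID);
    return va_mode;
}

/* Strategy A: unshare the descriptor table on every exec. */
struct exec_result exec_break_sharing(unsigned va_mode, const struct model_proc *p,
                                      const struct model_mount *m) {
    struct exec_result r;
    r.va_mode = base_rule(va_mode, p, m);
    r.fd_refcnt = 1;  /* new image always gets a private copy */
    return r;
}

/* Strategy B: keep the sharing, but treat a shared descriptor table like
 * being traced and clear the set-id bits. */
struct exec_result exec_drop_privs(unsigned va_mode, const struct model_proc *p,
                                   const struct model_mount *m) {
    struct exec_result r;
    r.va_mode = base_rule(va_mode, p, m);
    if (p->fd_refcnt > 1)
        r.va_mode &= ~(VSUID | VSGID);
    r.fd_refcnt = p->fd_refcnt;
    return r;
}

/* Did the strategy change anything observable versus a plain exec
 * (base rule applied, sharing left alone)? */
int behaviour_changed(struct exec_result r, unsigned va_mode,
                      const struct model_proc *p, const struct model_mount *m) {
    return r.va_mode != base_rule(va_mode, p, m) || r.fd_refcnt != p->fd_refcnt;
}

/* Walk the shared/unshared x setuid/non-setuid matrix and count how many of
 * the four cases a strategy alters. */
int cases_changed(struct exec_result (*strategy)(unsigned, const struct model_proc *,
                                                 const struct model_mount *)) {
    struct model_mount m = { 0 };
    int changed = 0;
    for (int shared = 0; shared < 2; shared++) {
        for (int suid = 0; suid < 2; suid++) {
            struct model_proc p = { 0, shared ? 2 : 1 };
            unsigned mode = 0755 | (suid ? VSUID : 0);
            if (behaviour_changed(strategy(mode, &p, &m), mode, &p, &m))
                changed++;
        }
    }
    return changed;
}

/* The ptrace precedent the message points at: a traced process still execs,
 * but the set-id bits are gone. */
int traced_exec_mode(unsigned va_mode) {
    struct model_proc p = { P_TRACED, 1 };
    struct model_mount m = { 0 };
    return (int)exec_drop_privs(va_mode, &p, &m).va_mode;
}

int main(void) {
    printf("break-sharing alters %d of 4 cases\n", cases_changed(exec_break_sharing));
    printf("drop-privs alters %d of 4 cases\n", cases_changed(exec_drop_privs));
    printf("traced exec of 06755 runs as %04o\n", traced_exec_mode(0755 | VSUID));
    return 0;
}
```

Run over the four-case matrix, the model shows the asymmetry the message describes: breaking sharing alters both shared cases, including the exec of an ordinary non-setuid program, while dropping the set-id bits alters only the one case where a shared descriptor table meets a setuid image, and leaves every other exec exactly as it was.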