From owner-freebsd-security Mon Aug 4 11:55:31 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA20195 for security-outgoing; Mon, 4 Aug 1997 11:55:31 -0700 (PDT)
Received: from ishiboo.com (user9141@bleep.ishiboo.com [206.64.4.20]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id LAA20190 for ; Mon, 4 Aug 1997 11:55:29 -0700 (PDT)
From: nirva@ishiboo.com
Received: (qmail 9134 invoked by uid 1000); 4 Aug 1997 19:57:06 -0000
Message-ID: <19970804195706.9133.qmail@ishiboo.com>
Subject: Re: Proposed alternate patch for the rfork vulnerability
In-Reply-To: <199708041703.KAA16417@kithrup.com> from Sean Eric Fagan at "Aug 4, 97 10:03:55 am"
To: sef@kithrup.com (Sean Eric Fagan)
Date: Mon, 4 Aug 1997 14:57:06 -0500 (EST)
Cc: bde@zeta.org.au, tqbf@enteract.com, security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Sean Eric Fagan stands accused of saying:
> I'm sorry, Bruce, but having the file descriptor sharing break on
> exec is the ONLY way to have it make sense, let alone be secure.

Breaking file descriptor sharing is breaking the established semantics of rfork(). Note that when exec()ing an suid/sgid program while being ptrace()ed, the suid/sgid bit is dropped, not the functionality of ptrace().

kern_exec.c:

	/*
	 * Disable setuid/setgid if the filesystem prohibits it or if
	 * the process is being traced.
	 */
	if ((vp->v_mount->mnt_flag & MNT_NOSUID) || (p->p_flag & P_TRACED))
		attr->va_mode &= ~(VSUID | VSGID);

If you choose to break FD sharing, you are not following what seems to be an established method of removing permissions where security is concerned. The fact that you remove the sharing will do much damage to non-permission-extending programs without gaining any advantage.

If you were to just remove the permission extensions, then you would be following the convention of the ptrace() issue, as well as only changing functionality when security is a concern. If you choose to copy FDs on exec, you might as well stay consistent and turn off ptrace and anything else that might be accessed by more than one process.

---------------------------------------------------------------------------
Danny Dulai                                       Feet. Pumice. Lotion.
http://www.ishiboo.com/~nirva/                         nirva@ishiboo.com
---------------------------------------------------------------------------
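The two positions in this thread, modelled as an added example (constructed here, not FreeBSD's kern_exec.c): the quoted MNT_NOSUID/P_TRACED check is kept as-is, and a hypothetical P_SHAREFD flag, the flag values, and the exec_* function names are assumptions.

```c
/* Model of the exec-time decision for an rfork()ed process whose fd table
 * is shared. Flag values and P_SHAREFD are assumptions, not kernel constants. */
#include <stdbool.h>

#define VSUID      04000   /* set-user-id bit in va_mode (assumed value) */
#define VSGID      02000   /* set-group-id bit in va_mode (assumed value) */
#define MNT_NOSUID 0x01    /* mount flag: assumed value */
#define P_TRACED   0x02    /* process flag: assumed value */
#define P_SHAREFD  0x04    /* hypothetical: fd table shared via rfork() */

enum policy { POLICY_UNSHARE_FDS, POLICY_DROP_SUID };

struct exec_result {
    int  mode;        /* va_mode of the image after the check */
    bool fds_shared;  /* whether fd-table sharing survives the exec */
};

/* The rule quoted from kern_exec.c: a nosuid mount or a traced process
 * strips the setuid/setgid bits; ptrace itself is left in place. */
static int strip_if_unsafe(int mode, int mnt_flag, int p_flag) {
    if ((mnt_flag & MNT_NOSUID) || (p_flag & P_TRACED))
        mode &= ~(VSUID | VSGID);
    return mode;
}

struct exec_result do_exec(enum policy pol, int mode, int mnt_flag, int p_flag) {
    struct exec_result r;
    r.mode = strip_if_unsafe(mode, mnt_flag, p_flag);
    r.fds_shared = (p_flag & P_SHAREFD) != 0;
    if (!r.fds_shared)
        return r;                       /* nothing shared: existing rule only */
    if (pol == POLICY_UNSHARE_FDS)
        r.fds_shared = false;           /* copy the table on every exec */
    else
        r.mode &= ~(VSUID | VSGID);     /* keep sharing, drop the privilege */
    return r;
}

/* Scalar wrappers so each outcome can be checked by name. */
int exec_mode(enum policy pol, int mode, int mnt_flag, int p_flag) {
    return do_exec(pol, mode, mnt_flag, p_flag).mode;
}
int exec_fds_shared(enum policy pol, int mode, int mnt_flag, int p_flag) {
    return do_exec(pol, mode, mnt_flag, p_flag).fds_shared ? 1 : 0;
}
```

Under POLICY_DROP_SUID a non-suid image run with a shared table is untouched, which is the "only changing functionality when security is a concern" point; under POLICY_UNSHARE_FDS every exec loses the sharing.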