From owner-freebsd-current Mon Aug 11 04:08:14 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id EAA27446 for current-outgoing; Mon, 11 Aug 1997 04:08:14 -0700 (PDT)
Received: from lsd.relcom.eu.net (ache@lsd.relcom.eu.net [193.124.23.23]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id EAA27441; Mon, 11 Aug 1997 04:08:01 -0700 (PDT)
Received: (from ache@localhost) by lsd.relcom.eu.net (8.8.7/8.8.7) id PAA28273; Mon, 11 Aug 1997 15:07:52 +0400 (MSD)
Date: Mon, 11 Aug 1997 15:07:49 +0400 (MSD)
From: Andrey Chernov
X-Sender: ache@lsd.relcom.eu.net
Reply-To: Andrey Chernov
To: Sean Eric Fagan
cc: current@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: procfs patch
In-Reply-To: <199708110315.UAA14486@freefall.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-current@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 10 Aug 1997, Sean Eric Fagan wrote:

> +#define CHECKIO(p1, p2) \
> + ((((p1)->p_cred->pc_ucred->cr_uid == (p2)->p_cred->p_ruid) && \
> + ((p1)->p_cred->p_ruid == (p2)->p_cred->p_ruid) && \
> + ((p1)->p_cred->p_svuid == (p2)->p_cred->p_ruid) && \
> + ((p2)->p_flag & P_SUGID) == 0) || \
> + (suser((p1)->p_cred->pc_ucred, &(p1)->p_acflag) == 0))

Comparing uids gains absolutely nothing. The program can change uids many times and finally do an allowed combination. But "interesting" code or data from the previous superuser mode can still be left in the memory.

I think any access to memory must be disallowed immediately after exec of a setuid program issued by a user (not setuid root) program. I.e. the exec call must set some flag (in struct proc?) disabling procfs access, and the procfs call needs to check this flag only.

We also need some solution which completely disables access to parent memory from a forked child, because allowing it is against Unix ideology.

--
Andrey A. Chernov
http://www.nagual.pp.ru/~ache/
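Review bot: in the quoted CHECKIO macro, p1's effective, real and saved uids are each compared only against (p2)->p_cred->p_ruid; p2's effective uid ((p2)->p_cred->pc_ucred->cr_uid) and saved uid ((p2)->p_cred->p_svuid) are never read, so a target whose effective or saved uid differs from its real uid is caught solely by the `((p2)->p_flag & P_SUGID) == 0` term. Suggest adding the same equality tests against p2's effective and saved uids so the decision does not hinge on P_SUGID still being set at the time of the check.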