Date: Mon, 11 Aug 1997 15:07:49 +0400 (MSD)
From: Andrey Chernov <ache@nagual.pp.ru>
To: Sean Eric Fagan <sef@FreeBSD.ORG>
Cc: current@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: procfs patch
Message-ID: <Pine.BSF.3.96.970811145004.27701B-100000@lsd.relcom.eu.net>
In-Reply-To: <199708110315.UAA14486@freefall.freebsd.org>
On Sun, 10 Aug 1997, Sean Eric Fagan wrote:

> +#define CHECKIO(p1, p2) \
> + ((((p1)->p_cred->pc_ucred->cr_uid == (p2)->p_cred->p_ruid) && \
> + ((p1)->p_cred->p_ruid == (p2)->p_cred->p_ruid) && \
> + ((p1)->p_cred->p_svuid == (p2)->p_cred->p_ruid) && \
> + ((p2)->p_flag & P_SUGID) == 0) || \
> + (suser((p1)->p_cred->pc_ucred, &(p1)->p_acflag) == 0))

Comparing uids gains absolutely nothing. The program can change uids many
times and finally do an allowed combination. But "interesting" code or data
from previous superuser mode can still be left in the memory.

I think any access to memory must be disallowed immediately after exec of a
setuid program issued by a user (not setuid root) program. I.e. the exec call
must set some flag (in struct proc?) disabling procfs access, and the procfs
call needs to check this flag only.

We also need some solution which completely disables access to parent memory
from a forked child, because allowing it is against Unix ideology.

-- 
Andrey A. Chernov <ache@null.net>
http://www.nagual.pp.ru/~ache/
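Review bot: CHECKIO compares p1's effective (pc_ucred->cr_uid), real (p_ruid) and saved (p_svuid) uids against p2's real uid only; p2's effective and saved uids are never examined, so the whole test rests on P_SUGID being set whenever p2's uids have diverged. Either add comparisons against (p2)->p_cred->pc_ucred->cr_uid and (p2)->p_cred->p_svuid, or put a comment on the macro stating why P_SUGID alone is sufficient. Two smaller points: the test is evaluated from current credentials at each access and records nothing about credentials p2 held earlier, which is the gap the reply raises; and passing &(p1)->p_acflag to suser() sets ASU in the accessing process's accounting flags as a side effect of a permission check, so pass NULL there if that accounting mark is not intended.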
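The following C program is an added illustration of the point made in the reply above; it is not FreeBSD kernel code and not part of this thread. It models the uid comparison from the posted CHECKIO macro (without the suser() escape hatch) next to the sticky exec-time flag the reply proposes, named P_NOPROCFS here as a hypothetical flag. The struct, the flag values, and the behaviour of model_exec and model_set_all_uids (in particular that exec of a non-setuid image clears P_SUGID and that a uid change leaves the flags alone) are modelling assumptions chosen to exercise the reply's premise, not statements about what the real kernel does.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model-only flag values; P_NOPROCFS is the HYPOTHETICAL sticky flag from the reply. */
#define P_SUGID    0x01
#define P_NOPROCFS 0x02

/* Only the fields the posted macro reads, collapsed into one struct. */
struct model_proc {
    unsigned cr_uid;   /* effective uid  ((p)->p_cred->pc_ucred->cr_uid) */
    unsigned p_ruid;   /* real uid       ((p)->p_cred->p_ruid) */
    unsigned p_svuid;  /* saved uid      ((p)->p_cred->p_svuid) */
    unsigned p_flag;
};

/* The uid part of the posted CHECKIO macro: p1's three uids against p2's real uid,
 * plus "p2 is not currently marked setuid". Evaluated from current state only. */
bool checkio_uids(const struct model_proc *p1, const struct model_proc *p2)
{
    return p1->cr_uid == p2->p_ruid &&
           p1->p_ruid == p2->p_ruid &&
           p1->p_svuid == p2->p_ruid &&
           (p2->p_flag & P_SUGID) == 0;
}

/* The reply's rule: a non-root process that execs a setuid image is marked
 * P_NOPROCFS for the rest of its life, whatever its uids later become. */
void model_exec(struct model_proc *p, bool image_setuid, unsigned image_owner)
{
    bool caller_was_root = (p->cr_uid == 0);
    if (image_setuid) {
        p->cr_uid = image_owner;
        p->p_svuid = image_owner;
        p->p_flag |= P_SUGID;
        if (!caller_was_root)
            p->p_flag |= P_NOPROCFS;       /* sticky: nothing below clears it */
    } else {
        p->p_flag &= ~P_SUGID;             /* model assumption, see lead-in */
    }
    /* p_ruid and P_NOPROCFS survive exec; memory contents are not modelled. */
}

/* A process setting all three uids. The flags are deliberately untouched so the
 * reply's premise (uid changes can end in an allowed combination) can be shown. */
void model_set_all_uids(struct model_proc *p, unsigned uid)
{
    p->cr_uid = p->p_ruid = p->p_svuid = uid;
}

/* procfs memory access under the reply's proposal: the sticky flag is checked
 * first, and only then the point-in-time uid comparison. */
bool procfs_mem_allowed(const struct model_proc *accessor, const struct model_proc *target)
{
    if (target->p_flag & P_NOPROCFS)
        return false;
    return checkio_uids(accessor, target);
}

int main(void)
{
    /* Constructed scenario: an unprivileged uid-1000 shell observes a process
     * that started as uid 1000, ran a setuid-root image, dropped back to 1000
     * and then exec'd an ordinary binary. */
    struct model_proc shell  = { 1000, 1000, 1000, 0 };
    struct model_proc target = { 1000, 1000, 1000, 0 };

    model_exec(&target, true, 0);          /* setuid-root image */
    printf("while root:    uid check=%d sticky check=%d\n",
           checkio_uids(&shell, &target), procfs_mem_allowed(&shell, &target));

    model_set_all_uids(&target, 1000);     /* privileges dropped */
    model_exec(&target, false, 1000);      /* ordinary image, P_SUGID gone */
    printf("after drop:    uid check=%d sticky check=%d\n",
           checkio_uids(&shell, &target), procfs_mem_allowed(&shell, &target));

    struct model_proc plain = { 1000, 1000, 1000, 0 };   /* never ran setuid */
    printf("plain process: uid check=%d sticky check=%d\n",
           checkio_uids(&shell, &plain), procfs_mem_allowed(&shell, &plain));
    return 0;
}
```

The middle line of output is the one the reply is about: once the target's uids are all 1000 again and P_SUGID is gone, the stateless uid comparison allows the access, while the exec-time flag still denies it because it remembers that the process once ran a setuid image.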