From owner-freebsd-security  Tue Sep 16 22:49:30 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id WAA18344
          for security-outgoing; Tue, 16 Sep 1997 22:49:30 -0700 (PDT)
Received: from gatekeeper.tsc.tdk.com (root@gatekeeper.tsc.tdk.com [207.113.159.21])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id WAA18332
          for <freebsd-security@FreeBSD.ORG>; Tue, 16 Sep 1997 22:49:25 -0700 (PDT)
Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191])
          by gatekeeper.tsc.tdk.com (8.8.4/8.8.4) with ESMTP
	  id WAA01109; Tue, 16 Sep 1997 22:49:00 -0700 (PDT)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194])
	by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id WAA01558;
	Tue, 16 Sep 1997 22:48:59 -0700 (PDT)
Received: (from gdonl@localhost)
	by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id WAA26312;
	Tue, 16 Sep 1997 22:48:57 -0700 (PDT)
From: Don Lewis <Don.Lewis@tsc.tdk.com>
Message-Id: <199709170548.WAA26312@salsa.gv.tsc.tdk.com>
Date: Tue, 16 Sep 1997 22:48:57 -0700
In-Reply-To: tqbf@silence.secnet.com
       "Re: OpenBSD Security Advisory: BSD I/O Signals" (Sep 16, 11:15pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: tqbf@silence.secnet.com, Don Lewis <Don.Lewis@tsc.tdk.com>
Subject: Re: OpenBSD Security Advisory: BSD I/O Signals
Cc: tqbf@enteract.com, freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sep 16, 11:15pm, tqbf@silence.secnet.com wrote:
} Subject: Re: OpenBSD Security Advisory: BSD I/O Signals
} 
} > random things from happening.  Now this is a stretch, but what if an
} > attacker subverted a root owned process to to a F_SETOWN, change uid to
} 
} The hole would be in the program that allowed an attacker to gain root
} access to fcntl, and there's not much you can do in the kernel to prevent
} the general case of this from remaining true.

I just found an exploit, but it's pretty weak.  You can use it to send
signals to processes that you don't own, but you can't choose the PID.

Ftpd does a F_SETOWN on its control socket before it does authentication,
which means that the credentials stashed away by F_SETOWN are root.  If
you log in as a normal user and you do an "ls -lR /" or something that
takes a long time, you can "kill -STOP" the ls process, and kill ftpd
entirely.  The "ls" process will keep the control socket open (its connected
to stdin), so whenever a process gets the old PID of ftpd, you can send it
a SIGURG.

A tiny hole, but it's there.

			---  Truck