Date:      Thu, 18 Apr 2002 22:08:19 -0600 (MDT)
From:      "M. Warner Losh" <imp@village.org>
To:        drosih@rpi.edu
Cc:        jmallett@FreeBSD.org, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/sys/kern kern_descrip.c kern_exec.c src/sys/sys filedesc.h
Message-ID:  <20020418.220819.38783712.imp@village.org>
In-Reply-To: <p0511170ab8e53dddf964@[128.113.24.47]>
References:  <p05111709b8e53bfd88f7@[128.113.24.47]> <20020419032610.GG30498@FreeBSD.ORG> <p0511170ab8e53dddf964@[128.113.24.47]>

In message: <p0511170ab8e53dddf964@[128.113.24.47]>
            Garance A Drosihn <drosih@rpi.edu> writes:
: Hmm.  Okay, I can see how this helps some.  But if we are
: talking about Evil(tm) programs which are exec-ing a
: set[ug]id program, then I would think the program could
: cause just as much evil havoc by assigning those descriptors
: to files that the program is not expecting them to be
: assigned to.  Like, perhaps, to a file that the program will
: have no access to.  How would that be "less evil" than having
: the descriptor assigned to nothing at all?

This is less of a problem than what I talked about earlier.  If I open
files on 0, 1 or 2, I do it as "me", which is OK.  The security check is
already done by the time the privs are elevated.  But if, say, FD 2 is
closed, then the scenario that I talked about earlier could happen:
	The setuid program opens up some file that the user wouldn't
	otherwise be able to open.  It gets fd 2.  Now after this
	point the program does a write to stderr because of some
	error.  Often times the user affects the output.  If the setuid
	program uses err(), and the file in question is
	/etc/master.passwd, one could set argv[0] so that it looks like a
	password line with a uid of 0.  Then the user could change
	his/her password and get root.
There are other ways to exploit this as well.

Warner
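The hazard Warner describes rests on one property of open(2): it returns the lowest free descriptor, so a setuid program started with fd 2 closed will have its first privileged open() land on the slot that stderr, err(3) and warn(3) write to. The program below is an added illustration, not code from the thread or from the FreeBSD commit it discusses: it re-enacts the scenario in a child process (closing fd 2, then opening a harmless stand-in for the sensitive file and reporting which descriptor that open() received), and shows the user-space guard of pointing any closed standard descriptor at /dev/null before anything privileged is opened. That is the property the kernel-side change under discussion aims to guarantee at exec time for every set-id binary, without relying on each program to do it itself. All function names are this example's own; /dev/zero stands in for "a file the user could not otherwise open".

```c
/* Added example: why a closed fd 0/1/2 is dangerous in a set-id program,
 * and the guard of refilling those slots with /dev/null. Not from the thread. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if fd is open, 0 if it is closed (EBADF), -1 on any other error. */
static int fd_is_open(int fd)
{
    if (fcntl(fd, F_GETFD) != -1)
        return 1;
    return errno == EBADF ? 0 : -1;
}

/* Guard: make sure descriptors 0, 1 and 2 all refer to something before the
 * program opens any privileged file, so a later open() cannot land on them.
 * Returns how many slots had to be filled, or -1 on failure. */
int ensure_std_fds_open(void)
{
    int filled = 0;
    for (int fd = 0; fd <= 2; fd++) {
        int st = fd_is_open(fd);
        if (st < 0)
            return -1;
        if (st == 1)
            continue;
        /* open() hands back the lowest free descriptor; because slots are
         * filled in order 0, 1, 2, the lowest free one is exactly fd. */
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {        /* unexpected; do not leave a stray fd behind */
            close(nfd);
            return -1;
        }
        filled++;
    }
    return filled;
}

/* 1 if fd refers to the same character device node as /dev/null. */
int fd_is_devnull(int fd)
{
    struct stat a, b;
    if (fstat(fd, &a) == -1 || stat("/dev/null", &b) == -1)
        return 0;
    return S_ISCHR(a.st_mode) && a.st_rdev == b.st_rdev;
}

/* Re-enact the scenario in a child so the caller's own stderr is untouched:
 * close fd 2 (the hostile caller's doing), optionally run the guard, then
 * open the stand-in "sensitive" file and report which fd it received.
 * Returns that fd; -2 if the guard ran but fd 2 is not /dev/null afterwards;
 * -1 on a setup error. */
int where_does_next_open_land(int use_guard)
{
    int pipefd[2], got = -1, status;
    if (ensure_std_fds_open() == -1 || pipe(pipefd) == -1)
        return -1;                          /* parent keeps 0/1/2 open, pipe >= 3 */
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        close(pipefd[0]);
        close(2);                           /* stderr slot is now free */
        if (use_guard) {
            if (ensure_std_fds_open() == -1)
                _exit(2);
            if (!fd_is_devnull(2)) {
                got = -2;
                (void)!write(pipefd[1], &got, sizeof got);
                _exit(0);
            }
        }
        int fd = open("/dev/zero", O_RDONLY);   /* constructed stand-in for the privileged file */
        (void)!write(pipefd[1], &fd, sizeof fd);
        _exit(0);
    }
    close(pipefd[1]);
    if (read(pipefd[0], &got, sizeof got) != (ssize_t)sizeof got)
        got = -1;
    close(pipefd[0]);
    waitpid(pid, &status, 0);
    return got;
}

int main(void)
{
    printf("without guard, sensitive open() landed on fd %d\n", where_does_next_open_land(0));
    printf("with guard,    sensitive open() landed on fd %d\n", where_does_next_open_land(1));
    return 0;
}
```

Without the guard the stand-in open() receives fd 2, so every later write to stderr (including the argv[0]-prefixed line err(3) emits) would go into the file the privileged process just opened; with the guard it receives fd 3 or higher and fd 2 is a write-only /dev/null. Doing this in the kernel at exec time, as the thread discusses, closes the gap for programs that never thought to check.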
