authorTheo de Raadt <deraadt@cvs.openbsd.org>2005-12-07 19:04:54 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2005-12-07 19:04:54 +0000
commit8f1d90b946f44f94a3a5b2794d6029dd15bfeca5 (patch)
tree7c83b13fb5e777a6611e69ef3dd422d362bc796e
parentcee45d4c54b274f5e055ef85737e998cc446f98f (diff)
do not allow setugid processes to use /dev/fd/#, unless they are a
setuid-script and are attempting to dup the specific setuid-script fd via such a pathname; ok tedu pedro millert
-rw-r--r--sys/kern/kern_descrip.c13
-rw-r--r--sys/kern/kern_exec.c6
-rw-r--r--sys/sys/proc.h5
3 files changed, 20 insertions, 4 deletions
diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c
index 7a6d212a835..1a263bb8bdf 100644
--- a/sys/kern/kern_descrip.c
+++ b/sys/kern/kern_descrip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_descrip.c,v 1.71 2005/11/28 00:14:28 jsg Exp $ */
+/* $OpenBSD: kern_descrip.c,v 1.72 2005/12/07 19:04:53 deraadt Exp $ */
/* $NetBSD: kern_descrip.c,v 1.42 1996/03/30 22:24:38 christos Exp $ */
/*
@@ -1176,6 +1176,17 @@ dupfdopen(struct filedesc *fdp, int indx, int dfd, int mode, int error)
struct file *wfp;
/*
+ * Assume that the filename was user-specified; applications do
+ * not tend to opens of /dev/fd/# when they can just call dup()
+ */
+ if ((curproc->p_flag & (P_SUGIDEXEC | P_SUGID))) {
+ if (curproc->p_descfd == 255)
+ return (EPERM);
+ if (curproc->p_descfd != curproc->p_dupfd)
+ return (EPERM);
+ }
+
+ /*
* If the to-be-dup'd fd number is greater than the allowed number
* of file descriptors, or the fd to be dup'd has already been
* closed, reject. Note, there is no need to check for new == old
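Review bot: The "no permitted fd" sentinel is written as the bare literal 255 in the `curproc->p_descfd == 255` test, and the same literal recurs in the kern_exec.c hunk and in the proc.h field comment of this commit; a named constant defined next to the field (a name such as `P_DESCFD_NONE`) would keep the three sites from drifting and make the sentinel's meaning visible at the check. The added comment also has a typo: `do not tend to opens of` should read `do not tend to open`. Since `p_descfd` is a u_char and `p_dupfd` an int, the first test is what keeps a `p_dupfd` of 255 from matching the sentinel, which is worth stating: `/* p_descfd == 255 means "no fd"; test it first so a p_dupfd of 255 cannot match the sentinel */`. dupfdopen() starts before and continues past this hunk.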
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index dc01d2833d9..3dc66fc2a06 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_exec.c,v 1.97 2005/12/03 18:09:08 tedu Exp $ */
+/* $OpenBSD: kern_exec.c,v 1.98 2005/12/07 19:04:53 deraadt Exp $ */
/* $NetBSD: kern_exec.c,v 1.75 1996/02/09 18:59:28 christos Exp $ */
/*-
@@ -633,6 +633,10 @@ sys_execve(struct proc *p, void *v, register_t *retval)
p->p_emul != pack.ep_emul)
(*p->p_emul->e_proc_exit)(p);
+ p->p_descfd = 255;
+ if ((pack.ep_flags & EXEC_HASFD) && pack.ep_fd < 255)
+ p->p_descfd = pack.ep_fd;
+
/*
* Call exec hook. Emulation code may NOT store reference to anything
* from &pack.
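Review bot: The `pack.ep_fd < 255` test silently maps a setuid-script fd of 255 or above onto the "none" sentinel, so such a script is denied /dev/fd/# access with no indication; that is the fail-closed direction, but it deserves a comment, e.g. `/* fds >= 255 do not fit in the u_char p_descfd; treat them as "no fd" (fail closed) */`. The literal 255 here is the same sentinel tested in kern_descrip.c and described on the proc.h field, so a single named constant in proc.h would be preferable to three independent copies. sys_execve() starts before and continues past this hunk.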
diff --git a/sys/sys/proc.h b/sys/sys/proc.h
index 36e76d9212a..df5be44facb 100644
--- a/sys/sys/proc.h
+++ b/sys/sys/proc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: proc.h,v 1.82 2005/12/03 18:09:09 tedu Exp $ */
+/* $OpenBSD: proc.h,v 1.83 2005/12/07 19:04:50 deraadt Exp $ */
/* $NetBSD: proc.h,v 1.44 1996/04/22 01:23:21 christos Exp $ */
/*-
@@ -149,7 +149,8 @@ struct proc {
int p_flag; /* P_* flags. */
u_char p_os; /* OS tag */
char p_stat; /* S* process status. */
- char p_pad1[2];
+ char p_pad1[1];
+ u_char p_descfd; /* if not 255, fdesc permits this fd */
pid_t p_pid; /* Process identifier. */
LIST_ENTRY(proc) p_hash; /* Hash chain. */
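Review bot: The new field's comment `if not 255, fdesc permits this fd` does not say what the value is or when it applies; a fuller comment such as `/* fd of the setuid script this process was exec'd from, or 255 if none; gates /dev/fd/# use by P_SUGID/P_SUGIDEXEC processes in dupfdopen() */` would tie it to the check that consumes it. The diffstat lists only these three files, so whatever code populates a fresh struct proc at fork time is untouched by this commit; please confirm that p_descfd is either copied from the parent or set to 255 there, since a stale value in a setugid child could happen to equal p_dupfd. Defining the 255 sentinel as a named constant in this header would let kern_descrip.c and kern_exec.c share it instead of repeating the literal. struct proc continues outside this hunk.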