author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2005-12-07 19:04:54 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2005-12-07 19:04:54 +0000 |
commit | 8f1d90b946f44f94a3a5b2794d6029dd15bfeca5 (patch) | |
tree | 7c83b13fb5e777a6611e69ef3dd422d362bc796e | |
parent | cee45d4c54b274f5e055ef85737e998cc446f98f (diff) |
do not allow setugid processes to use /dev/fd/#, unless they are a
setuid-script and are attempting to dup the specific setuid-script
fd via such a pathname; ok tedu pedro millert
-rw-r--r-- | sys/kern/kern_descrip.c | 13 | ||||
-rw-r--r-- | sys/kern/kern_exec.c | 6 | ||||
-rw-r--r-- | sys/sys/proc.h | 5 |
3 files changed, 20 insertions, 4 deletions
diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c
index 7a6d212a835..1a263bb8bdf 100644
--- a/sys/kern/kern_descrip.c
+++ b/sys/kern/kern_descrip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_descrip.c,v 1.71 2005/11/28 00:14:28 jsg Exp $ */
+/* $OpenBSD: kern_descrip.c,v 1.72 2005/12/07 19:04:53 deraadt Exp $ */
 /* $NetBSD: kern_descrip.c,v 1.42 1996/03/30 22:24:38 christos Exp $ */
 /*
@@ -1176,6 +1176,17 @@ dupfdopen(struct filedesc *fdp, int indx, int dfd, int mode, int error)
 struct file *wfp;
 /*
+ * Assume that the filename was user-specified; applications do
+ * not tend to opens of /dev/fd/# when they can just call dup()
+ */
+ if ((curproc->p_flag & (P_SUGIDEXEC | P_SUGID))) {
+ if (curproc->p_descfd == 255)
+ return (EPERM);
+ if (curproc->p_descfd != curproc->p_dupfd)
+ return (EPERM);
+ }
+
+ /*
 * If the to-be-dup'd fd number is greater than the allowed number
 * of file descriptors, or the fd to be dup'd has already been
 * closed, reject. Note, there is no need to check for new == old
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index dc01d2833d9..3dc66fc2a06 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_exec.c,v 1.97 2005/12/03 18:09:08 tedu Exp $ */
+/* $OpenBSD: kern_exec.c,v 1.98 2005/12/07 19:04:53 deraadt Exp $ */
 /* $NetBSD: kern_exec.c,v 1.75 1996/02/09 18:59:28 christos Exp $ */
 /*-
@@ -633,6 +633,10 @@ sys_execve(struct proc *p, void *v, register_t *retval)
 p->p_emul != pack.ep_emul)
 (*p->p_emul->e_proc_exit)(p);
+ p->p_descfd = 255;
+ if ((pack.ep_flags & EXEC_HASFD) && pack.ep_fd < 255)
+ p->p_descfd = pack.ep_fd;
+
 /*
 * Call exec hook. Emulation code may NOT store reference to anything
 * from &pack.
diff --git a/sys/sys/proc.h b/sys/sys/proc.h
index 36e76d9212a..df5be44facb 100644
--- a/sys/sys/proc.h
+++ b/sys/sys/proc.h
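Review bot: The new guard at the top of dupfdopen() compares `curproc->p_descfd` with `curproc->p_dupfd`, while the descriptor the rest of the function goes on to duplicate is the `dfd` argument; the permission check and the dup only refer to the same fd if every caller passes `p_dupfd` as `dfd`, which is not visible in this hunk. Comparing against the argument ties the check to the fd actually used: `if (curproc->p_descfd != dfd) return (EPERM);`. The literal 255 is the "no script fd" sentinel and is repeated in the sys_execve() hunk and in the proc.h field comment; a single named constant in proc.h would keep the three sites in step. The added comment also explains why the path is treated as user-supplied but not the rule being enforced, so I would add a line such as `* setugid processes may only dup the script fd recorded at exec`. The function body continues outside the hunk.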
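Review bot: The assignment added in sys_execve() carries no comment, and its `< 255` bound is what keeps the u_char field safe: a script fd of 255 or above is recorded as "no script fd", so that script is later refused with EPERM in dupfdopen() instead of matching a truncated value. I would state that above the assignment, e.g. `/* 255 = no script fd; fds that do not fit in p_descfd fail closed */`. If `pack.ep_fd` is a signed type (its declaration is outside this diff), the condition should also carry a lower bound, `pack.ep_fd >= 0 && pack.ep_fd < 255`, so a negative value cannot be narrowed into a valid-looking fd number. sys_execve() begins and ends outside the hunk.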
@@ -1,4 +1,4 @@
-/* $OpenBSD: proc.h,v 1.82 2005/12/03 18:09:09 tedu Exp $ */
+/* $OpenBSD: proc.h,v 1.83 2005/12/07 19:04:50 deraadt Exp $ */
 /* $NetBSD: proc.h,v 1.44 1996/04/22 01:23:21 christos Exp $ */
 /*-
@@ -149,7 +149,8 @@ struct proc {
 int p_flag; /* P_* flags. */
 u_char p_os; /* OS tag */
 char p_stat; /* S* process status. */
- char p_pad1[2];
+ char p_pad1[1];
+ u_char p_descfd; /* if not 255, fdesc permits this fd */
 pid_t p_pid; /* Process identifier. */
 LIST_ENTRY(proc) p_hash; /* Hash chain. */ |
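Review bot: Nothing in this diff initialises the new `p_descfd` field when a proc is created; the only write is at exec, in sys_execve(). Unless the fork path (outside this diff) sets or copies the field, a setugid process that has not exec'd since it was forked would reach the dupfdopen() check with whatever value the field happened to hold. That is worth confirming, and the field comment could then say which value a fresh proc carries, e.g. `/* script fd from exec; 255 = none */`. struct proc continues outside the hunk.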