Subject: fcntl(.., F_SETOWN, ..)
To: None <current-users@NetBSD.ORG>
From: Alan Peakall <alan@parsys.co.uk>
List: current-users
Date: 04/10/1996 12:12:08
My reading of the NetBSD kernel code is that (at least for sockets) no
authorisation checking of the value of the third argument to
`fcntl(.., F_SETOWN, ..)' is performed, and that no checking is done
when `so_pgid' is used for dispatching `SIG{IO,SIG}'.

If this is correct, then it is a means of subverting the operation
of a process which uses these signals (naive processes should be OK
as these signals are ignored by default), and is also a potential
covert channel.

If this is not a feature, I feel that it would be better to reject
any attempt by a non-root caller to set `so_pgid' to the process
id of a process in a different session from the caller or to the
negative of the process group id of a process group in a different
session from the caller.

This policy is enforced by DEC OSF1 according to its manual page
`fcntl(2)'.  Attempts to breach it are stated to draw errno=EPERM
unless the descriptor refers to a terminal and POSIX.1 compatibility
for `tcsetpgrp(2)' requires that errno=ENOTTY.
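The session check proposed above, written out as an added example that is not NetBSD or OSF1 code: a user-space model of the policy over a constructed process table, where `ptable`, `setown_check` and the pids, sessions and uids used are all assumptions made for the demonstration.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/types.h>
/* Constructed stand-in for the kernel process table (pid, process group,
 * session, uid). These entries are made up for the demonstration. */
struct proc { pid_t pid; pid_t pgid; pid_t sid; uid_t uid; };
static const struct proc ptable[] = {
    { 100, 100, 100, 0    },  /* root shell leading session 100 */
    { 101, 101, 100, 1000 },  /* unprivileged job in session 100 */
    { 200, 200, 200, 1001 },  /* another user's session 200 */
    { 201, 200, 200, 1001 },  /* member of process group 200 */
};
#define NPROC (sizeof ptable / sizeof ptable[0])

static const struct proc *find_pid(pid_t pid)
{
    for (size_t i = 0; i < NPROC; i++)
        if (ptable[i].pid == pid) return &ptable[i];
    return NULL;
}

/* Session of process group pgid, or -1 if no process belongs to it. */
static pid_t pgrp_session(pid_t pgid)
{
    for (size_t i = 0; i < NPROC; i++)
        if (ptable[i].pgid == pgid) return ptable[i].sid;
    return -1;
}

/* The proposed F_SETOWN check: arg > 0 names a pid, arg < 0 the negative
 * of a process group id, 0 clears the owner (assumed always allowed).
 * A non-root caller may only target its own session. Returns 0 or the
 * errno to fail with; is_tty selects ENOTTY for terminal descriptors. */
int setown_check(pid_t caller_pid, pid_t arg, int is_tty)
{
    const struct proc *caller = find_pid(caller_pid);
    pid_t target_sid;
    if (caller == NULL) return ESRCH;
    if (arg == 0) return 0;
    if (arg > 0) {
        const struct proc *t = find_pid(arg);
        if (t == NULL) return ESRCH;
        target_sid = t->sid;
    } else {
        target_sid = pgrp_session(-arg);
        if (target_sid < 0) return ESRCH;
    }
    if (caller->uid == 0 || target_sid == caller->sid) return 0;
    return is_tty ? ENOTTY : EPERM;
}
```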