Subject: NetBSD Security Advisory 2005-013: ptrace() permissions after S[UG]ID and exec()
To: None <>
From: NetBSD Security-Officer <>
List: netbsd-announce
Date: 11/08/2005 10:01:26

		 NetBSD Security Advisory 2005-013

Topic:		ptrace() permissions after S[UG]ID and exec() 

Version:	NetBSD-current:	source prior to October 21, 2005
		NetBSD 2.1:	affected
		NetBSD 2.0.3:	affected
		NetBSD 2.0:	affected
		NetBSD 1.6:	affected

Severity:	privilege escalation and injection of code

Fixed:		NetBSD-current:		October 31, 2005
		NetBSD-3   branch:	October 31, 2005
		NetBSD-2.1 branch:	October 31, 2005
					   (2.1.1 will include the fix)
		NetBSD-2.0 branch:	October 31, 2005
					   (2.0.4 will include the fix)
		NetBSD-2   branch:	October 31, 2005
		NetBSD-1.6 branch:	October 31, 2005


Processes running with alternate privileges gained from setuid and
setgid executables are prevented from debugger attachment by their
original owner (via ptrace).  However, if these processes exec'd
without resetting their real credentials, the replacement process
could be attached to and tampered with.

Technical Details

A process flag P_SUGID is used to track processes that have gained
privileges via the set-id execution bits. This flag is checked by
ptrace when deciding whether to allow debugger attachment.

When a process called exec(), this flag was being cleared, even if the
real and effective credentials were still different. This would defeat
the ptrace check for the replacement process image, and allow
inappropriate attachment by processes owned by the real uid.  This
attachment could then be used to alter the behaviour of the process,
and make additional syscalls under the effective uid.
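To make the bookkeeping concrete, the following is an added user-space model of the behaviour described above; it is illustration code written for this page, not NetBSD's kern_exec.c or ptrace implementation. Only the flag name P_SUGID and the real/effective credential semantics come from the advisory; the structure and function names (exec_setid_image, exec_plain_image_buggy, exec_plain_image_fixed, ptrace_attach_allowed, scenario_attach_allowed) and the sample uids are assumptions. It contrasts the pre-fix exec path, which clears P_SUGID unconditionally, with the fixed path, which keeps the flag while real and effective credentials still differ, and shows how that changes the attach decision.

```c
/* Added illustration (not NetBSD kernel code): a user-space model of the
 * P_SUGID handling described in the advisory.  Function names and the
 * sample credential values are constructed for this example. */
#include <stdbool.h>
#include <stdio.h>

#define P_SUGID 0x1u   /* process gained privileges via set-id execution bits */

struct model_proc {
    unsigned ruid, euid;   /* real and effective user id */
    unsigned rgid, egid;   /* real and effective group id */
    unsigned flags;        /* P_SUGID and, in a real kernel, many others */
};

/* exec() of a set-id image: effective credentials change and the flag is set. */
static void exec_setid_image(struct model_proc *p, unsigned new_euid, unsigned new_egid)
{
    p->euid = new_euid;
    p->egid = new_egid;
    p->flags |= P_SUGID;
}

/* Pre-fix behaviour: exec() of an ordinary image clears P_SUGID
 * unconditionally, even though real and effective ids still differ. */
static void exec_plain_image_buggy(struct model_proc *p)
{
    p->flags &= ~P_SUGID;
}

/* Fixed behaviour as the advisory describes it: the flag is only dropped
 * once the real and effective credentials match again. */
static void exec_plain_image_fixed(struct model_proc *p)
{
    if (p->ruid == p->euid && p->rgid == p->egid)
        p->flags &= ~P_SUGID;
}

/* Simplified attach decision in the spirit of the ptrace check: an
 * unprivileged tracer may attach only to a process it owns by real uid
 * that has not gained privileges via set-id execution.  Root (euid 0)
 * is allowed regardless.  (Constructed model, not the kernel's full check.) */
static bool ptrace_attach_allowed(const struct model_proc *tracer,
                                  const struct model_proc *target)
{
    if (tracer->euid == 0)
        return true;
    if (tracer->ruid != target->ruid)
        return false;
    if (target->flags & P_SUGID)
        return false;
    return true;
}

/* Scenario from the advisory: a user (constructed uid 1000) runs a
 * setuid-root program, which then exec()s a plain image without resetting
 * its real credentials.  Returns whether the user's debugger may attach to
 * the replacement image under the chosen exec behaviour. */
static bool scenario_attach_allowed(bool use_fixed_exec)
{
    struct model_proc user_shell = { 1000, 1000, 100, 100, 0 };  /* constructed */
    struct model_proc victim     = { 1000, 1000, 100, 100, 0 };  /* forked from the shell */

    exec_setid_image(&victim, 0, 100);       /* setuid-root binary: euid becomes 0 */
    if (use_fixed_exec)
        exec_plain_image_fixed(&victim);     /* flag survives: ruid 1000 != euid 0 */
    else
        exec_plain_image_buggy(&victim);     /* flag wrongly cleared */

    return ptrace_attach_allowed(&user_shell, &victim);
}

int main(void)
{
    printf("pre-fix exec: attach %s\n", scenario_attach_allowed(false) ? "allowed" : "denied");
    printf("fixed exec:   attach %s\n", scenario_attach_allowed(true)  ? "allowed" : "denied");
    return 0;
}
```

The point of the fixed path is that P_SUGID describes the process's credential state, not the last image loaded, so it must be recomputed from the real/effective comparison on every exec rather than simply cleared.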

Solutions and Workarounds

A limited workaround may be to mount filesystems with the nosuid
option, or remove setuid bits or general user access from setuid
programs.  This is likely to affect required functionality.

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.

The following instructions briefly summarise how to upgrade your
kernel.  In these instructions, replace:

  ARCH     with your architecture (from uname -m), and 
  KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -d -P sys/kern/kern_exec.c
        # ./ kernel=KERNCONF
        # mv /netbsd /netbsd.old
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
        # shutdown -r now

For more information on how to do this, see:

Thanks To

Tavis Ormandy for reporting the bug and Christos Zoulas for the fix.

Revision History

	2005-11-01	Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and

Copyright 2005, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2005-013.txt,v 1.3 2005/11/01 02:24:48 dan Exp $
