Port-xen archive
Re: SIGSEGV for programs attempting to write files they don't have access to
On Sat, Feb 15, 2020 at 10:55:36PM +0200, Staffan Thomén wrote:
> Hey!
>
> I just updated one of my domU:s to netbsd-9 (should be the head of netbsd-9
> branch as of Feb 14, 'Welcome to NetBSD 9.0 - the "Valentine Release"')
>
> My dom0 is still running 8.1 and all other domUs are running fine with
> various versions/operating systems as before.
>
> This domU is my webserver, and both bacula-fd and apache crash upon startup,
> with a segmentation fault, bacula right away and apache's workers die and it
> stops spawning them.
>
> I tried to narrow it down and bacula-fd would not crash if I started it
> manually as root, but if I added -g bacula, it crashed with a Memory fault.
>
> The following program will always crash if nobody doesn't have access to
> write/create the file, but the file will get written(!):
>
> #include <stdio.h>
> #include <unistd.h>
>
> int main(int argc, char **argv) {
>     FILE *fp;
>
>     printf("Changing uid...\n");
>
>     setuid(32767); // nobody
>
>     printf("Writing to file...\n");
>
>     fp = fopen("test.txt", "w");
>     fwrite("hello\n", 6, 1, fp);
>     fclose(fp);
>
>     printf("All done\n");
>
>     return 0;
> }
>
> www# ./t
> Changing uid...
> Writing to file...
> Memory fault
>
> (gdb) run
> Starting program: /root/t
> Changing uid...
> Writing to file...
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x00006fbeb9f67255 in __sfvwrite () from /usr/lib/libc.so.12
> (gdb) where
> #0 0x00006fbeb9f67255 in __sfvwrite () from /usr/lib/libc.so.12
> #1 0x00006fbeb9f671ef in fwrite () from /usr/lib/libc.so.12
> #2 0x0000000000400b35 in main (argc=1, argv=0x7f7fff9ff758) at test.c:14
>
> www# chown nobody test.txt
> www# ./t
> Changing uid...
> Writing to file...
> All done
>
> What's going on here? Is it just me?
I get the same. But it's expected as you're missing error handling here,
which leads to a NULL pointer dereference if the file can't be opened.
Nothing wrong here.
A more correct program would be

#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <unistd.h>

int main(int argc, char **argv) {
    FILE *fp;

    printf("Changing uid...\n");
    setuid(32767); // nobody
    printf("Writing to file...\n");

    fp = fopen("test.txt", "w");
    /* fopen() returns NULL on failure; do not hand that to fwrite() */
    if (fp == NULL) {
        perror("fopen");
        exit(1);
    }
    fwrite("hello\n", 6, 1, fp);
    fclose(fp);
    printf("All done\n");
    return 0;
}

which gives:
twist# ./t
Changing uid...
Writing to file...
fopen: Permission denied
twist# echo $status
1
--
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
NetBSD: 26 years of experience will always make the difference
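
An added example, not code from either message in this thread: the same write with every return value checked, including setuid(), which both programs above leave unchecked. The helper names drop_to_uid and write_file_checked are hypothetical; uid 32767 and test.txt are taken from the thread.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: permanently switch to uid; returns 0 or -errno. */
int drop_to_uid(uid_t uid)
{
    if (setuid(uid) != 0)
        return -errno;
    /* Confirm the switch took effect before doing unprivileged work. */
    if (getuid() != uid || geteuid() != uid)
        return -EPERM;
    return 0;
}

/* Hypothetical helper: write len bytes to path; returns 0 or -errno. */
int write_file_checked(const char *path, const char *data, size_t len)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -errno;            /* e.g. -EACCES after the uid change */
    if (fwrite(data, 1, len, fp) != len) {
        int e = errno ? errno : EIO;
        fclose(fp);
        return -e;
    }
    if (fclose(fp) != 0)          /* buffered data is flushed here; can fail */
        return -errno;
    return 0;
}

int main(void)
{
    int rc = drop_to_uid(32767);  /* nobody, the uid used in the thread */
    if (rc != 0) {
        fprintf(stderr, "setuid: %s\n", strerror(-rc));
        return 1;
    }
    rc = write_file_checked("test.txt", "hello\n", 6);
    if (rc != 0) {
        fprintf(stderr, "test.txt: %s\n", strerror(-rc));
        return 1;
    }
    printf("All done\n");
    return 0;
}
```

If setuid() fails, the process keeps its original uid, so the helper refuses to continue rather than writing with the privileges it was meant to give up.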