NetBSD-Bugs archive


Re: kern/37744: setuid doesn't enforce RLIMIT_NPROC



The following reply was made to PR kern/37744; it has been noted by GNATS.

From: "Jeremy C. Reed" <reed%reedmedia.net@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: kern/37744: setuid doesn't enforce RLIMIT_NPROC
Date: Fri, 11 Jan 2008 07:36:18 -0600 (CST)

 Here is the patch I used for over a year and provided to tech-kern and 
 tech-security 1.5 years ago:
 
 Index: sys/kern/kern_prot.c
 ===================================================================
 RCS file: /cvsroot/src/sys/kern/kern_prot.c,v
 retrieving revision 1.104
 diff -u -r1.104 kern_prot.c
 --- sys/kern/kern_prot.c       30 Jun 2007 21:31:41 -0000      1.104
 +++ sys/kern/kern_prot.c       11 Jan 2008 13:30:21 -0000
 @@ -349,8 +349,12 @@
  
        if (r != -1 && r != kauth_cred_getuid(ncred)) {
                /* Update count of processes for this user */
 +              /* but don't allow user running more than their limit. */
 +              if (chgproccnt(r, 1) > p->p_rlimit[RLIMIT_NPROC].rlim_cur) {
 +                      (void)chgproccnt(r, -1);
 +                      return (EAGAIN);
 +              }
                (void)chgproccnt(kauth_cred_getuid(ncred), -1);
 -              (void)chgproccnt(r, 1);
                kauth_cred_setuid(ncred, r);
        }
        if (sv != -1)
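
Review bot: the added `return (EAGAIN);` inside the `if (chgproccnt(r, 1) > ...)` block is a new early exit, and nothing in this hunk shows `ncred` or other state set up earlier in the function being released on that path; please confirm the normal cleanup is reached or route the failure through it. The comparison uses the calling process's `p->p_rlimit[RLIMIT_NPROC].rlim_cur` with no visible exemption for a privileged caller, so say whether that is intended. Because the uid change can now fail where it previously succeeded, a caller that ignores the return value would keep running under the old uid; that behaviour change should be documented with the patch. Style: the added comment continues the sentence of the existing one, so merge the two into a single block comment.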
 
 
 
 (I haven't tested this for a month since my laptop died and I am using a 
 different kernel.)
 
 I also patched cron to change how it used login_getclass and 
 setusercontext.
 
 
 I don't think this can be abused with cron -- unless you use a patched 
 shell that ignores the fork error. A regular user can easily use their own 
 custom shell built like the following to get more processes than allowed:
 
 Index: bin/ksh/jobs.c
 ===================================================================
 RCS file: /cvsroot/src/bin/ksh/jobs.c,v
 retrieving revision 1.9
 diff -u -r1.9 jobs.c
 --- bin/ksh/jobs.c     25 Feb 2006 00:58:34 -0000      1.9
 +++ bin/ksh/jobs.c     11 Jan 2008 13:34:11 -0000
 @@ -533,7 +533,7 @@
  #ifdef JOB_SIGS
                sigprocmask(SIG_SETMASK, &omask, (sigset_t *) 0);
  #endif /* JOB_SIGS */
 -              errorf("cannot fork - try again");
 +/*            errorf("cannot fork - try again"); */
        }
        ischild = i == 0;
        if (ischild)
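
Review bot: commenting out `errorf("cannot fork - try again");` leaves the fork-failure branch with no diagnostic and lets execution fall through to `ischild = i == 0;`, and it leaves dead code in the file. The message presents this hunk as an illustration of a shell that ignores the fork error rather than as a change to commit, so it should be labelled as such and kept out of the tree; if the line really were to go, delete it instead of commenting it out.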
 
 
 
   Jeremy C. Reed
 


