[src/trunk]: src/sys From OpenBSD, via FreeBSD: If a set{u, g}id binary is inv...

[christos <christos%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/b2935fb30101
branches:  trunk
changeset: 526023:b2935fb30101
user:      christos <christos%NetBSD.org@localhost>
date:      Tue Apr 23 15:11:25 2002 +0000

description:
>From OpenBSD, via FreeBSD: If a set{u,g}id binary is invoked with fd < 3
closed, open those fds to /dev/null.

XXX: This needs to be fixed in a better way. The kernel should not need to
know about /dev/null or special case 0, 1, 2.

diffstat:

 sys/kern/kern_descrip.c |  65 +++++++++++++++++++++++++++++++++++++++++++++++-
 sys/kern/kern_exec.c    |   8 ++++-
 sys/sys/filedesc.h      |   5 ++-
 3 files changed, 72 insertions(+), 6 deletions(-)

diffs (139 lines):

diff -r 9ace2428e413 -r b2935fb30101 sys/kern/kern_descrip.c
--- a/sys/kern/kern_descrip.c   Tue Apr 23 13:59:03 2002 +0000
+++ b/sys/kern/kern_descrip.c   Tue Apr 23 15:11:25 2002 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: kern_descrip.c,v 1.85 2002/03/08 20:48:40 thorpej Exp $        */
+/*     $NetBSD: kern_descrip.c,v 1.86 2002/04/23 15:11:25 christos Exp $       */
 
 /*
  * Copyright (c) 1982, 1986, 1989, 1991, 1993
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_descrip.c,v 1.85 2002/03/08 20:48:40 thorpej Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_descrip.c,v 1.86 2002/04/23 15:11:25 christos Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -50,6 +50,7 @@
 #include <sys/vnode.h>
 #include <sys/proc.h>
 #include <sys/file.h>
+#include <sys/namei.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/stat.h>
@@ -1374,3 +1375,63 @@
                if (fdp->fd_ofileflags[fd] & UF_EXCLOSE)
                        (void) fdrelease(p, fd);
 }
+
+/*
+ * It is unsafe for set[ug]id processes to be started with file
+ * descriptors 0..2 closed, as these descriptors are given implicit
+ * significance in the Standard C library.  fdcheckstd() will create a
+ * descriptor referencing /dev/null for each of stdin, stdout, and
+ * stderr that is not already open.
+ */
+int
+fdcheckstd(p)
+       struct proc *p;
+{
+       struct nameidata nd;
+       struct filedesc *fdp;
+       struct file *fp;
+       register_t retval;
+       int fd, i, error = 0, flags = FREAD|FWRITE, devnull = -1, logged = 0;
+
+       if ((fdp = p->p_fd) == NULL)
+              return 0;
+       for (i = 0; i < 3; i++) {
+               if (fdp->fd_ofiles[i] != NULL)
+                       continue;
+               if (!logged) {
+                       log(LOG_WARNING, "set{u,g}id pid %d (%s) was invoked "
+                           "with fd 0, 1, or 2 closed\n", p->p_pid, p->p_comm);
+                       logged++;
+               }
+               if (devnull < 0) {
+                       if ((error = falloc(p, &fp, &fd)) != 0)
+                               return error;
+                       NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, "/dev/null",
+                           p);
+                       if ((error = vn_open(&nd, flags, 0)) != 0) {
+                               FILE_UNUSE(fp, p);
+                               ffree(fp);
+                               fdremove(p->p_fd, fd);
+                               return error;
+                       }
+                       fp->f_data = (caddr_t)nd.ni_vp;
+                       fp->f_flag = flags;
+                       fp->f_ops = &vnops;
+                       fp->f_type = DTYPE_VNODE;
+                       VOP_UNLOCK(nd.ni_vp, 0);
+                       devnull = fd;
+               } else {
+restart:
+                       if ((error = fdalloc(p, 0, &fd)) != 0) {
+                               if (error == ENOSPC) {
+                                       fdexpand(p);
+                                       goto restart;
+                               }
+                               return error;
+                       }
+                       if ((error = finishdup(p, devnull, fd, &retval)) != 0)
+                               return error;
+               }
+       }
+       return error;
+}
diff -r 9ace2428e413 -r b2935fb30101 sys/kern/kern_exec.c
--- a/sys/kern/kern_exec.c      Tue Apr 23 13:59:03 2002 +0000
+++ b/sys/kern/kern_exec.c      Tue Apr 23 15:11:25 2002 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: kern_exec.c,v 1.151 2002/04/02 20:18:07 jdolecek Exp $ */
+/*     $NetBSD: kern_exec.c,v 1.152 2002/04/23 15:11:25 christos Exp $ */
 
 /*-
  * Copyright (C) 1993, 1994, 1996 Christopher G. Demetriou
@@ -33,7 +33,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.151 2002/04/02 20:18:07 jdolecek Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.152 2002/04/23 15:11:25 christos Exp $");
 
 #include "opt_ktrace.h"
 #include "opt_syscall_debug.h"
@@ -625,6 +625,10 @@
                 */
                p_sugid(p);
 
+               /* Make sure file descriptors 0..2 are in use. */
+               if ((error = fdcheckstd(p)) != 0)
+                       goto exec_abort;
+
                p->p_ucred = crcopy(cred);
 #ifdef KTRACE
                /*
diff -r 9ace2428e413 -r b2935fb30101 sys/sys/filedesc.h
--- a/sys/sys/filedesc.h        Tue Apr 23 13:59:03 2002 +0000
+++ b/sys/sys/filedesc.h        Tue Apr 23 15:11:25 2002 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: filedesc.h,v 1.23 2001/06/14 20:32:49 thorpej Exp $    */
+/*     $NetBSD: filedesc.h,v 1.24 2002/04/23 15:11:26 christos Exp $   */
 
 /*
  * Copyright (c) 1990, 1993
@@ -114,8 +114,9 @@
 void   fdclear(struct proc *p);
 void   fdfree(struct proc *p);
 void   fdremove(struct filedesc *, int);
-int    fdrelease(struct proc *p, int);
+int    fdrelease(struct proc *, int);
 void   fdcloseexec(struct proc *);
+int    fdcheckstd(struct proc *);
 
 struct file *fd_getfile(struct filedesc *, int);