Subject: Re: openat(2) and friends
To: Rhialto <rhialto@azenomei.knuffel.net>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-kern
Date: 03/08/2005 09:24:07

On Tue, Mar 08, 2005 at 05:22:53PM +0100, Rhialto wrote:
> On Tue 08 Mar 2005 at 17:09:01 +0100, Steinar Hamre wrote:
> > > Similar checks are also in sys_fchroot() and sys_chroot(), and in
> > > kern/uipc_usrreq.c:unp_externalize().
> >
> > Ok. I'll add it.
>
> With all these new system calls there are now so many more places where
> this check needs to be added... I was thinking that it would perhaps be
> getting more efficient to do all this checking for fd-s outside the
> chroot area at the time the chroot is done. That is, change the strategy
> from "check when used" to "check when created".

The reason we do it this way is to avoid future vulnerabilities. You're
describing, in effect, a trusted perimeter. Once inside, an fd is ok.

The problem is that if there ever is a way to get an fd into the chroot
area, the chrooted program can get out; there's no more checking.

The overly-aggressive checking we do now ensures that no such issue can
arise.

> That would include the unp_externalize() case when fd-s are passed
> in via a socket, and when a chroot() variant is done, but I don't think
> any other place. The check in sys_chdir() could in theory be removed.

As above, we really want to keep things, "Check when used."

Take care,

Bill
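An added user-space model of the "check when used" test the thread is discussing (not code from the thread or from NetBSD): a vnode is stood in for by its canonical absolute path, and the kernel's ".." lookup by trimming the last component. The check walks upward from the fd's directory and allows the fchdir only if the process root is reached before the real root, which is what makes a per-use check safe against an fd that slipped in by any route, and also avoids the naive prefix-comparison mistake where "/jailed" would pass as being under "/jail".

```c
#include <stdio.h>
#include <string.h>

/* Model of a ".." lookup: write the parent of dir into buf ("/" stays "/"). */
static void parent_dir(const char *dir, char *buf, size_t len) {
    const char *slash = strrchr(dir, '/');
    size_t n = (slash == NULL || slash == dir) ? 1 : (size_t)(slash - dir);
    if (n >= len)
        n = len - 1;
    memcpy(buf, dir, n);
    buf[n] = '\0';
}

/* The "check when used" test, as a kernel would run it on every fchdir():
 * walk from the fd's directory toward the filesystem root and allow the
 * change only if the process root (rdir) is hit first.
 * Returns 0 if allowed, -1 (think EPERM) if the fd points outside rdir.
 * rdir == NULL means the process is not chrooted. */
int fchdir_check(const char *fd_dir, const char *rdir) {
    char cur[256], next[256];

    if (rdir == NULL)
        return 0;
    snprintf(cur, sizeof cur, "%s", fd_dir);
    for (;;) {
        if (strcmp(cur, rdir) == 0)
            return 0;                /* reached the chroot root: inside */
        if (strcmp(cur, "/") == 0)
            return -1;               /* reached the real root first: outside */
        parent_dir(cur, next, sizeof next);
        snprintf(cur, sizeof cur, "%s", next);
    }
}

/* Constructed scenario: a process chrooted to /jail holds an fd that refers
 * to /outside/dir, obtained by some route that did no check at creation
 * time. With per-use checking the fchdir still fails. */
int smuggled_fd_escapes(void) {
    return fchdir_check("/outside/dir", "/jail") == 0;   /* 0: no escape */
}

int main(void) {
    printf("fchdir(/jail/sub) in /jail: %d\n", fchdir_check("/jail/sub", "/jail"));
    printf("fchdir(/outside/dir) in /jail: %d\n", fchdir_check("/outside/dir", "/jail"));
    printf("fchdir(/jailed) in /jail: %d\n", fchdir_check("/jailed", "/jail"));
    return 0;
}
```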
