Subject: Re: fd 0/1/2
To: None <itojun@iijlab.net>
From: Artur Grabowski <art@blahonga.org>
List: tech-security
Date: 05/14/2002 19:49:54
itojun@iijlab.net writes:

> 	sorry for dumb question - does it affect us?
> 
> itojun

I'm pretty sure it doesn't. The code that was imported into NetBSD from FreeBSD
already had the problem fixed.

I screwed up. I noticed this problem ages ago while debugging some other
issue in that code, but instead of fixing it I just added a comment and forgot
about it.

On the other hand, I think you should check for the problem I was debugging
at that time. Since your code does a namei on /dev/null, you should really
make sure that the exec'd vnode is not vop_locked, otherwise there is a great
risk of directory locks creeping up to / before the namei, and namei will
deadlock. (Ignore me if the vnode is unlocked earlier in your exec code.)

This code is triggered all the time by qmail (or was it postfix?), so if you
have users complaining about qmail/postfix locking up the machine, that namei
is where I'd start looking for problems.

//art

> From: Todd C. Miller <Todd.Miller@courtesan.com>
> To: security-announce@openbsd.org
> Subject: Potential localhost root hole
> 
> In July of 1998 the OpenBSD kernel was modified to populate file
> descriptors 0-2 on exec for setuid (and setgid) processes.  This
> was done to defeat an attack on setuid programs that open files for
> writing and also write to descriptors 0-2 (usually via stdin, stdout
> or stderr).
> 
> The fix at that time didn't properly deal with the possibility that
> the allocation of the dummy descriptors could fail due to a full
> file descriptor table.
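A userland counterpart of the kernel check the quoted advisory describes, added here as an example and not code from either message: a privileged program attaches /dev/null to any of descriptors 0-2 that it inherited closed, and treats a failure to do so (for instance because the descriptor table is already full, the case the 1998 fix missed) as fatal rather than carrying on with a later open() landing on stdin, stdout or stderr. The function name `sanitize_stdfds` is my own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Make sure descriptors 0, 1 and 2 are open before the program opens
 * anything else. If one of them is closed, the next open() would reuse
 * that number, and later writes to stdout/stderr would land in that file.
 * Returns 0 on success, -1 if /dev/null could not be attached to a missing
 * descriptor (e.g. open() fails with EMFILE because the table is full). */
int sanitize_stdfds(void)
{
    int nullfd = -1;

    for (int fd = 0; fd <= 2; fd++) {
        /* F_GETFD fails with EBADF only when the descriptor is not open. */
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            continue;

        if (nullfd == -1) {
            nullfd = open("/dev/null", O_RDWR);
            if (nullfd == -1)
                return -1;        /* the failure case the advisory describes */
        }
        /* open() returns the lowest free descriptor, so nullfd may already be
         * fd itself; otherwise copy it into place. */
        if (nullfd != fd && dup2(nullfd, fd) == -1) {
            close(nullfd);
            return -1;
        }
    }
    /* Only close the scratch descriptor if it is not one of 0-2 itself. */
    if (nullfd > 2)
        close(nullfd);
    return 0;
}

int main(void)
{
    /* A setuid program should refuse to continue rather than risk
     * opening its first real file as descriptor 0, 1 or 2. */
    if (sanitize_stdfds() == -1)
        _exit(1);
    return 0;
}
```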