Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 25 Aug 2011 18:54:27 -0400
From: Rich Felker <dalias@...ifal.cx>
To: musl@...ts.openwall.com
Subject: Re: fd 0-2 on SUID/SGID program startup

On Mon, Aug 22, 2011 at 09:07:54PM +0400, Solar Designer wrote:
> Rich,
> 
> As you're probably aware, glibc makes sure that fd 0-2 are open on
> SUID/SGID program startup (opening them to /dev/null / /dev/full if
> they're not already open).  This is needed to prevent misdirected
> reads/writes by programs that use those well-known fd's (in fact, even
> libc itself does) yet also open other files/sockets/whatever (so it may
> get opened on one of these special fd's if they're not already taken).
> 
> I think musl must have the same countermeasure.  I think it lacks it
> currently.
> 
> Do you agree?

I committed code that should handle these cases. The only difference
from the suid check in the dynamic linker is that it does not treat
the absence of the aux vector entries as "secure mode". As far as I
know it's a non-issue anyway because there is no remotely-secure
version of Linux which fails to pass a complete aux vector, but in the
case where it's not possible to determine, I considered it more
correct not to mess with fd 0-2, since doing so for non-suid programs
is non-conforming and potentially breaks things badly. If there's any
real-world case where the aux vector is missing/incomplete, perhaps I
could make fallback code that calls gete?[ug]id() to do the check..
I'd welcome input on whether you think it's necessary.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.