* [SECURITY] FDs 0, 1, 2 for SUID/SGID programs
@ 2002-04-22 14:31 Florian Weimer
2002-04-22 19:18 ` Chris Wright
2002-04-23 9:04 ` Alan Cox
0 siblings, 2 replies; 5+ messages in thread
From: Florian Weimer @ 2002-04-22 14:31 UTC (permalink / raw)
To: linux-kernel
http://www.pine.nl/advisories/pine-cert-20020401.html probably affects
Linux, too (if a SUID/SGID program is invoked with FD 2 closed, error
messages might be written to a file opened by the program ).
--
Florian Weimer Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [SECURITY] FDs 0, 1, 2 for SUID/SGID programs
2002-04-22 14:31 [SECURITY] FDs 0, 1, 2 for SUID/SGID programs Florian Weimer
@ 2002-04-22 19:18 ` Chris Wright
2002-04-23 12:02 ` Alex Riesen
2002-04-23 9:04 ` Alan Cox
1 sibling, 1 reply; 5+ messages in thread
From: Chris Wright @ 2002-04-22 19:18 UTC (permalink / raw)
To: Florian Weimer; +Cc: linux-kernel
* Florian Weimer (Weimer@CERT.Uni-Stuttgart.DE) wrote:
> http://www.pine.nl/advisories/pine-cert-20020401.html probably affects
> Linux, too (if a SUID/SGID program is invoked with FD 2 closed, error
> messages might be written to a file opened by the program ).
AFAIK, the standards clearly specify behaviour wrt. open file descriptors
and clone-on-exec file descriptors across execve(). However, there
is nothing specified when it comes to closed file descpriptors across
execve(), notably FD's 0, 1 and 2 are certainly not required to be open
across an execve() of a SUID/SGID applictaion. One could argue that
SUID/SGID apps that trust the file descriptors they inherit across exec()
are buggy.
Having said that, there are a number of implementations of this type
of protection for the linux kernel stemming from the Openwall project.
If you are interested, see:
http://www.openwall.com (CONFIG_SECURE_FD_0_1_2)
http://lsm.immunix.org (CONFIG_OWLSM_FD)
http://grsecurity.net (CONFIG_GRKERNSEC_FD)
cheers,
-chris
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [SECURITY] FDs 0, 1, 2 for SUID/SGID programs
2002-04-22 14:31 [SECURITY] FDs 0, 1, 2 for SUID/SGID programs Florian Weimer
2002-04-22 19:18 ` Chris Wright
@ 2002-04-23 9:04 ` Alan Cox
1 sibling, 0 replies; 5+ messages in thread
From: Alan Cox @ 2002-04-23 9:04 UTC (permalink / raw)
To: Florian Weimer; +Cc: linux-kernel
> http://www.pine.nl/advisories/pine-cert-20020401.html probably affects
> Linux, too (if a SUID/SGID program is invoked with FD 2 closed, error
> messages might be written to a file opened by the program ).
Unix requires this behaviour. Its an old and common bug to get it
wrong. glibc intentionally provides some cover
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [SECURITY] FDs 0, 1, 2 for SUID/SGID programs
2002-04-22 19:18 ` Chris Wright
@ 2002-04-23 12:02 ` Alex Riesen
2002-04-23 16:12 ` Chris Wright
0 siblings, 1 reply; 5+ messages in thread
From: Alex Riesen @ 2002-04-23 12:02 UTC (permalink / raw)
To: Chris Wright; +Cc: linux-kernel
On Mon, Apr 22, 2002 at 12:18:19PM -0700, Chris Wright wrote:
> * Florian Weimer (Weimer@CERT.Uni-Stuttgart.DE) wrote:
> > http://www.pine.nl/advisories/pine-cert-20020401.html probably affects
> > Linux, too (if a SUID/SGID program is invoked with FD 2 closed, error
> > messages might be written to a file opened by the program ).
>
> AFAIK, the standards clearly specify behaviour wrt. open file descriptors
> and clone-on-exec file descriptors across execve(). However, there
that is close-on-exec. Different semantics.
F_GETFD Read the close-on-exec flag. If the FD_CLOEXEC
bit is 0, the file will remain open across exec,
otherwise it will be closed.
> is nothing specified when it comes to closed file descpriptors across
> execve(), notably FD's 0, 1 and 2 are certainly not required to be open
> across an execve() of a SUID/SGID applictaion. One could argue that
> SUID/SGID apps that trust the file descriptors they inherit across exec()
> are buggy.
>
> Having said that, there are a number of implementations of this type
> of protection for the linux kernel stemming from the Openwall project.
> If you are interested, see:
>
> http://www.openwall.com (CONFIG_SECURE_FD_0_1_2)
> http://lsm.immunix.org (CONFIG_OWLSM_FD)
> http://grsecurity.net (CONFIG_GRKERNSEC_FD)
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [SECURITY] FDs 0, 1, 2 for SUID/SGID programs
2002-04-23 12:02 ` Alex Riesen
@ 2002-04-23 16:12 ` Chris Wright
0 siblings, 0 replies; 5+ messages in thread
From: Chris Wright @ 2002-04-23 16:12 UTC (permalink / raw)
To: Alex Riesen; +Cc: linux-kernel
* Alex Riesen (Alexander.Riesen@synopsys.com) wrote:
> On Mon, Apr 22, 2002 at 12:18:19PM -0700, Chris Wright wrote:
> > and clone-on-exec file descriptors across execve(). However, there
>
> that is close-on-exec. Different semantics.
yes, typo. thanks.
-chris
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2002-04-23 16:13 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2002-04-22 14:31 [SECURITY] FDs 0, 1, 2 for SUID/SGID programs Florian Weimer
2002-04-22 19:18 ` Chris Wright
2002-04-23 12:02 ` Alex Riesen
2002-04-23 16:12 ` Chris Wright
2002-04-23 9:04 ` Alan Cox
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).