Message-ID: <20110822183204.GB132@brightrain.aerifal.cx>
Date: Mon, 22 Aug 2011 14:32:04 -0400
From: Rich Felker <dalias@...ifal.cx>
To: musl@...ts.openwall.com
Subject: Re: fd 0-2 on SUID/SGID program startup

On Mon, Aug 22, 2011 at 09:07:54PM +0400, Solar Designer wrote:
> Rich,
> 
> As you're probably aware, glibc makes sure that fd 0-2 are open on
> SUID/SGID program startup (opening them to /dev/null / /dev/full if
> they're not already open).  This is needed to prevent misdirected
> reads/writes by programs that use those well-known fd's (in fact, even
> libc itself does) yet also open other files/sockets/whatever (so it may
> get opened on one of these special fd's if they're not already taken).
> 
> I think musl must have the same countermeasure.  I think it lacks it
> currently.
> 
> Do you agree?

Indeed, this is useful, and POSIX explicitly allows that fd 0-2 might
be automatically opened for suid programs. I have an efficient test
using a single syscall:

#include <poll.h>	/* struct pollfd, poll(), POLLNVAL */
#include <fcntl.h>	/* open(), O_RDWR */
struct pollfd pfd[3] = { { .fd = 0 }, { .fd = 1 }, { .fd = 2 } };
poll(pfd, 3, 0);	/* timeout 0: returns at once; closed fds get POLLNVAL */

Then check each of pfd[0..2].revents for POLLNVAL:

int i;
for (i=0; i<3; i++)
	if ((pfd[i].revents&POLLNVAL) && open("/dev/null", O_RDWR)<0)
		*(volatile char *)0=0;	/* deliberate crash on failure, see below */

I assume crashing is the best action on failure to open, but I'd
welcome other ideas... perhaps raising SIGKILL? Plain _exit seems like
a really bad idea as it could be misinterpreted by the parent as a
normal exit.

Rich
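A self-contained version of the check discussed above, added here as an example (it is neither musl's code nor the snippet posted in the message). It reopens closed descriptors in order 0, 1, 2 and verifies that open() actually returned the descriptor being repaired instead of assuming it; ensure_std_fds, fd_is_open and simulate_closed_stderr are assumed names.

```c
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <unistd.h>

/* Check fds 0-2 with a single poll() call and reopen any that are closed
 * on /dev/null. Returns the number of descriptors reopened, or -1 if a
 * reopen fails (a libc startup path would then abort, not continue). */
int ensure_std_fds(void)
{
    struct pollfd pfd[3] = { { .fd = 0 }, { .fd = 1 }, { .fd = 2 } };
    int i, reopened = 0;

    /* timeout 0: poll() returns immediately; POLLNVAL marks closed fds */
    if (poll(pfd, 3, 0) < 0)
        return -1;

    for (i = 0; i < 3; i++) {
        int fd;
        if (!(pfd[i].revents & POLLNVAL))
            continue;
        /* open() hands out the lowest free descriptor; because we fill
         * in order 0, 1, 2 that must be exactly i. Verify, don't assume. */
        fd = open("/dev/null", O_RDWR);
        if (fd != i) {
            if (fd >= 0)
                close(fd);
            return -1;
        }
        reopened++;
    }
    return reopened;
}

/* Is descriptor fd currently open? (F_GETFD fails with EBADF if not.) */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Demo: behave like a parent that started us with stderr closed. */
int simulate_closed_stderr(void)
{
    close(2);
    return ensure_std_fds();
}

int main(void)
{
    int n = simulate_closed_stderr();
    printf("reopened %d descriptor(s); fd 2 open now: %d\n", n, fd_is_open(2));
    return n < 0;
}
```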
