Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20110825225427.GH132@brightrain.aerifal.cx>
Date: Thu, 25 Aug 2011 18:54:27 -0400
From: Rich Felker <dalias@...ifal.cx>
To: musl@...ts.openwall.com
Subject: Re: fd 0-2 on SUID/SGID program startup

On Mon, Aug 22, 2011 at 09:07:54PM +0400, Solar Designer wrote:
> Rich,
> 
> As you're probably aware, glibc makes sure that fd 0-2 are open on
> SUID/SGID program startup (opening them to /dev/null / /dev/full if
> they're not already open).  This is needed to prevent misdirected
> reads/writes by programs that use those well-known fd's (in fact, even
> libc itself does) yet also open other files/sockets/whatever (so it may
> get opened on one of these special fd's if they're not already taken).
> 
> I think musl must have the same countermeasure.  I think it lacks it
> currently.
> 
> Do you agree?

I committed code that should handle these cases. The only difference
from the suid check in the dynamic linker is that it does not treat
the absence of the aux vector entries as "secure mode". As far as I
know it's a non-issue anyway because there is no remotely-secure
version of Linux which fails to pass a complete aux vector, but in the
case where it's not possible to determine, I considered it more
correct not to mess with fd 0-2, since doing so for non-suid programs
is non-conforming and potentially breaks things badly. If there's any
real-world case where the aux vector is missing/incomplete, perhaps I
could make fallback code that calls gete?[ug]id() to do the check..
I'd welcome input on whether you think it's necessary.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.