Re: [SECURITY] FDs 0, 1, 2 for SUID/SGID programs

Chris Wright (chris@wirex.com)
Mon, 22 Apr 2002 12:18:19 -0700

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Denis Vlasenko: "Re: user/system/nice accounting (SMP): need help understanding the code"
Previous message: Sandy Harris: "Re: Adding snapshot capability to Linux"

* Florian Weimer (Weimer@CERT.Uni-Stuttgart.DE) wrote:
> http://www.pine.nl/advisories/pine-cert-20020401.html probably affects
> Linux, too (if a SUID/SGID program is invoked with FD 2 closed, error
> messages might be written to a file opened by the program ).

AFAIK, the standards clearly specify behaviour wrt. open file descriptors
and clone-on-exec file descriptors across execve(). However, there
is nothing specified when it comes to closed file descpriptors across
execve(), notably FD's 0, 1 and 2 are certainly not required to be open
across an execve() of a SUID/SGID applictaion. One could argue that
SUID/SGID apps that trust the file descriptors they inherit across exec()
are buggy.

Having said that, there are a number of implementations of this type
of protection for the linux kernel stemming from the Openwall project.
If you are interested, see:

http://www.openwall.com (CONFIG_SECURE_FD_0_1_2)
http://lsm.immunix.org (CONFIG_OWLSM_FD)
http://grsecurity.net (CONFIG_GRKERNSEC_FD)

cheers,
-chris
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Denis Vlasenko: "Re: user/system/nice accounting (SMP): need help understanding the code"
Previous message: Sandy Harris: "Re: Adding snapshot capability to Linux"