[PATCH] [SECURITY] suid procs exec'd with bad 0,1,2 fds
Zachary Amsden (amsdenz@aavid.com)
Mon, 3 Aug 1998 11:56:24 -0400
If a privileged process is exec'd by a user who closes
file descriptors on it, many poorly written programs do
not notice and libc printf functions may have access to
any files opened. This can be used to crash the system
by corrupting memory or in some cases, compromise root.

This doesn't attempt to fix the fds for such a process,
that would be not quite right in a chrooted environment
with no /dev/null, and creating fake dentries and inode
is too much work for something that is not quite useful.
Instead, we just fall through the standard error checks
and return EPERM.

P.S. Linus and Alan - my earlier version of this got
mangled, this is the real one.

Zachary Amsden
amsden@andrew.cmu.edu
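An added example, not part of the original post or of the kernel patch: a user-space counterpart to the check described above, which a privileged program can run first thing at startup. The function names are hypothetical; it assumes /dev/null is reachable and fails closed when it is not (the chroot case the message mentions), in the same spirit as returning EPERM.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if fd refers to an open file, 0 if the slot is closed (EBADF). */
static int std_fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/* Fill every closed slot among 0,1,2 with /dev/null so that a later open()
 * in the program cannot land on a descriptor that printf() writes to.
 * Returns the number of slots repaired, or -1 if a slot cannot be filled;
 * the caller must then refuse to continue. */
static int sanitize_std_fds(void)
{
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (std_fd_is_open(fd))
            continue;
        /* Lower slots are open by now, so open() must return fd itself. */
        int got = open("/dev/null", O_RDWR);
        if (got != fd) {
            if (got >= 0)
                close(got);
            return -1;
        }
        repaired++;
    }
    return repaired;
}

/* Constructed scenario: a child starts with `victim` closed, then runs the
 * guard. Returns 1 if the closed slot was detected and repaired. */
static int guard_repairs_closed_fd(int victim)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(victim);
        int was_closed = !std_fd_is_open(victim);
        int n = sanitize_std_fds();
        _exit(was_closed && n >= 1 && std_fd_is_open(victim) ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

A privileged program would call `sanitize_std_fds()` before opening any file or writing any output, and exit immediately on `-1`.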