kern/54730: [patch] root can not set arbitrary process title
Christian S.J. Peron
maneo at bsdpro.com
Mon Jul 21 16:10:21 PDT 2003
>Number: 54730
>Category: kern
>Synopsis: [patch] root can not set arbitrary process title
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Jul 21 16:10:19 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Christian S.J. Peron
>Release: FreeBSD 5.1-RELEASE i386
>Organization:
Seccuris Inc
>Environment:
System: FreeBSD movl 5.1-RELEASE FreeBSD 5.1-RELEASE #10: Mon Jul 21 00:37:46 CDT 2003 maneo at movl:/usr/src/sys/i386/compile/RAID0 i386
>Description:
There may have been a reason for this; if anyone has
any feedback or info, I would be happy to hear it.
The sysctl_kern_proc_args() sysctl handler does not
allow root to set the process title for non-calling
processes.
This seems kind of odd to me, considering a section of
the OID has been reserved for a process ID. In addition to that,
if this restriction has been put in place for security reasons,
it can be circumvented quite easily by using the kernel memory interface
(kvm_getprocs(), kvm_read{write}(), etc.).
I have enclosed a kernel patch that does the following:
1) Check to see if the calling cred is superuser.
2) If so, allow the superuser to set the process title regardless
of what process it is.
3) Otherwise make sure the user is attempting to change
the calling process's title.
4) If the target process is not the same as the calling process
and the user is not a superuser, return(EPERM).
I have tested this patch and it seems to work as expected.
>How-To-Repeat:
N/A
>Fix:
--- kern_proc.c.2 Mon Jul 21 00:19:40 2003
+++ kern_proc.c Mon Jul 21 00:45:43 2003
@@ -1061,11 +1061,15 @@
return (0);
}
- if (req->newptr && curproc != p) {
- PROC_UNLOCK(p);
- return (EPERM);
+ error = suser(curthread);
+ if (error) {
+ if (req->newptr && curproc != p) {
+ PROC_UNLOCK(p);
+ return (EPERM);
+ }
}
+ error = 0;
pa = p->p_args;
pargs_hold(pa);
PROC_UNLOCK(p);
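Review bot: the added suser(curthread) call runs on every pass through this path, including plain reads (req->newptr not set) and a process changing its own title, where its result decides nothing; the result is also parked in error, which is why the added "error = 0;" is needed afterwards. Consider evaluating the privilege check only for the case it governs, for example "if (req->newptr && curproc != p && suser(curthread) != 0) {" in place of the original condition, keeping the existing PROC_UNLOCK(p) and return (EPERM) body. That removes the nested if and the reset of error, and leaves error untouched for the code that follows. A one-line comment saying that only the superuser may write another process's arguments would record the intent, since the description itself asks why the restriction was there.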
>Release-Note:
>Audit-Trail:
>Unformatted: