kern/54730: [patch] root can not set arbitrary process title

Christian S.J. Peron maneo at bsdpro.com
Mon Jul 21 16:10:21 PDT 2003


>Number:         54730
>Category:       kern
>Synopsis:       [patch] root can not set arbitrary process title
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 21 16:10:19 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Christian S.J. Peron
>Release:        FreeBSD 5.1-RELEASE i386
>Organization:
Seccuris Inc
>Environment:
System: FreeBSD movl 5.1-RELEASE FreeBSD 5.1-RELEASE #10: Mon Jul 21 00:37:46 CDT 2003 maneo at movl:/usr/src/sys/i386/compile/RAID0 i386


	
>Description:
	There may have been a reason for this; if anyone has
	any feedback or info I would be happy to hear it.

	The sysctl_kern_proc_args() sysctl handler does not
	allow root to set the process title for non-calling
	processes.

	This seems kind of odd to me, considering a section of
	the OID has been reserved for a process ID. In addition to that,
	if this restriction has been put in place for security reasons,
	it can be circumvented quite easily by using the kernel memory interface
	(kvm_getprocs(), kvm_read()/kvm_write(), etc.).

	I have enclosed a kernel patch that does the following:

	1) Check to see if the calling cred is superuser.
	2) If so, allow the superuser to set the process title regardless
	   of what process it is.
	3) Otherwise make sure the user is attempting to change
	   the calling process's title.
	4) If the target process is not the same as the calling process
	   and the user is not a superuser return(EPERM).

	I have tested this patch and it seems to work as expected.

	
>How-To-Repeat:
	N/A
	
>Fix:

--- kern_proc.c.2	Mon Jul 21 00:19:40 2003
+++ kern_proc.c	Mon Jul 21 00:45:43 2003
@@ -1061,11 +1061,15 @@
 		return (0);
 	}
 
-	if (req->newptr && curproc != p) {
-		PROC_UNLOCK(p);
-		return (EPERM);
+	error = suser(curthread);
+	if (error) {
+		if (req->newptr && curproc != p) {
+			PROC_UNLOCK(p);
+			return (EPERM);
+		}
 	}
 
+	error = 0;
 	pa = p->p_args;
 	pargs_hold(pa);
 	PROC_UNLOCK(p);
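Review bot: The privilege check is evaluated for every request, including read-only ones (req->newptr == NULL) and the common case where a process changes its own title (curproc == p), and its result then has to be cleared again by the added `error = 0;` before the handler continues. Consult suser() only when the restriction would actually apply, e.g. `if (req->newptr && curproc != p && suser(curthread) != 0) {` followed by the existing `PROC_UNLOCK(p);` and `return (EPERM);`. That removes the nested if, leaves `error` untouched for the rest of the handler (so the `error = 0;` line is no longer needed), and avoids running a superuser check on behalf of callers that merely read another process's arguments. The behaviour for non-root callers is unchanged by either form: a non-root process still gets EPERM when it tries to write any process's title but its own.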
>Release-Note:
>Audit-Trail:
>Unformatted: