bin/80798: mount_portal pipe leaves file descriptors open for child
processes
Michael Hohmuth
hohmuth at sax.de
Sun May 8 13:20:07 PDT 2005
>Number: 80798
>Category: bin
>Synopsis: mount_portal pipe leaves file descriptors open for child processes
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun May 08 20:20:06 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Michael Hohmuth
>Release: FreeBSD 4.11-STABLE i386
>Organization:
none
>Environment:
System: FreeBSD olymp.sax.de 4.11-STABLE FreeBSD 4.11-STABLE #25: Thu May 5 22:49:15 CEST 2005 root at olymp.sax.de:/usr/obj/usr/src/sys/OLYMP i386
>Description:
Commands invoked through the portal file system's "pipe" namespace
inherit some file descriptors from the mount_portal daemon. This has
two undesirable effects:
1. Files used by mount_portal, including the socket it uses for
communicating with the kernel part of the portal file system, are
available to the spawned command. This could be a security problem.
2. The inactive end of the pipe (stdin for programs whose output is
read, and stdout for programs that are fed input) is wired to
/dev/null. As this is hard or impossible to detect from within the
program, it is virtually impossible to write programs that can act
both as the read and the write end of the pipe. However, this type
of program is desirable for programs acting as gateways or
translators.
>How-To-Repeat:
Install a current copy of "lsof", then run the following commands (as
any user):
echo 'lsof -p $$' > /tmp/lsof
cat '/p/pipe/bin/sh /tmp/lsof'
You should see something like this:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sh 7628 hohmuth cwd VDIR 116,196608 1024 2 /
sh 7628 hohmuth rtd VDIR 116,196608 1024 2 /
sh 7628 hohmuth txt VREG 116,196608 461440 44131 /bin/sh
sh 7628 hohmuth 0u VCHR 2,2 0t35 21979 /dev/null
sh 7628 hohmuth 1u PIPE 0xce0222a0 16384 ->0xce0223e0
sh 7628 hohmuth 2u PIPE 0xce0227a0 16384 ->0xce022020
sh 7628 hohmuth 3r VREG 116,196608 1070 22651 /etc/fstab
sh 7628 hohmuth 5u unix 0xcc9bb140 0t0 /tmp/portalILOGROXwic
sh 7628 hohmuth 10r VREG 253,0 11 56 /tmp/lsof
As you can see, the spawned shell still has /etc/fstab and
/tmp/portalILOGROXwic open (problem 1), and stdin is wired to
/dev/null (problem 2).
>Fix:
To fix problem 1: Close (or do not inherit) all file descriptors >= 3
before execing the child program.
To fix problem 2: Close the child program's stdin when ``reading from
the program,'' or stdout when ``writing to the program,''
respectively.
>Release-Note:
>Audit-Trail:
>Unformatted:
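The fix proposed for problem 1, as an added example that is not part of the original report or of mount_portal's source: the child closes every descriptor >= 3 at the point where it would exec the command, and the parent reads back how many were still open. The function names, the 65536 scan cap, and the /dev/null file and socketpair standing in for /etc/fstab and the portal socket are assumptions made for the example.

```c
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: cap the scan, since sysconf(_SC_OPEN_MAX) can be huge. */
static long fd_limit(void)
{
    long n = sysconf(_SC_OPEN_MAX);
    return (n < 0 || n > 65536L) ? 65536L : n;
}

/* Close every descriptor >= lowfd; call in the child just before exec. */
void close_fds_from(int lowfd)
{
    long max = fd_limit();
    for (long fd = lowfd; fd < max; fd++)
        (void)close((int)fd); /* EBADF on unused slots is expected */
}

/* Count descriptors >= 3 still open in the calling process. */
int open_fds_above_stdio(void)
{
    int n = 0;
    long max = fd_limit();
    for (long fd = 3; fd < max; fd++)
        n += (fcntl((int)fd, F_GETFD) != -1);
    return n;
}

/* Constructed stand-in for the daemon: hold a file and a socket open, fork,
 * and report how many descriptors >= 3 the child sees where it would exec.
 * Returns -1 on setup failure. */
int leaked_fds_in_child(int harden)
{
    int sv[2], status = 0, cfg = open("/dev/null", O_RDONLY);
    if (cfg < 0) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { close(cfg); return -1; }
    pid_t pid = fork();
    if (pid == 0) {
        if (harden) close_fds_from(3);
        int n = open_fds_above_stdio();
        _exit(n > 255 ? 255 : n); /* exit status carries the count */
    }
    close(cfg); close(sv[0]); close(sv[1]);
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

On systems that provide closefrom(3), a single call to it replaces the loop in close_fds_from().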