bin/80798: mount_portal pipe leaves file descriptors open for child processes

Michael Hohmuth hohmuth at sax.de
Sun May 8 13:20:07 PDT 2005


>Number:         80798
>Category:       bin
>Synopsis:       mount_portal pipe leaves file descriptors open for child processes
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 08 20:20:06 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Michael Hohmuth
>Release:        FreeBSD 4.11-STABLE i386
>Organization:
none
>Environment:
System: FreeBSD olymp.sax.de 4.11-STABLE FreeBSD 4.11-STABLE #25: Thu May 5 22:49:15 CEST 2005 root at olymp.sax.de:/usr/obj/usr/src/sys/OLYMP i386

	
>Description:
Commands invoked through the portal file system's "pipe" namespace
inherit some file descriptors from the mount_portal daemon.  This has
two undesirable effects:

1. Files used by mount_portal, including the socket it uses for
   communicating with the kernel part of the portal file system, are
   available to the spawned command.  This could be a security problem.

2. The inactive end of the pipe (stdin for programs whose output is
   read, and stdout for programs that are fed input) is wired to
   /dev/null.  As this is hard or impossible to detect from within the
   program, it is virtually impossible to write programs that can act
   both as the read and the write end of the pipe.  However, this type
   of program is desirable for programs acting as gateways or
   translators.

>How-To-Repeat:
Install a current copy of "lsof", then run the following commands (as
any user):

echo 'lsof -p $$' > /tmp/lsof
cat '/p/pipe/bin/sh /tmp/lsof'

You should see something like this:

COMMAND  PID    USER   FD   TYPE     DEVICE SIZE/OFF  NODE NAME
sh      7628 hohmuth  cwd   VDIR 116,196608     1024     2 /
sh      7628 hohmuth  rtd   VDIR 116,196608     1024     2 /
sh      7628 hohmuth  txt   VREG 116,196608   461440 44131 /bin/sh
sh      7628 hohmuth    0u  VCHR        2,2     0t35 21979 /dev/null
sh      7628 hohmuth    1u  PIPE 0xce0222a0    16384       ->0xce0223e0
sh      7628 hohmuth    2u  PIPE 0xce0227a0    16384       ->0xce022020
sh      7628 hohmuth    3r  VREG 116,196608     1070 22651 /etc/fstab
sh      7628 hohmuth    5u  unix 0xcc9bb140      0t0       /tmp/portalILOGROXwic
sh      7628 hohmuth   10r  VREG      253,0       11    56 /tmp/lsof

As you can see, the spawned shell still has /etc/fstab and
/tmp/portalILOGROXwic open (problem 1), and stdin is wired to
/dev/null (problem 2).

>Fix:

To fix problem 1: Close (or do not inherit) all file descriptors >= 3
before execing the child program.

To fix problem 2: Close the child program's stdin when ``reading from
the program,'' or stdout when ``writing to the program,''
respectively.
>Release-Note:
>Audit-Trail:
>Unformatted:
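
The fix proposed for problem 1, as an added example that is not part of the original report and is not mount_portal's own code. The function names, the /dev/null stand-ins for the daemon's private files, and the 65536 scan cap are assumptions made for this sketch.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Scan bound; capped (assumption for this demo) so the loops stay fast. */
static int fd_limit(void) {
    long max = sysconf(_SC_OPEN_MAX);
    return (max < 0 || max > 65536) ? 65536 : (int)max;
}

/* Problem 1 fix: close every descriptor >= 3 before exec. */
static void close_inherited(void) {
    for (int fd = 3, max = fd_limit(); fd < max; fd++)
        close(fd);
}

/* Count descriptors >= 3 still open in the calling process. */
static int count_open_from3(void) {
    int n = 0;
    for (int fd = 3, max = fd_limit(); fd < max; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Opens two stand-in private descriptors, forks, and returns how many
 * descriptors >= 3 the child holds where it would exec (-1 on error). */
int leaked_in_child(int harden) {
    int a = open("/dev/null", O_RDONLY);   /* stands in for /etc/fstab */
    int b = open("/dev/null", O_RDWR);     /* stands in for the portal socket */
    int status = 0, result = -1;
    pid_t pid = (a < 0 || b < 0) ? -1 : fork();
    if (pid == 0) {
        if (harden) close_inherited();
        int n = count_open_from3();        /* a real daemon would execv() here */
        _exit(n > 255 ? 255 : n);
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        result = WEXITSTATUS(status);
    if (a >= 0) close(a);
    if (b >= 0) close(b);
    return result;
}

int main(void) {
    printf("plain fork: %d extra fds\n", leaked_in_child(0));
    printf("with close loop: %d extra fds\n", leaked_in_child(1));
    return 0;
}
```

The "do not inherit" alternative from the Fix section corresponds to setting FD_CLOEXEC on each private descriptor with fcntl(fd, F_SETFD, FD_CLOEXEC) when the daemon opens it.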

