[kde-freebsd] virtualbox file dialog problem
Andriy Gapon
avg at FreeBSD.org
Wed Aug 28 12:24:29 UTC 2013
on 28/08/2013 15:09 Andriy Gapon said the following:
> Now a description of the problem.
>
> 1. VirtualBox executable is installed setuid root. Apparently, when it is run
> it does some privileged things and then drops all of the uids and gids (real,
> effective and saved) back to what they should have been originally.
> VirtualBox does not do any (re-)exec of itself after the above manipulations.
>
> 2. issetugid(2) (which is apparently a BSD extension) on FreeBSD does not
> consider the above manipulations as sufficient to mark an executable as
> untainted. So it would return 1 for the VirtualBox process.
>
> 3. dbus code seems to impose some limitations on communication by such "tainted"
> processes. It has the following code:
> http://cgit.freedesktop.org/dbus/dbus/tree/dbus/dbus-sysdeps-unix.c#n4139
> For web-impaired :) the gist is that on BSD systems the code uses issetugid but
> on other systems (like Linux) it uses getresuid and getresgid and checks that
> all 3 uids are the same and all 3 gids are the same.
>
> As a result, on FreeBSD the dbus code would consider the VirtualBox process
> tainted and that impairs its communication with KDE components.
> On systems without issetugid or those that implement it differently, dbus would
> work as for a normal process and all the communications are OK.
>
> I've also verified this conclusion by forcing dbus to use the alternative logic
> on FreeBSD.
>
> So, possible solutions:
[snip]
> B. change VirtualBox to be friendly to FreeBSD issetugid(2) and exec itself
> after dropping the privileges
[snip]
BTW, I've just found this "interesting" code in the VirtualBox sources (forgive
me a full paste, but I couldn't resist):
#if defined(RT_OS_DARWIN)
# include <dlfcn.h>
# include <sys/mman.h>
# include <iprt/asm.h>
# include <iprt/system.h>
/** Really ugly hack to shut up a silly check in AppKit. */
static void ShutUpAppKit(void)
{
/* Check for Snow Leopard or higher */
char szInfo[64];
int rc = RTSystemQueryOSInfo (RTSYSOSINFO_RELEASE, szInfo, sizeof(szInfo));
if ( RT_SUCCESS (rc)
&& szInfo[0] == '1') /* higher than 1x.x.x */
{
/*
* Find issetguid() and make it always return 0 by modifying the code.
*/
void *addr = dlsym(RTLD_DEFAULT, "issetugid");
int rc = mprotect((void *)((uintptr_t)addr & ~(uintptr_t)0xfff), 0x2000,
PROT_WRITE|PROT_READ|PROT_EXEC);
if (!rc)
ASMAtomicWriteU32((volatile uint32_t *)addr, 0xccc3c031); /* xor
eax, eax; ret; int3 */
}
}
#endif /* DARWIN */
--
Andriy Gapon
More information about the freebsd-hackers
mailing list