Re: [SECURITY] FDs 0, 1, 2 for SUID/SGID programs

From: Remco Post (r.post@sara.nl)
Date: Tue Apr 23 2002 - 08:57:08 EST

Next message: Harley Stenzel: "Re: BUG: 2 NICs on same network"
Previous message: Dag Bakke: "Re: BUG: 2 NICs on same network"
In reply to: Alex Riesen: "Re: [SECURITY] FDs 0, 1, 2 for SUID/SGID programs"
Next in thread: Chris Wright: "Re: [SECURITY] FDs 0, 1, 2 for SUID/SGID programs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

having thought about this problem for a day or so, I don't think this is
a kernel issue. One cannot simply solve typical userland problems in the
OS. The only proper way to solve this is for apps to check that fd 0 1 2
are open before they open any file or try to write to any of those fd's.
Maybe the code that is executed before main is called can perform these
checks, but certainly not a kernel...

Guess that from now on app developers will have to do even more checking
on their environment before they use it...

On Tue, 23 Apr 2002 14:02:39 +0200
"Alex Riesen" <Alexander.Riesen@synopsys.com> wrote:

> > is nothing specified when it comes to closed file descpriptors
> > across execve(), notably FD's 0, 1 and 2 are certainly not required
> > to be open across an execve() of a SUID/SGID applictaion. One could
> > argue that SUID/SGID apps that trust the file descriptors they
> > inherit across exec() are buggy.
> >
> > Having said that, there are a number of implementations of this type
> > of protection for the linux kernel stemming from the Openwall
> > project. If you are interested, see:
> >
> > http://www.openwall.com (CONFIG_SECURE_FD_0_1_2)
> > http://lsm.immunix.org (CONFIG_OWLSM_FD)
> > http://grsecurity.net (CONFIG_GRKERNSEC_FD)
> -
> To unsubscribe from this list: send the line "unsubscribe
> linux-kernel" in the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/

-- Met vriendelijke groeten,

Remco Post

SARA - Stichting Academisch Rekencentrum Amsterdam http://www.sara.nl High Performance Computing Tel. +31 20 592 8008 Fax. +31 20 668 3167

"I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/

Next message: Harley Stenzel: "Re: BUG: 2 NICs on same network"
Previous message: Dag Bakke: "Re: BUG: 2 NICs on same network"
In reply to: Alex Riesen: "Re: [SECURITY] FDs 0, 1, 2 for SUID/SGID programs"
Next in thread: Chris Wright: "Re: [SECURITY] FDs 0, 1, 2 for SUID/SGID programs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Tue Apr 23 2002 - 22:00:35 EST