Re: Kill system call

Tim Wright (timw@sequent.com)
Fri, 22 Mar 1996 18:05:34 PST


Whoops,
I didn't tell the complete story in my previous email.

There are two issues.

The error return from kill() is correct in that it should return EPERM if
you try to signal a process to which you do not have permission.

However, in this case, the permission check is wrong.
See below...

In message <9603221224.AA25275=aeb@zeus.cwi.nl>,Andries.Brouwer@cwi.nl writes:
> Linus Torvalds:
>
> : Is it broken? It would be reasonably easy to fix, but do we really want to?
>
> I think so, yes. (To both questions.)
> However, the discussion has moved a bit from the original question,
> from something that was broken to something that is quite acceptable.
> The question was: Which permissions are required to send a signal?
>
> Before version 1.2.3 the Linux code was much closer to the POSIX.1
> specifications. Patch-1.2.3 contains the change
>
> diff -u --recursive --new-file v1.2.2/linux/kernel/exit.c linux/kernel/exit.c
> --- v1.2.2/linux/kernel/exit.c Thu Mar 9 20:37:36 1995
> +++ linux/kernel/exit.c Thu Mar 30 15:54:00 1995
> @@ -47,7 +47,7 @@
> if (!p || sig > 32)
> return -EINVAL;
> if (!priv && ((sig != SIGCONT) || (current->session != p->session)) &
> &
> - (current->euid != p->euid) && (current->uid != p->uid) && !suser(
> ))
> + (current->euid != p->euid) && (current->euid != p->uid) && !suser
> ())
> return -EPERM;
> if (!sig)
> return 0;
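Review bot: the replacement condition drops the sender's real uid from the check entirely. After this hunk the only identities compared are current->euid against p->euid and p->uid, so a process whose effective uid differs from its real uid (a set-uid binary, for instance) can no longer signal processes owned by its real uid, while the POSIX.1 wording quoted later in this message allows the sender's real or effective uid to match the receiver's. The condition should compare both current->uid and current->euid against both p->uid and p->euid; if the intent was to let the sender's effective uid match the receiver's real uid, that term should be added alongside the existing `(current->uid != p->uid)` rather than substituted for it.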
>
> and I think this was not an improvement.
> (Of course there are security implications, but I consider POSIX conformance
> more important - user programs can be fixed. Probably this means that a suid
> program must do setuid() if it does not want to be interrupted by a SIGKILL or so.)

Indeed...
this is quite wrong.

POSIX (1990) states:
"For a process to have permission to send a signal to a process designated by
pid, the real or effective user ID of the sending process must match the real
or effective user ID of the receiving process, unless the sending process has
appropriate privileges. If {_POSIX_SAVED_IDS} is defined, the saved set-user-ID
of the receiving process shall be checked in place of its effective user ID."

In other words, the check should look like this:

if (!priv && ((sig != SIGCONT) || (current->session != p->session)) &&
    (current->euid != p->euid) && (current->euid != p->uid) &&
    (current->uid != p->euid) && (current->uid != p->uid) && !suser())
        return -EPERM;

t

--
Tim Wright, Worldwide Technical Services,         |  Email: timw@sequent.com
Sequent Computer Systems Inc., 15450,             |
SW Koll Parkway, Beaverton, Oregon 97006          |  Phone: +1-503-578-3822
"Nobody ever said I was charming, they said "Rimmer, you're a git!"" RD VI
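The three permission checks discussed in this thread (Linux 1.2.2, the 1.2.3 patch, and the POSIX.1-1990 wording), as an added example that is not code from the e-mail or from the Linux kernel tree. Each check is written as a plain function over a constructed credential struct so the variants can be compared on identical inputs. The struct and function names (struct creds, kill_perm_*), the sample uids and sessions, and modelling suser() as "effective uid is 0" are assumptions made for this illustration; the kernel's priv argument is omitted since it only bypasses the check.

```c
#include <errno.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed credential set standing in for the task-structure fields used by
 * the kernel check (uid, euid, session), plus the saved set-user-ID that the
 * POSIX text refers to. */
struct creds {
    unsigned uid;      /* real user ID */
    unsigned euid;     /* effective user ID */
    unsigned suid;     /* saved set-user-ID, used by the POSIX variant when {_POSIX_SAVED_IDS} applies */
    unsigned session;  /* session ID, for the SIGCONT exception */
};

/* Stand-in for the kernel's suser(): "appropriate privileges" means euid 0 here (assumption). */
static bool suser(const struct creds *cur)
{
    return cur->euid == 0;
}

/* SIGCONT to a process in the same session is always allowed, in all three variants. */
static bool sigcont_same_session(const struct creds *cur, const struct creds *p, int sig)
{
    return sig == SIGCONT && cur->session == p->session;
}

/* Linux 1.2.2: permitted if sender euid == receiver euid OR sender uid == receiver uid. */
int kill_perm_1_2_2(const struct creds *cur, const struct creds *p, int sig)
{
    if (sigcont_same_session(cur, p, sig) || suser(cur))
        return 0;
    if (cur->euid != p->euid && cur->uid != p->uid)
        return -EPERM;
    return 0;
}

/* Linux 1.2.3 (the quoted patch): only the sender's effective uid is consulted,
 * against the receiver's effective and real uid; the sender's real uid is ignored. */
int kill_perm_1_2_3(const struct creds *cur, const struct creds *p, int sig)
{
    if (sigcont_same_session(cur, p, sig) || suser(cur))
        return 0;
    if (cur->euid != p->euid && cur->euid != p->uid)
        return -EPERM;
    return 0;
}

/* POSIX.1-1990: the sender's real or effective uid must match the receiver's real
 * or effective uid.  With saved_ids set, the receiver's saved set-user-ID is checked
 * in place of its effective uid, as the quoted standard text describes. */
int kill_perm_posix(const struct creds *cur, const struct creds *p, int sig, bool saved_ids)
{
    unsigned target_eff = saved_ids ? p->suid : p->euid;

    if (sigcont_same_session(cur, p, sig) || suser(cur))
        return 0;
    if (cur->euid != target_eff && cur->euid != p->uid &&
        cur->uid  != target_eff && cur->uid  != p->uid)
        return -EPERM;
    return 0;
}

/* Constructed sample processes; every number is made up for this illustration. */
const struct creds user_shell   = { 1000, 1000, 1000, 1 };  /* ordinary login shell of uid 1000 */
const struct creds suid_child   = { 1000,    0,    0, 1 };  /* set-uid-root program started by that shell */
const struct creds after_setuid = {    0,    0,    0, 1 };  /* the same program after it called setuid(0) */
const struct creds games_prog   = { 1000, 1001, 1001, 2 };  /* set-uid program owned by uid 1001, run by uid 1000 */
const struct creds other_shell  = { 2000, 2000, 2000, 1 };  /* unrelated user, same session as user_shell */

static const char *verdict(int rc)
{
    return rc == 0 ? "ok" : "EPERM";
}

int main(void)
{
    struct { const char *label; const struct creds *from, *to; int sig; } cases[] = {
        { "shell -> own set-uid child (SIGKILL)",     &user_shell,  &suid_child,   SIGKILL },
        { "shell -> child after setuid(0) (SIGKILL)", &user_shell,  &after_setuid, SIGKILL },
        { "set-uid games prog -> own user's shell",   &games_prog,  &user_shell,   SIGTERM },
        { "unrelated user, same session (SIGCONT)",   &other_shell, &user_shell,   SIGCONT },
        { "unrelated user, same session (SIGTERM)",   &other_shell, &user_shell,   SIGTERM },
    };
    printf("%-44s %-6s %-6s %-6s %s\n", "case", "1.2.2", "1.2.3", "POSIX", "POSIX+saved");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-44s %-6s %-6s %-6s %s\n", cases[i].label,
               verdict(kill_perm_1_2_2(cases[i].from, cases[i].to, cases[i].sig)),
               verdict(kill_perm_1_2_3(cases[i].from, cases[i].to, cases[i].sig)),
               verdict(kill_perm_posix(cases[i].from, cases[i].to, cases[i].sig, false)),
               verdict(kill_perm_posix(cases[i].from, cases[i].to, cases[i].sig, true)));
    }
    return 0;
}
```

The third case is the one the 1.2.3 patch gets wrong: a process running with a different effective uid inside a set-uid program is refused permission to signal its own user's shell, although both 1.2.2 and the POSIX wording allow it because the real uids match. The first two cases show the point made in the quoted reply: a set-uid-root program started by a user can be killed by that user under every variant until it calls setuid(0), after which none of its ids match the sender's and all three checks return EPERM.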