From: Rich Felker
To: "Skyler Ferrante (RIT Student)"
Cc: Andreas Schwab, Alejandro Colomar, Thorsten Glaser, musl@lists.openwall.com, NRK, Guillem Jover, libc-alpha@sourceware.org, libbsd@lists.freedesktop.org, "Serge E. Hallyn", Iker Pedrosa, Christian Brauner
Date: Mon, 11 Mar 2024 15:47:56 -0400
Message-ID: <20240311194756.GY4163@brightrain.aerifal.cx>
Subject: Re: [musl] Re: Tweaking the program name for functions

On Mon, Mar 11, 2024 at 11:30:04AM -0400, Skyler Ferrante (RIT Student) wrote:
> Hmm, maybe I'm missing something, but it seems you can close(fd) for
> the standard fds and then call execve, and the new process image will
> have no fd 0,1,2. I've tried this on a default Ubuntu 22.04 system.
> This seems to affect shadow-utils and other setuid/setgid binaries.
>
> Here is a repo I built for testing,
> https://github.com/skyler-ferrante/fd_omission/. What is the correct
> glibc behavior? Am I misunderstanding something?

As Florian noted, you're missing that strace cannot invoke it suid.

POSIX explicitly permits the implementation to open these fds if they started closed in suid execs, and IIRC indicates as a future direction that it might be permitted for all execs. We do the same in musl in the suid case.

So really the only way that "writing attacker controlled prefix strings to fd 2" becomes an issue is if the application erroneously closes fd 2 and lets something else get opened on it.

(Aside: making _FORTIFY_SOURCE>1 trap close(n) with n<3 would be an interesting idea... :)

Rich
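As an added example (not code from this thread, nor musl's or glibc's own implementation), here is the guard a privileged program can apply itself at startup, modelled on the behaviour Rich describes POSIX permitting in the suid case: any of fds 0, 1, 2 that starts out closed is filled with /dev/null, so a later open() cannot land on stderr and receive diagnostics. The names fd_is_open and ensure_std_fds are chosen here.

```c
/* Added example: fill closed standard descriptors with /dev/null at
 * program start, as a libc may do on setuid exec.  If fd 2 were left
 * closed, the program's next open() would return 2 and everything it
 * later wrote to stderr would go into that file instead. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Returns 1 if fd refers to an open file description, 0 if it is closed. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Opens /dev/null on each of fds 0..2 that is currently closed.
 * Returns how many descriptors had to be filled, or -1 on error.
 * open() always returns the lowest free descriptor, so walking 0, 1, 2
 * in ascending order fills every hole in place. */
int ensure_std_fds(void)
{
    int filled = 0;
    for (int fd = 0; fd < 3; fd++) {
        if (fd_is_open(fd))
            continue;
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {        /* cannot happen single-threaded; be defensive */
            close(nfd);
            return -1;
        }
        filled++;
    }
    return filled;
}

int main(void)
{
    /* Demonstration: deliberately close stderr, repair it, then restore. */
    int saved = dup(2);
    close(2);
    int n = ensure_std_fds();   /* fills fd 2 with /dev/null */
    dup2(saved, 2);
    close(saved);
    printf("filled %d descriptor(s)\n", n);   /* prints "filled 1 descriptor(s)" */
    return n == 1 ? 0 : 1;
}
```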