From: Rich Felker
To: musl@lists.openwall.com
Subject: Re: fd 0-2 on SUID/SGID program startup
Date: Thu, 25 Aug 2011 18:54:27 -0400
Message-ID: <20110825225427.GH132@brightrain.aerifal.cx>
In-Reply-To: <20110822170754.GA16515@openwall.com>
User-Agent: Mutt/1.5.21 (2010-09-15)

On Mon, Aug 22, 2011 at 09:07:54PM +0400, Solar Designer wrote:
> Rich,
>
> As you're probably aware, glibc makes sure that fd 0-2 are open on
> SUID/SGID program startup (opening them to /dev/null / /dev/full if
> they're not already open). This is needed to prevent misdirected
> reads/writes by programs that use those well-known fd's (in fact, even
> libc itself does) yet also open other files/sockets/whatever (so it may
> get opened on one of these special fd's if they're not already taken).
>
> I think musl must have the same countermeasure. I think it lacks it
> currently.
>
> Do you agree?

I committed code that should handle these cases. The only difference
from the suid check in the dynamic linker is that it does not treat the
absence of the aux vector entries as "secure mode". As far as I know
it's a non-issue anyway because there is no remotely-secure version of
Linux which fails to pass a complete aux vector, but in the case where
it's not possible to determine, I considered it more correct not to mess
with fd 0-2, since doing so for non-suid programs is non-conforming and
potentially breaks things badly.

If there's any real-world case where the aux vector is
missing/incomplete, perhaps I could make fallback code that calls
gete?[ug]id() to do the check. I'd welcome input on whether you think
it's necessary.

Rich
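The startup countermeasure discussed in this thread, written out as an added illustration (this is not musl's or glibc's own code): decide secure mode from AT_SECURE, fall back to the real-vs-effective id comparison Rich floats only when the aux entry is absent, and open /dev/null or /dev/full on whichever of fd 0-2 is closed. The names fd_is_open, in_secure_mode and ensure_std_fds are chosen here.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>
#endif

/* Is fd a valid open descriptor?  F_GETFD has no side effects and
 * fails with EBADF exactly when the descriptor is not open. */
int fd_is_open(int fd)
{
    errno = 0;
    if (fcntl(fd, F_GETFD) != -1)
        return 1;
    return errno != EBADF;
}

/* Secure-mode check: the kernel sets AT_SECURE when the exec raised
 * privileges.  If the entry is present and zero, trust it (not secure).
 * Only if it is absent (ENOENT) use the uid/gid fallback; this is the
 * fallback policy floated in the thread, not what musl ships. */
int in_secure_mode(void)
{
#ifdef __linux__
    errno = 0;
    if (getauxval(AT_SECURE))
        return 1;
    if (errno != ENOENT)
        return 0;
#endif
    return geteuid() != getuid() || getegid() != getgid();
}

/* Walk fd 0..2 in ascending order so that open() hands back exactly the
 * number being repaired (it always returns the lowest free fd).  stdin
 * gets /dev/null; stdout/stderr get /dev/full so stray writes fail with
 * ENOSPC instead of silently succeeding.  No O_CLOEXEC: the descriptors
 * must stay open for the program.  Returns how many fds were opened,
 * or -1 if one could not be secured. */
int ensure_std_fds(int secure)
{
    static const char *const path[3] = { "/dev/null", "/dev/full", "/dev/full" };
    static const int flag[3] = { O_RDONLY, O_WRONLY, O_WRONLY };
    int fixed = 0;
    if (!secure)
        return 0;                      /* non-suid: do not touch fd 0-2 */
    for (int fd = 0; fd < 3; fd++) {
        if (fd_is_open(fd))
            continue;
        int got = open(path[fd], flag[fd] | O_NOCTTY);
        if (got != fd) {               /* open failed or landed elsewhere */
            if (got >= 0) close(got);
            return -1;
        }
        fixed++;
    }
    return fixed;
}
```

Call ensure_std_fds(in_secure_mode()) before the first open() in process startup; anything later would inherit the misdirected descriptor the thread warns about.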