From: Isaac Dunham <ibid.ag@gmail.com>
To: Brent Cook <bcook@openbsd.org>
Cc: musl@lists.openwall.com, beck@openbsd.org,
Brent Cook <brent@boundary.com>
Subject: Re: [PATCH] implement issetugid(2)
Date: Mon, 14 Jul 2014 19:40:31 -0700 [thread overview]
Message-ID: <20140715024031.GA1747@newbook> (raw)
In-Reply-To: <1405209291-1455-1-git-send-email-bcook@openbsd.org>
On Sat, Jul 12, 2014 at 05:54:51PM -0600, Brent Cook wrote:
> From: Brent Cook <brent@boundary.com>
>
> From OpenBSD 2.0 and later, NetBSD, FreeBSD, OS X and Solaris
> http://www.openbsd.org/cgi-bin/man.cgi?query=issetugid&sektion=2
<snip>
> The fix is to implement the BSD issetugid(2) interface so that a
> portable library can use its presence to determine if the underlying C
> library has a reliable way of determining the value of AT_SECURE, and by
> extension if the library is running with elevated privileges. If the
> call fails, it assumes secure mode rather than falling back to an
> insecure result.
My previous response to your last email didn't get sent to you, for which
I apologize. But to summarize:
-auxval is initialized at ELF load time, so a setuid/setgid binary will
always show up if privileges were gained.
-AT_SECURE was added before filesystem capabilities (prior to kernel 2.6.0,
I believe), so any system where checking AT_SECURE fails and auxval is properly
initialized cannot obtain privileges except by setuid/setgid*
-If auxval is not properly initialized (I'm not aware of any such cases),
it cannot be detected if getauxval() is broken, but looking up AT_E?[UG]ID
will also fail.
In other words, for the fallback used to set libc.secure to "fail open",
you would have to have a 2.4 kernel, the 2.6.x filesystem code
(including filesystem capabilities), AND no backport of AT_SECURE.
[*] Unless we start talking about rootkits; I suspect detecting rootkits
to avoid privilege escalation attacks on the rootkit via environmental
variables doesn't make that much sense. ;)
See below for further comments.
> ---
> include/unistd.h | 3 +++
> src/unistd/issetugid.c | 10 ++++++++++
> 2 files changed, 13 insertions(+)
> create mode 100644 src/unistd/issetugid.c
>
> diff --git a/include/unistd.h b/include/unistd.h
> index bb19cd8..3990c1e 100644
> --- a/include/unistd.h
> +++ b/include/unistd.h
> @@ -109,6 +109,9 @@ uid_t geteuid(void);
> gid_t getgid(void);
> gid_t getegid(void);
> int getgroups(int, gid_t []);
> +#if defined(_BSD_SOURCE)
> +int issetugid(void);
> +#endif
> int setuid(uid_t);
> int setreuid(uid_t, uid_t);
> int seteuid(uid_t);
As a point of style, #ifdef sections stand in separate blocks, after all the
non-ifdef stuff.
> diff --git a/src/unistd/issetugid.c b/src/unistd/issetugid.c
> new file mode 100644
> index 0000000..f538626
> --- /dev/null
> +++ b/src/unistd/issetugid.c
> @@ -0,0 +1,10 @@
> +#include <sys/auxv.h>
> +#include "libc.h"
> +
> +int issetugid(void)
> +{
> + size_t *auxv = libc.auxv;
> + for (; *auxv; auxv+=2)
> + if (*auxv==AT_SECURE) return auxv[1] != 0;
> + return 1;
> +}
This can be "return libc.secure;" unless you're concerned about the possibility
that someone backported filesystem capabilities to a 2.4.x kernel without
bothering to add AT_SECURE to auxval.
Thanks and hope this helps,
Isaac Dunham
next prev parent reply other threads:[~2014-07-15 2:40 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-12 23:54 Brent Cook
2014-07-15 0:57 ` Brent Cook
2014-07-15 0:59 ` Brent Cook
2014-07-15 2:06 ` Brent Cook
2014-07-15 2:40 ` Isaac Dunham [this message]
2014-07-15 4:31 ` Rich Felker
2014-07-15 15:54 ` Brent Cook
-- strict thread matches above, loose matches on Subject: below --
2014-07-12 17:55 Brent Cook
2014-07-12 19:20 ` Rich Felker
2014-07-12 22:18 ` Brent Cook
2014-07-12 23:32 ` Isaac Dunham
2014-07-12 20:12 ` Isaac Dunham
2014-07-12 21:23 ` Brent Cook
2014-07-13 10:39 ` Szabolcs Nagy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140715024031.GA1747@newbook \
--to=ibid.ag@gmail.com \
--cc=bcook@openbsd.org \
--cc=beck@openbsd.org \
--cc=brent@boundary.com \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).