Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime@docserver.cac.washington.edu for more info.
---1059840008-463575604-1187359638=:25626
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Fri, 17 Aug 2007, Glynn Clements wrote:
> > Really? An what if we fork right after startup and perform operations as a
> > child?
>
> That would work, but might have undesirable consequences of its own.
>
> In particular, it prevents a non-malicious caller from using PDEATHSIG
> to send e.g. SIGINT, which the setuid program may reasonably handle.
>
So I don't understand you, whether is the bug in question a DoS issue or not in
your opinion? IOW, do we need to reset pdeath_signal on exec()ing the
setuid/setgid binary or not?
> > > SIGKILL and SIGSTOP cannot be blocked, handled or ignored.
> >
> > As for SIGKILL, I again repeat that the program must operate in a fail safe way
> > when that makes sense.
>
> It's really a question of whether it's possible rather than "making
> sense". Eliminating critical sections is desirable, but it isn't
> always possible.
>
Of course, critical sections are unavoidable, but there can be measures
undertaken to minimize their impact. That is what I talk about.
> > BTW, SIGKILL and SIGSTOP can be issued by an O_ASYNC file I/O also (look in
> > fcntl(2) at F_SETSIG section). If you use F_SETSIG for sending SIGKILL or
> > SIGSTOP, there's nothing to be done with that - that behaviour is well
> > documented and setuid root program must know which file descriptor should be
> > closed to prevent that, which is of course not possible. The only cure here is
> > closing every file descriptor above 2, but that is still insufficient, since
> > fcntl() might be issued on file descriptors from 0 to 2.
>
> The fcntl(2) manpage says:
>
> Sending a signal to the owner process (group) specified by
> F_SETOWN is subject to the same permissions checks as are
> described for kill(2), where the sending process is the one that
> employs F_SETOWN (but see BUGS below).
>
> Also, note the use of the term "permissions checks"; this is
> considered a security mechanism.
>
Yes, I just learned that from the kernel source, so my apologies for the false
alarm :-)
> > And this IS generally impossible. Once spawned setuid root binary that will
> > send a signal while dying, you have no control over the moment the signal is
> > being sent at. The exploitation scenario for this bug is a bit artificial.
>
> IMO, privilege elevation is a security issue regardless of whether or
> not one can provide a "useful" scenario immediately upon the issue
> becoming known.
>
I talked about the severity of this bug here. I see it's much simpler to post
the patch fixing it rather than endlessly discussing it here. Anyway, I'm not
inclined to consider signals a reliable and secure information source. They are
rather a subsidiary facility. Attached a patch that is meant to fix a bug in
question.
--
Sincerely Your, Dan.
---1059840008-463575604-1187359638=:25626
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="linux-2.6.22-pdeathsig.patch"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.44.0708171807180.25626@D00M.lightwave.net.ru>
Content-Description: Patch against Linux 2.6.22 to fix PDEATHSIG bug
Content-Disposition: attachment; filename="linux-2.6.22-pdeathsig.patch"
LS0tIGxpbnV4LTIuNi4yMi9mcy9leGVjLmMucGRlYXRoc2lnCTIwMDctMDct
MDkgMDM6MzI6MTcuMDAwMDAwMDAwICswNDAwDQorKysgbGludXgtMi42LjIy
L2ZzL2V4ZWMuYwkyMDA3LTA4LTE3IDE4OjAxOjI3LjAwMDAwMDAwMCArMDQw
MA0KQEAgLTg5Niw2ICs4OTYsMTYgQEANCiAJCXN1aWRfa2V5cyhjdXJyZW50
KTsNCiAJCWN1cnJlbnQtPm1tLT5kdW1wYWJsZSA9IHN1aWRfZHVtcGFibGU7
DQogCX0NCisJLyoNCisJICogQ2xlYXIgb3V0IHBkZWF0aF9zaWduYWwgZm9y
IHNldHVpZCBleGVjdXRhYmxlcy4NCisJICogVGhpcyBmaXhlcyBhIGJ1ZyB3
aGVyZSBnZW5lcmFsIGtpbGwoKSBwZXJtaXNzaW9uIGNoZWNrcw0KKwkgKiBj
YW4gYmUgZWZmZWN0aXZlbHkgYnlwYXNzZWQgYnkgYWJ1c2luZyBzZXR1aWQg
ZXhlY3V0YWJsZXMuDQorCSAqIE5vdGUsIHdlIGRvbid0IGRvIHRoYXQgZm9y
IHNldGdpZCBleGVjdXRhYmxlcywgc2luY2Uga2lsbCgpDQorCSAqIHBlcm1p
c3Npb24gY2hlY2tpbmcgcm91dGluZSBjaGVja3Mgb25seSBFVUlEL1VJRCB0
byBVSUQvU1VJRA0KKwkgKiBtYXRjaGluZywgc28gc2V0Z2lkIHByb2Nlc3Nl
cyBjYW4gYmUga2lsbGVkIGluIGEgdXN1YWwgd2F5Lg0KKyAgICAgICAgICov
DQorCWlmIChicHJtLT5lX3VpZCAhPSBjdXJyZW50LT5ldWlkKQ0KKwkJY3Vy
cmVudC0+cGRlYXRoX3NpZ25hbCA9IDA7DQogDQogCS8qIEFuIGV4ZWMgY2hh
bmdlcyBvdXIgZG9tYWluLiBXZSBhcmUgbm8gbG9uZ2VyIHBhcnQgb2YgdGhl
IHRocmVhZA0KIAkgICBncm91cCAqLw0K
---1059840008-463575604-1187359638=:25626--
討論串 (同標題文章)
完整討論串 (本文為第 19 之 24 篇):