Board: FB_security
Title: Re: Opinion on checking return value of setuid(getuid())?
Posted from: NCTU CS FreeBSD Server (Mon Oct 1 21:49:01 2012)
On Mon, Oct 01, 2012 at 12:31:21PM +0200, Erik Cederstrand wrote:
> I'm looking through the clang analyzer reports and found this one: http://scan.freebsd.your.org/freebsd-head/sbin.ping/2012-09-30-amd64/report-R9ZgC6.html#EndPath
>
> It's complaining that, if setuid() fails for some reason, the process will continue with root privileges because the process is suid root.
>
> At first glance, it seems unnecessary to check the return value of "setuid(getuid())" since the user should always be able to drop privileges to itself. So I filed this bug with LLVM: http://llvm.org/bugs/show_bug.cgi?id=13979
>
> It turns out that setuid() *may* fail if the user hits its process limit. Apparently FreeBSD doesn't check the limit in the specific setuid(getuid()) case (I can't find the code anywhere right now) so this is not an issue, but Linux does. However, if FreeBSD decides to change the setuid() implementation at some point, the issue may surface again.
>
> A simple fix would be something like:
>
> Index: /freebsd/repos/head_scratch/src/sbin/ping/ping.c
> ===================================================================
> --- /freebsd/repos/head_scratch/src/sbin/ping/ping.c (revision 240960)
> +++ /freebsd/repos/head_scratch/src/sbin/ping/ping.c (working copy)
> @@ -255,7 +255,8 @@
> s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
> sockerrno = errno;
>
> - setuid(getuid());
> + if (setuid(getuid()) != 0)
> + err(EX_NOPERM, "setuid() failed");
> uid = getuid();
>
> alarmtimeout = df = preload = tos = 0;
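Review bot: EX_NOPERM is defined in <sysexits.h> and this hunk adds no include, so confirm ping.c already pulls that header in before the new err() call. The placement itself is sound: the raw socket is created and sockerrno saved on the two lines above the check, so err() reports setuid()'s own errno rather than the socket's, and the only privileged operation has already completed when the process exits on a failed drop. What the hunk does not settle is whether aborting is the intended behaviour for ping (as opposed to continuing with the privileges the analyzer warns about); state that choice in the commit message so the other ~200 call sites can follow one rule.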
>
>
> There's an alternative approach for NetBSD with a patch to kern_exec.c here: http://mail-index.netbsd.org/tech-security/2008/01/12/msg000026.html but I have no idea if this applies to FreeBSD.
>
> I'd like an opinion on which way to go before filing PRs because we have around 200 of these warnings in the FreeBSD repo.
>
> Thanks,
> Erik
setuid() might also fail for other reasons, e.g. due to a custom MAC module.
In the case of ping, is the failure to drop the suid bit important?
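A worked version of the check discussed in this thread, added here as an example; it is not code from ping(8) or from either poster, and the function names drop_to_real_uid() and open_raw_icmp_then_drop() are my own. It goes one step beyond the patch: after setuid() returns it verifies that the ids actually changed and that root cannot be regained, so a "successful" call that silently left the process privileged is caught as well.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <err.h>
#include <errno.h>
#include <sysexits.h>
#include <unistd.h>

/*
 * Drop privileges to the real uid and verify the drop.  Returns 0 when the
 * process is now unprivileged, -1 with errno set otherwise.  The return
 * value must be checked: setuid() can fail (e.g. EAGAIN at the process
 * limit on Linux, or a MAC policy refusing the change), and a silent
 * failure leaves a setuid-root program running as root.
 */
int
drop_to_real_uid(void)
{
	uid_t ruid = getuid();

	if (setuid(ruid) != 0)
		return (-1);		/* errno left as set by setuid() */
	if (getuid() != ruid || geteuid() != ruid) {
		errno = EPERM;		/* call returned 0 but ids did not change */
		return (-1);
	}
	/* For a non-root caller, regaining root must be impossible now. */
	if (ruid != 0 && setuid(0) == 0) {
		errno = EPERM;
		return (-1);
	}
	return (0);
}

/*
 * Same ordering as the ping(8) hunk: perform the single privileged
 * operation first, remember its errno, then drop privileges before doing
 * anything else.  Returns the raw socket (or -1 with *sockerrno set) once
 * privileges are gone; exits via err(3) if the drop fails, as the patch
 * proposes.
 */
int
open_raw_icmp_then_drop(int *sockerrno)
{
	int s;

	s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
	*sockerrno = errno;
	if (drop_to_real_uid() != 0)
		err(EX_NOPERM, "setuid() failed");
	return (s);
}
```

Run as an unprivileged user the raw socket open fails with EPERM and sockerrno records that, exactly as ping defers the error; run setuid-root it succeeds and the process is unprivileged by the time the function returns.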