From darrylo@hpnmhjw.sr.hp.com  Tue Aug 27 22:38:23 1996
Received: from relay.hp.com (relay.hp.com [15.255.152.2])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA01186
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 27 Aug 1996 22:38:23 -0700 (PDT)
Received: from srmail.sr.hp.com by relay.hp.com with ESMTP
	(1.37.109.16/15.5+ECS 3.3) id AA099140700; Tue, 27 Aug 1996 22:38:21 -0700
Received: from hpnmhjw.sr.hp.com by srmail.sr.hp.com with ESMTP
	(1.37.109.16/15.5+ECS 3.3) id AA143450699; Tue, 27 Aug 1996 22:38:20 -0700
Received: from mina.sr.hp.com by hpnmhjw.sr.hp.com with SMTP
	(1.37.109.16/15.5+ECS 3.3) id AA065290699; Tue, 27 Aug 1996 22:38:19 -0700
Message-Id: <199608280538.AA065290699@hpnmhjw.sr.hp.com>
Date: Tue, 27 Aug 1996 22:38:19 -0700
From: Darryl Okahata <darrylo@hpnmhjw.sr.hp.com>
Reply-To: darrylo@sr.hp.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: ncrcontrol -i queries don't work for mere users
X-Send-Pr-Version: 3.2

>Number:         1548
>Category:       bin
>Synopsis:       ncrcontrol -i queries don't work for mere users
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 27 22:40:04 PDT 1996
>Closed-Date:    Mon Feb 24 22:29:45 PST 1997
>Last-Modified:  Mon Feb 24 22:30:22 PST 1997
>Originator:     Darryl Okahata
>Release:        FreeBSD 2.2-960801-SNAP i386
>Organization:
Home
>Environment:

	FreeBSD 2.2-960801-SNAP with an NCR-815-based SCSI controller.

>Description:

	Even though ncrcontrol is setgid kmem, read-only queries such as
	"ncrcontrol -i" do not work for mere users.  You must be root or
	some login whose real group id is "kmem".

	This occurs because of code that is supposed to prevent the bad
	guys from doing arbitrary reads of kernel memory.  This code is
	supposed to run only when a kernel image other than the running
	kernel is used; however, a bug causes the code to run *always*,
	which prevents legitimate reads of kernel memory by mere users.
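	The ordering bug is easy to see in isolation.  The following is an
	added example, not code from this PR or from ncrcontrol.c: it models
	the privilege-drop test with the default applied before the test (the
	pre-patch order) and after it (the patched order), and adds the
	return-value check on setgid() that a privilege drop should carry.
	RUNNING_KERNEL, the function names and the sample paths are
	constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed stand-in for getbootfile(): path of the running kernel. */
#define RUNNING_KERNEL "/kernel"

/*
 * Pre-patch ordering: vmunix is defaulted to the running kernel *before*
 * the privilege-drop test, so "vmunix != NULL" can never be false and the
 * setgid privileges are discarded even for a query against the live kernel.
 * Returns true when privileges would be dropped.
 */
bool drops_privs_before_fix(const char *vmunix, const char *kmemf)
{
    if (vmunix == NULL)
        vmunix = RUNNING_KERNEL;            /* default applied too early */
    return vmunix != NULL || kmemf != NULL; /* always true */
}

/*
 * Patched ordering: test the caller-supplied values first, then apply the
 * default.  Privileges are dropped only when a kernel file or memory file
 * other than the running system was named.
 */
bool drops_privs_after_fix(const char *vmunix, const char *kmemf)
{
    bool drop = (vmunix != NULL || kmemf != NULL);
    if (vmunix == NULL)
        vmunix = RUNNING_KERNEL;            /* default applied after the test */
    (void)vmunix;
    return drop;
}

/*
 * Privilege drop with the check the patch leaves out: if setgid() fails the
 * process would keep group kmem while opening a caller-supplied file.
 * Returns 0 on success, -1 when privileges could not be dropped.
 */
int drop_kmem_group(void)
{
    gid_t rgid = getgid();

    if (setgid(rgid) != 0) {
        perror("setgid");
        return -1;
    }
    /* Verify rather than trust: the effective gid must now be the real gid. */
    if (getegid() != rgid)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed inputs: NULL,NULL corresponds to "ncrcontrol -i" on the
     * running kernel; the crash-dump paths are made up for the example. */
    printf("before fix, running kernel:  drop=%d\n",
           drops_privs_before_fix(NULL, NULL));
    printf("after fix,  running kernel:  drop=%d\n",
           drops_privs_after_fix(NULL, NULL));
    printf("after fix,  crash-dump kernel: drop=%d\n",
           drops_privs_after_fix("/var/crash/kernel.0", "/var/crash/vmcore.0"));
    return drop_kmem_group() == 0 ? 0 : 1;
}
```

	The first call prints drop=1 although no file was named, which is the
	bug reported above; the patched ordering prints drop=0 for the running
	kernel and drop=1 only when another kernel or memory file is given.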

>How-To-Repeat:

	On a system with an NCR-based SCSI controller, run the following
	as a mere user (non-root, non-kmem-group):

		ncrcontrol -i

>Fix:
	
	Apply the following patch.

*** ncrcontrol.c.orig	Tue Aug 27 22:13:37 1996
--- ncrcontrol.c	Tue Aug 27 22:14:51 1996
***************
*** 181,186 ****
--- 181,195 ----
  
  	if (kvm_isopen) return;
  
+ #if defined(__NetBSD__) || (__FreeBSD__ >= 2)
+ 	/*
+ 	 * Discard setgid privileges if not the running kernel so that bad
+ 	 * guys can't print interesting stuff from kernel memory.
+ 	 */
+ 	if (vmunix != NULL || kmemf != NULL)
+ 		setgid(getgid());
+ #endif
+ 
  #if (__FreeBSD__ >= 2)
  	if (!vmunix) {
  		vmunix = getbootfile();
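Review bot: the return value of setgid(getgid()) in the added block is ignored; if the call fails, the process keeps group kmem while it goes on to open a caller-supplied kernel or memory file. Suggest failing closed, e.g. `if (setgid(getgid()) != 0) err(1, "setgid");`. Moving the test above the `if (!vmunix) vmunix = getbootfile();` default is the right fix for the always-true condition described in the report.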
***************
*** 190,203 ****
  		vmunix = _PATH_UNIX;
  	}
  #endif
- #if defined(__NetBSD__) || (__FreeBSD__ >= 2)
- 	/*
- 	 * Discard setgid privileges if not the running kernel so that bad
- 	 * guys can't print interesting stuff from kernel memory.
- 	 */
- 	if (vmunix != NULL || kmemf != NULL)
- 		setgid(getgid());
  
  	kvm = kvm_openfiles(vmunix, kmemf, NULL, flags, errbuf);
  	if (kvm == NULL) {
  		fprintf(stderr, "%s: kvm_openfiles: %s\n", prog, errbuf);
--- 199,206 ----
  		vmunix = _PATH_UNIX;
  	}
  #endif
  
+ #if defined(__NetBSD__) || (__FreeBSD__ >= 2)
  	kvm = kvm_openfiles(vmunix, kmemf, NULL, flags, errbuf);
  	if (kvm == NULL) {
  		fprintf(stderr, "%s: kvm_openfiles: %s\n", prog, errbuf);
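Review bot: the re-added `#if defined(__NetBSD__) || (__FreeBSD__ >= 2)` line now opens the block immediately before `kvm = kvm_openfiles(...)`, and its matching `#endif` lies outside this hunk (the one that closed the removed block). Confirm that the directive still pairs after the move and that any `#else` branch for older systems is unaffected; a comment on the new `#if` saying it guards the kvm_openfiles() path would also help the next reader, since the explanatory comment was removed along with the setgid block.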
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: mpp 
State-Changed-When: Mon Feb 24 22:29:45 PST 1997 
State-Changed-Why:  
Fixed in revs 1.11 & 1.12 of ncrcontrol.c. 
>Unformatted:
