From gardner@gromit.dhs.org Tue Aug 24 15:48:32 1999
Return-Path: <gardner@gromit.dhs.org>
Received: from gromit.dhs.org (cr1004936-b.slnt1.on.wave.home.com [24.112.85.94])
	by hub.freebsd.org (Postfix) with ESMTP id 3DA1815893
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 24 Aug 1999 15:48:26 -0700 (PDT)
	(envelope-from gardner@gromit.dhs.org)
Received: (from gardner@localhost)
	by gromit.dhs.org (8.9.2/8.9.2) id SAA83944;
	Tue, 24 Aug 1999 18:48:10 -0400 (EDT)
	(envelope-from gardner)
Message-Id: <199908242248.SAA83944@gromit.dhs.org>
Date: Tue, 24 Aug 1999 18:48:10 -0400 (EDT)
From: Gardner <gardner@gromit.dhs.org>
Reply-To: gbuchana@home.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: Read permission to /dev/io does not grant IO to non-root processes
X-Send-Pr-Version: 3.2

>Number:         13359
>Category:       kern
>Synopsis:       Read permission to /dev/io does not grant IO to non-root processes
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 24 15:50:00 PDT 1999
>Closed-Date:    Sun Aug 12 14:11:11 PDT 2001
>Last-Modified:  Sun Aug 12 14:14:07 PDT 2001
>Originator:     Gardner Buchanan
>Release:        FreeBSD 3.1-RELEASE i386
>Organization:
>Environment:

3.2-RELEASE

>Description:

The manual page io(4) indicates that the entire access control to
port IO permission is handled by the file access permissions of
/dev/io.  This is incorrect, as the code seems also to care about
the actual process credentials.  Granting read permission to /dev/io
does not effectively grant IO priviledges to non-root processes.

>How-To-Repeat:

Running 3.2-RELEASE I encountered this, that I thought was weird:

gardner@bongo=> id
uid=300(gardner) gid=20(staff) groups=20(staff), 0(wheel)

gardner@bongo=> ls -l /dev/io
crw-rw----  1 root  wheel    2,  14 Jul 11 14:05 /dev/io

gardner@bongo=> cat /dev/io
cat: /dev/io: Operation not permitted

su-2.02# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys),
4(tty), 5(operator), 20(staff), 31(guest)

su-2.02# cat /dev/io
cat: /dev/io: Device not configured

"Device not configured" is the expected result.

The manual page io(4) still tells me:

     The entire access control is handled by the file access
     permissions of /dev/io, so care should be taken in granting
     rights for this device.  Note that even read/only access will
     grant the full I/O privileges.

Which isn't true.  In fact the code in mem.c is checking my process
credentials as well:

          case 14:
                error = suser(p->p_ucred, &p->p_acflag);
                if (error != 0)
                        return (error);
                if (securelevel > 0)
                        return (EPERM);
                curproc->p_md.md_regs->tf_eflags |= PSL_IOPL;

(I also think that reading /dev/io should give me EOF, not ENXIO)

>Fix:
	
Correct io(4) or remove the suser() check in mem.c

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: iedowse 
State-Changed-When: Sun Aug 12 14:11:11 PDT 2001 
State-Changed-Why:  

Fixed in -current by updating io(4) to match reality. I'll MFC 
to -stable after 4.4-RELEASE. Thanks for the PR! 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=13359 
>Unformatted:
