From nobody  Thu May  8 08:12:44 1997
Received: (from nobody@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id IAA02039;
          Thu, 8 May 1997 08:12:44 -0700 (PDT)
Message-Id: <199705081512.IAA02039@hub.freebsd.org>
Date: Thu, 8 May 1997 08:12:44 -0700 (PDT)
From: mfuhr@dimensional.com
To: freebsd-gnats-submit@freebsd.org
Subject: ktrace works even if no read permission
X-Send-Pr-Version: www-1.0

>Number:         3546
>Category:       kern
>Synopsis:       ktrace works even if no read permission
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May  8 08:20:01 PDT 1997
>Closed-Date:    Mon Jul 26 01:30:39 PDT 1999
>Last-Modified:  Mon Jul 26 01:33:18 PDT 1999
>Originator:     Michael Fuhr
>Release:        2.2-STABLE
>Organization:
Unspecified
>Environment:
FreeBSD winnie.pooh.org 2.2-STABLE FreeBSD 2.2-STABLE #0:
Wed May  7 19:19:10 MDT 1997
root@winnie.pooh.org:/usr/src/sys/compile/WINNIE-CDROM  i386
>Description:
Process tracing (options KTRACE) works on executables that
have no read permission (--x--x--x), even for group or others.
Read permission is usually turned off to keep users from knowing
some information about how the program works or what files it
accesses.

Granted that security by obscurity isn't a good policy, but some
people prefer to use it anyway, just to make the cracker's job
a little harder.
>How-To-Repeat:
1.  Write a "hello, world" program in C and compile it.
2.  Put the program in a world-accessible directory.
3.  chmod 111 program
4.  Run "ktrace program" as a different user.
5.  Run "kdump" as the different user.

>Fix:
Haven't investigated thoroughly.  Probably an additional check
in kern/kern_trace.c, function ktrcanset().
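A user-space model of the rule this PR asks for, added here as an illustration and not code from the PR or from the FreeBSD kernel: the classic owner/group/other permission check, followed by an exec-time rule that lets a traced process exec an image only when it could also read it. All names (model_cred, model_inode, model_access, model_exec_check, model_case) are this example's own; in the kernel the corresponding check is VOP_ACCESS() on the vnode being exec'ed. It goes beyond the PR's single --x--x--x case by also covering owner, group and root credentials.

```c
/*
 * Added example, not code from this PR or from the FreeBSD kernel: a
 * user-space model of the Unix owner/group/other access check and of the
 * exec-time rule discussed in the PR, "a traced process may exec an image
 * only if it could also read it".  All identifiers are this example's own.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

#define MODEL_NGROUPS 8

struct model_cred {
    uid_t uid;                    /* effective uid of the process */
    gid_t gid;                    /* effective gid */
    gid_t groups[MODEL_NGROUPS];  /* supplementary groups */
    int   ngroups;
    bool  traced;                 /* stands in for p->p_traceflag & KTRFAC_MASK */
};

struct model_inode {
    uid_t  uid;   /* file owner */
    gid_t  gid;   /* file group */
    mode_t mode;  /* permission bits, e.g. 0111 for --x--x--x */
};

/* Requested permissions, in the spirit of the kernel's VREAD/VWRITE/VEXEC. */
enum { MODEL_READ = 4, MODEL_WRITE = 2, MODEL_EXEC = 1 };

static bool model_in_group(const struct model_cred *c, gid_t g)
{
    int i;

    if (c->gid == g)
        return true;
    for (i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return true;
    return false;
}

/*
 * Discretionary access check.  Exactly one permission class applies: owner
 * if the uid matches, otherwise group if any gid matches, otherwise other.
 * Root gets read and write unconditionally, and exec if any exec bit is set.
 * Returns 0 when every requested permission is granted, else EACCES.
 */
int model_access(const struct model_inode *ip, const struct model_cred *c, int want)
{
    int bits;

    if (c->uid == 0) {
        if ((want & MODEL_EXEC) &&
            (ip->mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)
            return EACCES;
        return 0;
    }
    if (c->uid == ip->uid)
        bits = (ip->mode & S_IRWXU) >> 6;
    else if (model_in_group(c, ip->gid))
        bits = (ip->mode & S_IRWXG) >> 3;
    else
        bits = ip->mode & S_IRWXO;
    return ((bits & want) == want) ? 0 : EACCES;
}

/*
 * Exec-time rule: execute permission is required as always, and a process
 * whose system calls are being traced additionally needs read permission,
 * since the trace would otherwise reveal what a non-readable image does.
 */
int model_exec_check(const struct model_inode *ip, const struct model_cred *c)
{
    int error = model_access(ip, c, MODEL_EXEC);

    if (error != 0)
        return error;
    if (c->traced)
        return model_access(ip, c, MODEL_READ);
    return 0;
}

/* One scenario with no supplementary groups; returns 0 or EACCES. */
int model_case(mode_t mode, uid_t owner, gid_t group,
               uid_t uid, gid_t gid, bool traced)
{
    struct model_inode ip = { owner, group, mode };
    struct model_cred c = { uid, gid, {0}, 0, traced };

    return model_exec_check(&ip, &c);
}

int main(void)
{
    /* Constructed scenario from the PR: a.out owned by uid 1000, mode 0111,
     * run by an unrelated user (uid 1001), untraced and then under ktrace. */
    printf("plain exec of --x--x--x:   %s\n",
           model_case(0111, 1000, 1000, 1001, 1001, false) == 0 ? "ok" : "EACCES");
    printf("traced exec of --x--x--x:  %s\n",
           model_case(0111, 1000, 1000, 1001, 1001, true) == 0 ? "ok" : "EACCES");
    printf("traced exec of -r-xr-xr-x: %s\n",
           model_case(0555, 1000, 1000, 1001, 1001, true) == 0 ? "ok" : "EACCES");
    return 0;
}
```

The model mirrors the session in the audit trail: a plain exec of a --x--x--x file succeeds, the same exec under tracing fails with EACCES, and restoring read permission makes the traced exec succeed again. The owner and root cases show that the rule is per-credential, not per-file.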
>Release-Note:
>Audit-Trail:

From: <jkoshy@FreeBSD.org>
To: freebsd-gnats-submit@freebsd.org, mfuhr@dimensional.com
Cc: phk@FreeBSD.org, bde@FreeBSD.org
Subject: Re: kern/3546: ktrace works even if no read permission
Date: Tue, 20 Jul 1999 00:36:08 -0700 (PDT)

 The patch to disallow `ktrace' on executables w/o read perms
 turns out to be simple, and has no effect when tracing is not
 enabled.  Here is an excerpt from a session with the new
 functionality:
 
     (nemesis) $ ./a.out
     hello world
 
     (nemesis) $ ll a.out
     343 -r-xr-xr-x  1 jkoshy  wheel  3308 Jul 20 12:18 a.out
 
     (nemesis) $ ktrace ./a.out
     hello world
 
     (nemesis) $ chmod a-r ./a.out
 
     (nemesis) $ ./a.out
     hello world
 
     (nemesis) $ ktrace ./a.out
     ktrace: exec of './a.out' failed: Permission denied
 
     (nemesis) $ rm ktrace.out
 
     (nemesis) $ su test -c "ktrace ./a.out"
     Password:
     ktrace: exec of './a.out' failed: Permission denied
 
     (nemesis) $ chmod a+r ./a.out
     (nemesis) $ su test -c "rm ktrace.out"
     Password:
 
     (nemesis) $ su test -c "ktrace ./a.out"
     Password:
     hello world
 
 If the patch enclosed passes review, I'd be happy to commit it and make
 the relevant changes to the manual pages.
 
 Regards,
 Koshy
 <jkoshy@freebsd.org>
 
 Index: kern_exec.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/kern/kern_exec.c,v
 retrieving revision 1.99
 diff -u -r1.99 kern_exec.c
 --- kern_exec.c	1999/04/27 11:15:55	1.99
 +++ kern_exec.c	1999/07/20 12:49:53
 @@ -26,6 +26,8 @@
   *	$Id: kern_exec.c,v 1.99 1999/04/27 11:15:55 phk Exp $
   */
  
 +#include "opt_ktrace.h"
 +
  #include <sys/param.h>
  #include <sys/systm.h>
  #include <sys/sysproto.h>
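Review bot: confirm that opt_ktrace.h is generated for every kernel configuration, including ones without `options KTRACE`; the `+#include "opt_ktrace.h"` line is unconditional, so every build now depends on config(8) producing that header, empty or not. Its position ahead of <sys/param.h> is right, since the KTRACE macro must be defined before the `#ifdef KTRACE` guards later in this file are evaluated.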
 @@ -48,6 +50,9 @@
  #include <sys/sysctl.h>
  #include <sys/vnode.h>
  #include <sys/buf.h>
 +#ifdef	KTRACE
 +#include <sys/ktrace.h>
 +#endif
  
  #include <vm/vm.h>
  #include <vm/vm_param.h>
 @@ -683,6 +688,18 @@
  	if (error)
  		return (error);
  
 +#ifdef	KTRACE
 +	/*
 +	 *  If the current process is being traced, we must have
 +	 *  read permissions to the image being exec'ed.
 +	 */
 +
 +	if ((p->p_traceflag & KTRFAC_MASK) &&
 +	    ((error = VOP_ACCESS(vp, VREAD, p->p_ucred, p)) != 0))
 +			return EACCES;
 +#endif
 +		
 +		
  	/*
  	 * Check number of open-for-writes on the file and deny execution
  	 * if there are any.
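Review bot: the new check covers only the exec path, so it enforces the PR's intent for `ktrace ./a.out` but not for a trace attached afterwards with `ktrace -p` to a process that has already exec'ed the unreadable image; that case is decided in ktrcanset(), the function the PR itself points at, so either add the read check there too or state the limitation in the ktrace(1) manual page change. Two smaller points on the same hunk: `error` receives the VOP_ACCESS() result and is then discarded for a bare `EACCES`, hiding distinct failures such as EIO, so follow the surrounding code and `return (error);`; and the `return` line is indented one tab too deep while the two whitespace-only lines added after `#endif` should be dropped.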
 

From: Tim Vanderhoek <vanderh@ecf.utoronto.ca>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/3546
Date: Sat, 24 Jul 1999 17:55:39 -0400

 On Sat, Jul 24, 1999 at 11:24:39AM -0600, Nate Williams wrote:
 > > 
 > > PR bin/3546 asks that `ktrace(1)' not be allowed on files that do not have
 > > read permissions for the user attempting to execute them.
 > > 
 > > The intent of this change is to prevent a user from seeing how an
 > > executable with '--x--x--x' perms works by ktrace'ing its execution.  
 > > 
 > > My question to the -hackers is: is this a useful semantic?  Would it break
 > > anything if added?
 > 
 > If we make kernel auditing based upon KTRACE (which may or may not
 > happen), this is not a useful change since we need to be able to 'audit'
 > system calls regardless of whether or not KTRACE is used.  If this kind
 > of addition is done, then it'll have to be removed since system auditing
 > must occur and be essentially 'independent' of what options are used.
 > 
 > If adding auditing has a negative effect on the successful completion of
 > a system call, then it's not going to be used.  (There are certain
 > things that can't be avoided, such as additional CPU/memory use, but it
 > should not affect whether or not the syscall is completed.)
 > 
 > Also, I believe that KTRACE should be allowed since security through
 > obscurity isn't a good reason to avoid letting the user see the
 > syscall.  If security is an issue, KTRACE shouldn't be in the system
 > kernel.
 > 
 > 
 > Nate
 > 
 > 
 
 -- 
 -- 
 This is my .signature which gets appended to the end of my messages.
 

From: <jkoshy@FreeBSD.org>
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: Re: kern/3546: ktrace works even if no read permission
Date: Mon, 26 Jul 1999 01:23:51 -0700 (PDT)

 Post discussion on -hackers, there is enough evidence to argue that the
 change does not add significantly to security:
 
 Summary of arguments against the change:
 
 *	[imp@freebsd.org] A libc wrapper which logs syscall entry points
 	(userland tracing) can bypass the check.
 
 *	[sef@freebsd.org] A core dump can still expose the program text.
 	`procfs' and `ptrace' can be used to examine the process contents.
 	Making security conscious programs setuid in the presence of
 	KTRACE is a better approach.
 
 I will close the PR shortly.
 
 Koshy
 <jkoshy@freebsd.org>
 
 
 
State-Changed-From-To: open->closed 
State-Changed-By: jkoshy 
State-Changed-When: Mon Jul 26 01:30:39 PDT 1999 
State-Changed-Why:  
The change has been vetoed on the grounds that the proposed 
fix does not add significantly to security.  Please see the  
PR audit-trail for a more detailed explanation.  Thanks for  
raising the PR though. 
>Unformatted:
