From _@shell.r4k.net  Wed May 22 12:24:06 2002
Return-Path: <_@shell.r4k.net>
Received: from r4k.net (r4k.net [212.26.197.210])
	by hub.freebsd.org (Postfix) with ESMTP id 5A2D937B407
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 22 May 2002 12:24:05 -0700 (PDT)
Received: from shell.r4k.net (localhost [127.0.0.1])
	by r4k.net (Postfix) with ESMTP id BC41F22EFE
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 22 May 2002 21:24:00 +0200 (CEST)
Received: (from _@localhost)
	by shell.r4k.net (8.12.2/8.12.2/Submit) id g4MJNwXr087495;
	Wed, 22 May 2002 21:23:58 +0200 (CEST)
Message-Id: <200205221923.g4MJNwXr087495@shell.r4k.net>
Date: Wed, 22 May 2002 21:23:58 +0200 (CEST)
From: Stephanie Wehner <_@r4k.net>
Reply-To: Stephanie Wehner <_@r4k.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [PATCH] getgpid and getsid work for processes outside the current jail
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         38429
>Category:       kern
>Synopsis:       [PATCH] getgpid and getsid work for processes outside the current jail
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 22 12:30:01 PDT 2002
>Closed-Date:    Sun May 28 07:53:51 GMT 2006
>Last-Modified:  Sun May 28 07:53:51 GMT 2006
>Originator:     Stephanie Wehner
>Release:        FreeBSD 4.6-RC i386
>Organization:
>Environment:
>Description:

It is possible to obtain the process group id and the session id
of processes running outside the current jail. This is due to the
fact that getsid and getpgid in sys/kern/kern_prot.c do not check
if the pid that is found is within the current jail.

It is also possible to check for the existence of a process with a
certain pid using inconsistencies in error messages. E.g. ps will simply
return nothing if queried for a certain pid. Kill, or ktrace for example,
will however give EPERM instead of ESRCH if the process exists but is
not within the current jail. This is not included in this patch,
as I wasn't sure how you want to handle this. I'll mail about it to
freebsd-security.

>How-To-Repeat:

Run this inside a jail with the pid of a process outside the jail.

/*
 * small prog to test for the existence of a given process id
 * outside the current jail, using both getsid and getpgid for
 * demonstration purposes.
 * - <_@r4k.net>
 */

#include <stdio.h>
#include <stdlib.h>     /* atoi, exit */
#include <unistd.h>     /* getsid, getpgid */

int main(int argc, char **argv) {

    pid_t pid, gpid, spid;

    if (argc < 2) {
        fprintf(stderr, "Usage: checkpid [pid]\n");
        exit(1);
    }

    pid = atoi(argv[1]);

    /* Without the fix both calls succeed from inside a jail for a pid
     * that lives outside it; with the fix they fail with ESRCH. */
    if ((spid = getsid(pid)) < 0) {
        perror("getsid");
        exit(1);
    }

    if ((gpid = getpgid(pid)) < 0) {
        perror("getpgid");
        exit(1);
    }

    printf("Session id is %d\n", (int)spid);
    printf("Process group is %d\n", (int)gpid);
    return 0;
}

>Fix:
Please note that this fix returns ESRCH when the process is not found
and not EPERM, as if the process did not exist at all.

*** sys/kern/kern_prot.c.old	Tue May 21 22:49:19 2002
--- sys/kern/kern_prot.c	Tue May 21 23:47:17 2002
***************
*** 137,142 ****
--- 137,150 ----
  
  	if ((pt = pfind(uap->pid)) == 0)
  		return ESRCH;
+ 
+         /*
+          * return ESRCH as if the process was non existant
+ 	 * if it is jailed off
+          */
+ 
+         if (!PRISON_CHECK(curproc, pt))
+                 return ESRCH;
  found:
  	p->p_retval[0] = pt->p_pgrp->pg_id;
  	return 0;
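Review bot: the added check names the calling process as curproc while the rest of the function addresses it as p (see `p->p_retval[0] = pt->p_pgrp->pg_id;` two lines below); passing `PRISON_CHECK(p, pt)` keeps the hunk on the function's own convention and removes the implicit assumption that curproc is the caller here. Style: the new lines are indented with spaces and one comment line (`+ 	 * if it is jailed off`) mixes in a tab, while the surrounding code uses tabs as style(9) expects; the two `+ ` blank lines carry trailing whitespace; and "non existant" should read "nonexistent". The placement itself is right: the check sits after pfind() and before the `found:` label, so the jump to `found:` from earlier in the function (which skips pfind()) also skips the jail check, and that is only acceptable if that path can refer to the caller's own process alone, which is worth stating in the comment.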
***************
*** 164,169 ****
--- 172,185 ----
  
  	if ((pt = pfind(uap->pid)) == 0)
  		return ESRCH;
+ 
+ 	/* 
+ 	 * return ESRCH as if the process was non existant
+ 	 * if it is jailed off
+ 	 */
+ 
+         if (!PRISON_CHECK(curproc, pt))
+         	return ESRCH;
  found:
  	p->p_retval[0] = pt->p_session->s_sid;
  	return 0;
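Review bot: this hunk is the same comment and check as the getpgid() hunk but formatted differently (the comment block is tab-indented here and space-indented there, and `+         	return ESRCH;` mixes nine spaces with a tab); since the two functions now need an identical jail check, either factor it into one static helper called from both, or at least make the two copies byte-for-byte the same so a later reader does not look for a difference that is not there. The same curproc-versus-p point applies: `p->p_retval[0] = pt->p_session->s_sid;` shows p is the caller, so `PRISON_CHECK(p, pt)` is the consistent spelling.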
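The cross-jail lookup described in the PR, and the choice to answer ESRCH rather than EPERM for a process the jail is not allowed to see, modelled in userland. This is an added example, not FreeBSD kernel code and not the submitter's program: the process table, the jail ids, and model_pfind(), model_prison_check(), model_getpgid() and model_getsid() are constructed stand-ins for pfind(), PRISON_CHECK() and the two system calls.

```c
/*
 * Userland model of the jail check this PR adds to getpgid()/getsid().
 * Added example, not FreeBSD kernel code: the process table, the prison
 * ids and model_pfind()/model_prison_check() are constructed stand-ins
 * for the kernel's pfind() and PRISON_CHECK().
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

struct model_proc {
	pid_t pid;
	pid_t pgid;
	pid_t sid;
	int   prison;	/* 0 = not jailed, otherwise a constructed jail id */
};

/* Constructed process table: two processes on the host, two inside jail 7. */
static const struct model_proc ptable[] = {
	{    1,    1,    1, 0 },
	{  500,  500,  500, 0 },
	{ 1200, 1200, 1200, 7 },
	{ 1201, 1200, 1200, 7 },
};

static const struct model_proc *
model_pfind(pid_t pid)
{
	size_t i;

	for (i = 0; i < sizeof(ptable) / sizeof(ptable[0]); i++)
		if (ptable[i].pid == pid)
			return &ptable[i];
	return NULL;
}

/*
 * Stand-in for PRISON_CHECK(caller, target): an unjailed caller may see
 * every process, a jailed caller only processes in its own prison.
 */
static int
model_prison_check(const struct model_proc *caller,
    const struct model_proc *target)
{
	return caller->prison == 0 || caller->prison == target->prison;
}

/*
 * Core of both modelled syscalls. Returns the requested id, or -ESRCH.
 * With patched == 0 it behaves like the unpatched kernel (any existing
 * pid answers); with patched == 1 a pid outside the caller's jail is
 * reported exactly like a pid that does not exist, so the reply carries
 * no information about processes the jail should not see.
 */
static long
model_lookup(pid_t caller_pid, pid_t pid, int patched, int want_sid)
{
	const struct model_proc *caller = model_pfind(caller_pid);
	const struct model_proc *pt = caller;

	if (caller == NULL)
		return -ESRCH;
	if (pid == 0)		/* pid 0 means the caller itself */
		goto found;
	if ((pt = model_pfind(pid)) == NULL)
		return -ESRCH;
	if (patched && !model_prison_check(caller, pt))
		return -ESRCH;	/* not EPERM: no existence oracle */
found:
	return want_sid ? pt->sid : pt->pgid;
}

long
model_getpgid(pid_t caller_pid, pid_t pid, int patched)
{
	return model_lookup(caller_pid, pid, patched, 0);
}

long
model_getsid(pid_t caller_pid, pid_t pid, int patched)
{
	return model_lookup(caller_pid, pid, patched, 1);
}

int
main(void)
{
	/* Jailed pid 1200 asks about host pid 500, before and after the fix. */
	printf("unpatched: getpgid(500) from jail -> %ld\n",
	    model_getpgid(1200, 500, 0));
	printf("patched:   getpgid(500) from jail -> %ld (-ESRCH is %d)\n",
	    model_getpgid(1200, 500, 1), -ESRCH);
	printf("patched:   getpgid(999) from jail -> %ld (same answer)\n",
	    model_getpgid(1200, 999, 1));
	return 0;
}
```

The point the model makes checkable: from inside jail 7, asking about host pid 500 and about a pid that does not exist at all returns the same -ESRCH once the check is in place, while lookups within the jail, lookups from the unjailed host, and the pid 0 self-lookup keep working.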

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: matteo 
State-Changed-When: Sun May 28 07:53:19 UTC 2006 
State-Changed-Why:  
This seems to have been fixed.  

http://www.freebsd.org/cgi/query-pr.cgi?pr=38429 
>Unformatted:
also, existence of a process with a certain pid can be verified
>System: FreeBSD beyond.r4k.net 4.6-RC FreeBSD 4.6-RC #5: Wed May 22 11:02:24 CEST 2002 atrak@beyond.r4k.net:/usr/src/sys/compile/BEYOND i386

fbsd RC6 as of monday 20/05/02

