authorSergey Bugaev <bugaevc@gmail.com>2021-05-29 17:56:38 +0300
committerSamuel Thibault <samuel.thibault@ens-lyon.org>2022-08-10 22:15:20 +0200
commitffead1cbcaa1db5db525403043e27d618af8752b (patch)
tree1ec345c657e4d4b71e006f6eaef06b5bfc3b68a8
parent281396c87082d7d09a651c5f614cf3767dcc15e3 (diff)
libshouldbeinlibc: Do not reauthenticate proc port when secure
exec_reauth () is supposed to reauthenticate the given ports and file descriptors with a new authentication. If the secure flag is set, this reauthentication is happening for a future exec with the EXEC_SECURE flag. Now that the exec server uses proc_reauthenticate_reassign (), the process reauthentication is done atomically with task reassignment by the exec server. So stop doing it inside exec_reauth (). This fixes a vulnerability where a process was able to use its reauthenticated proc port before it got exec'ed over.
-rw-r--r--libfshelp/exec-reauth.c13
-rw-r--r--libshouldbeinlibc/exec-reauth.c2
2 files changed, 8 insertions, 7 deletions
diff --git a/libfshelp/exec-reauth.c b/libfshelp/exec-reauth.c
index d9a82974..9b6087c7 100644
--- a/libfshelp/exec-reauth.c
+++ b/libfshelp/exec-reauth.c
@@ -33,12 +33,13 @@ exec_reauth (auth_t auth, int secure, int must_reauth,
/* If SUID or SGID is true, adds UID and/or GID respectively to the
authentication in PORTS[INIT_PORT_AUTH], and replaces it with the result.
- All the other ports in PORTS and FDS are then reauthenticated, using any
- privileges available through AUTH. If GET_FILE_IDS is non-NULL, and the
- auth port in PORTS[INIT_PORT_AUTH] is bogus, it is called to get a list of
- uids and gids from the file to use as a replacement. If SECURE is
- non-NULL, whether not the added ids are new is returned in it. If either
- the uid or gid case fails, then the other may still be applied. */
+ All the other ports in PORTS and FDS (except for PORTS[INIT_PORT_EXEC], if
+ SECURE ends up being true) are then reauthenticated, using any privileges
+ available through AUTH. If GET_FILE_IDS is non-NULL, and the auth port in
+ PORTS[INIT_PORT_AUTH] is bogus, it is called to get a list of uids and gids
+ from the file to use as a replacement. If SECURE is non-NULL, whether not
+ the added ids are new is returned in it. If either the uid or gid case
+ fails, then the other may still be applied. */
error_t
fshelp_exec_reauth (int suid, uid_t uid, int sgid, gid_t gid,
auth_t auth,
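Review bot: The rewritten comment (the added lines beginning "All the other ports in PORTS and FDS") exempts PORTS[INIT_PORT_EXEC] when SECURE is true, but the code change in the second hunk (libshouldbeinlibc/exec-reauth.c) exempts PORTS[INIT_PORT_PROC], and the commit title also names the proc port. Unless exec_reauth () already skips the exec port in code not shown on this page, the comment documents the wrong port and should read `All the other ports in PORTS and FDS (except for PORTS[INIT_PORT_PROC], if SECURE ends up being true)`. If both ports are left alone under SECURE, naming both here would keep callers from assuming the proc port they get back has been reauthenticated. The body of fshelp_exec_reauth lies outside the hunk.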
diff --git a/libshouldbeinlibc/exec-reauth.c b/libshouldbeinlibc/exec-reauth.c
index 263b1408..cd217e02 100644
--- a/libshouldbeinlibc/exec-reauth.c
+++ b/libshouldbeinlibc/exec-reauth.c
@@ -93,7 +93,7 @@ exec_reauth (auth_t auth, int secure, int must_reauth,
else
err = reauth (&ports[INIT_PORT_CRDIR], 0);
}
- if (!err)
+ if (!err && !secure)
err = reauth (&ports[INIT_PORT_PROC], 1);
if (!err)
err = reauth (&ports[INIT_PORT_CWDIR], 0);