For processes which are set-user-ID or set-group-ID, the kernel performs a few
special actions for safety.  One of these is to make sure that file descriptors
0..2 are in use, by opening /dev/null for those that are not already open.
Another is to close any file descriptors 0..2 that reference procfs.  However,
these checks were made out of order, so that it was still possible for a
set-user-ID or set-group-ID process to be started with some of the file
descriptors 0..2 unused.

Submitted by:	Georgi Guninski <guninski@guninski.com>
This commit is contained in:
Jacques Vidrine 2002-07-30 15:38:29 +00:00
parent 9ea8ab8314
commit 89ab930718
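
The commit message describes two passes, a "close descriptors 0..2 that reference procfs" pass and a "fill unused descriptors 0..2 with /dev/null" pass, and the bug is purely their order. The following userland analogue is an added example, not FreeBSD's kernel code: it implements both passes over an arbitrary descriptor list and a switch for either order, so the hole left by the pre-commit order can be observed directly. Function names (close_procfs_fds, fill_unused_fds, sanitize_fds, demo_hole) are hypothetical, and the procfs check assumes Linux, where fstatfs() reports f_type == PROC_SUPER_MAGIC; on FreeBSD one would compare f_fstypename from <sys/mount.h> instead.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/vfs.h>   /* Linux fstatfs(); assumption, FreeBSD differs */
#include <unistd.h>

#ifndef PROC_SUPER_MAGIC
#define PROC_SUPER_MAGIC 0x9fa0 /* Linux procfs magic (<linux/magic.h>) */
#endif

/* 1 if fd is open, 0 if the number is unused (EBADF), -1 on other errors. */
int fd_is_open(int fd)
{
    if (fcntl(fd, F_GETFD) != -1)
        return 1;
    return errno == EBADF ? 0 : -1;
}

/* 1 if fd is open and backed by procfs, 0 otherwise (including unused). */
int fd_refs_procfs(int fd)
{
    struct statfs sfs;
    if (fstatfs(fd, &sfs) != 0)
        return 0;
    return sfs.f_type == PROC_SUPER_MAGIC;
}

/* Analogue of setugidsafety(): close listed fds that reference procfs.
 * Returns how many were closed. */
int close_procfs_fds(const int *fds, size_t n)
{
    int closed = 0;
    for (size_t i = 0; i < n; i++)
        if (fd_refs_procfs(fds[i]) && close(fds[i]) == 0)
            closed++;
    return closed;
}

/* Analogue of fdcheckstd(): point every unused listed fd at /dev/null.
 * dup2() is used rather than trusting open() to hand back the lowest free
 * number, so this works for any list, not only 0..2.  Returns the number
 * filled, or -1 on error. */
int fill_unused_fds(const int *fds, size_t n)
{
    int filled = 0;
    for (size_t i = 0; i < n; i++) {
        int st = fd_is_open(fds[i]);
        if (st < 0)
            return -1;
        if (st == 1)
            continue;
        int nul = open("/dev/null", O_RDWR);
        if (nul < 0)
            return -1;
        if (nul != fds[i] && (dup2(nul, fds[i]) < 0 || close(nul) < 0))
            return -1;
        filled++;
    }
    return filled;
}

/* Number of listed fds still unused: the gap this commit closes. */
int count_unused_fds(const int *fds, size_t n)
{
    int unused = 0;
    for (size_t i = 0; i < n; i++)
        if (fd_is_open(fds[i]) == 0)
            unused++;
    return unused;
}

/* close_first == 1: post-commit order (close procfs fds, then fill).
 * close_first == 0: pre-commit order (fill, then close), which can leave a
 * procfs-backed slot unused after the "safety" pass has already run. */
int sanitize_fds(const int *fds, size_t n, int close_first)
{
    if (close_first) {
        close_procfs_fds(fds, n);
        return fill_unused_fds(fds, n);
    }
    int r = fill_unused_fds(fds, n);
    close_procfs_fds(fds, n);
    return r;
}

/* Constructed scenario: fd `base` is a procfs file, base+1 and base+2 are
 * unused.  Returns how many of the three are still unused after sanitizing
 * in the requested order, or -1 if /proc is not available here. */
int demo_hole(int base, int close_first)
{
    int fds[3] = { base, base + 1, base + 2 };
    int p = open("/proc/self/status", O_RDONLY);
    if (p < 0)
        return -1;
    for (int i = 0; i < 3; i++)
        close(fds[i]);            /* start from a known-unused state */
    if (dup2(p, base) < 0 || close(p) < 0)
        return -1;
    if (sanitize_fds(fds, 3, close_first) < 0)
        return -1;
    int unused = count_unused_fds(fds, 3);
    for (int i = 0; i < 3; i++)
        close(fds[i]);            /* tidy up */
    return unused;
}

int main(void)
{
    int std[3] = { 0, 1, 2 };
    printf("pre-commit order leaves %d unused fd(s)\n", demo_hole(30, 0));
    printf("post-commit order leaves %d unused fd(s)\n", demo_hole(30, 1));
    /* What a set-id program does for itself before trusting its stdio. */
    return sanitize_fds(std, 3, 1) < 0 ? 1 : 0;
}
```

With the pre-commit order the fill pass sees the procfs descriptor as "in use" and skips it, and the close pass then empties that slot; the next open() in the set-id program lands on it. Running the close pass first lets the fill pass refill the slot, which is exactly what moving setugidsafety() ahead of fdcheckstd() achieves.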


@ -403,6 +403,8 @@ execve(td, uap)
mtx_unlock(&ktrace_mtx);
}
#endif
/* Close any file descriptors 0..2 that reference procfs */
setugidsafety(td);
/* Make sure file descriptors 0..2 are in use. */
error = fdcheckstd(td);
if (error != 0)
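Review bot: setugidsafety(td) now runs before the credential switch (change_euid()/change_egid() come later in this function, in the second hunk), so it has to recognise a set-id exec from state already established by this point rather than from the new credentials; neither the comment nor the commit message says what it keys off, and a sentence here would save the next reader a trip through kern_descrip.c. Since the whole fix is the ordering, make it explicit in the comment as well, e.g. `/* Close any file descriptors 0..2 that reference procfs.  Must precede fdcheckstd() so the freed slots are refilled with /dev/null. */`.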
@ -415,7 +417,6 @@ execve(td, uap)
change_euid(newcred, euip);
if (attr.va_mode & VSGID)
change_egid(newcred, attr.va_gid);
setugidsafety(td);
/*
* Implement correct POSIX saved-id behavior.
*/
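Review bot: with the setugidsafety(td) call dropped here, nothing touches descriptors 0..2 after the credentials are changed, and a reader of this region will not see why. Leave a one-line comment at the removal site noting that the procfs cleanup and the fdcheckstd() fill-in are done earlier, in that order, so that a later change does not reinstate the call after change_egid() and reopen the gap this commit closes.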