
List:       trustedbsd-audit
Subject:    Re: execve of SUID programs
From:       Stacey Son <sson () FreeBSD ! org>
Date:       2008-10-30 17:32:30
Message-ID: 4909EFAE.2070309 () freebsd ! org

On 10/30/08 12:13 PM, Robert Watson wrote:
> On Wed, 22 Oct 2008, Todd Heberlein wrote:
>
>> Below is an email I sent to Apple's Darwin mailing list. I thought I 
>> would send it here in case this is actually a correct behavior as 
>> specified by BSM. Any thoughts would be helpful.
>
> I would definitely consider this undesirable behavior for all the 
> obvious reasons :-).  The FreeBSD implementation does not do this, as 
> far as I know.
This is a very interesting bug since I believe it also was in the 
original Panther version of the audit code.  If I had the time I would 
be tempted to pull out my old Panther install CD to verify.

For setuid processes the kernel attempts to ensure that stdin, stdout, 
and stderr are already allocated.  It does this by opening "/dev/null" 
for these.  (FYI, the whole idea for this seems to be based on the 
following old OpenBSD patch: 
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.3/common/fdalloc.patch)  
This overwrites the kernel audit record of the saved path of the 
program with "/dev/null".  The fix is to not let the saved path in the 
kernel audit record be overwritten.  I submitted a patch to fix this.

Thanks,

-stacey.
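As an added example (not from this thread and not FreeBSD or Darwin code), the following checks audit trail text for the symptom described above: a setuid execve record whose path token reads "/dev/null" while the exec arg still names the real program. It assumes praudit's default one-token-per-line, comma-separated output and the usual token field order; the sample records are constructed.

```python
# Constructed sample in praudit-style text (one token per line, comma-separated
# fields, a record runs from "header" to "trailer").  The second record shows
# the thread's symptom: a setuid exec whose saved path was replaced by /dev/null.
SAMPLE = """\
header,133,11,execve(2),0,Thu Oct 30 17:32:30 2008, + 120 msec
exec arg,ls,-l
path,/bin/ls
attribute,100555,root,wheel,1234,56,0
subject,alice,alice,alice,alice,alice,501,501,0,0.0.0.0
return,success,0
trailer,133
header,140,11,execve(2),0,Thu Oct 30 17:32:31 2008, + 300 msec
exec arg,su
path,/dev/null
attribute,104555,root,wheel,1234,78,0
subject,alice,root,wheel,alice,alice,502,502,0,0.0.0.0
return,success,0
trailer,140
"""

def parse_records(text):
    """Split praudit text into records, each a dict of token name -> field list."""
    records, current = [], None
    for line in text.splitlines():
        token, _, rest = line.partition(",")
        if token == "header":
            current = {}
        if current is None or not token:
            continue
        current[token] = rest.split(",")
        if token == "trailer":
            records.append(current)
            current = None
    return records

def clobbered_setuid_execs(text):
    """Return argv[0] of setuid execve records whose path token is /dev/null."""
    hits = []
    for rec in parse_records(text):
        if not rec.get("header", [""] * 3)[2].startswith("execve"):
            continue
        # attribute token: mode (octal), uid, gid, fsid, nodeid, device
        is_setuid = int(rec.get("attribute", ["0"])[0], 8) & 0o4000
        path = rec.get("path", [""])[0]
        argv0 = rec.get("exec arg", [""])[0]
        # A setuid exec must carry a real program path; /dev/null here means
        # the record's saved path was overwritten by the stdio fixup.
        if is_setuid and path == "/dev/null" and argv0 != "/dev/null":
            hits.append(argv0)
    return hits
```

Records flagged this way cannot be used to attribute which setuid program ran, which is why the kernel-side fix matters more than any post-processing.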

