From 89ab930718c4ea4965014b01ae4d68a350ec1412 Mon Sep 17 00:00:00 2001
From: Jacques Vidrine
Date: Tue, 30 Jul 2002 15:38:29 +0000
Subject: [PATCH] For processes which are set-user-ID or set-group-ID, the kernel performs a few special actions for safety. One of these is to make sure that file descriptors 0..2 are in use, by opening /dev/null for those that are not already open. Another is to close any file descriptors 0..2 that reference procfs. However, these checks were made out of order, so that it was still possible for a set-user-ID or set-group-ID process to be started with some of the file descriptors 0..2 unused.

Submitted by: Georgi Guninski
---
 sys/kern/kern_exec.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index df6bf3af8da..14f5badfb11 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -403,6 +403,8 @@ interpret:
 mtx_unlock(&ktrace_mtx);
 }
 #endif
+ /* Close any file descriptors 0..2 that reference procfs */
+ setugidsafety(td);
 /* Make sure file descriptors 0..2 are in use. */
 error = fdcheckstd(td);
 if (error != 0)
@@ -415,7 +417,6 @@ interpret:
 change_euid(newcred, euip);
 if (attr.va_mode & VSGID)
 change_egid(newcred, attr.va_gid);
- setugidsafety(td);
 /*
 * Implement correct POSIX saved-id behavior.
 */
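Review bot: The comment added above `setugidsafety(td)` in the first hunk says what the call does but not why it must now precede `fdcheckstd(td)`, and since the bug being fixed was exactly these two calls running in the wrong order, nothing in the code stops a later edit from swapping them back. I would make the dependency explicit at the call site: `/* Close any file descriptors 0..2 that reference procfs. This must run before fdcheckstd() so the slots it frees are refilled with /dev/null instead of being left unused for the set-id image to inherit. */`. The enclosing block (presumably the branch taken only when credentials change) and the body of the `if (error != 0)` both lie outside the hunk, so I could not confirm from here that a failed `fdcheckstd()` aborts the exec rather than continuing with descriptors still unused. Note also that, per the new comment and the commit message, this pair only covers descriptors 0..2 and only the procfs case; any other descriptor class judged unsafe to hand to a set-id process would need to be handled inside `setugidsafety()` itself so the same ordering guarantee applies.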