From: "Skyler Ferrante (RIT Student)" <sjf5462@rit.edu>
To: Alejandro Colomar <alx@kernel.org>
Cc: Thorsten Glaser <tg@mirbsd.de>, Rich Felker <dalias@libc.org>,
musl@lists.openwall.com, NRK <nrk@disroot.org>,
Guillem Jover <guillem@hadrons.org>,
libc-alpha@sourceware.org, libbsd@lists.freedesktop.org,
"Serge E. Hallyn" <serge@hallyn.com>,
Iker Pedrosa <ipedrosa@redhat.com>,
Christian Brauner <christian@brauner.io>
Subject: Re: [musl] Re: Tweaking the program name for <err.h> functions
Date: Mon, 11 Mar 2024 10:46:45 -0400 [thread overview]
Message-ID: <CAEOG19qSWnH6WVuTCVZLfTr1HhZnu_W86r7B-64CJrRvhyh_zQ@mail.gmail.com> (raw)
In-Reply-To: <Ze5UdYsZ6H9i6lMd@debian>
Hi,
"Consider that a setuid program accidentally opens a privileged file in fd 2."
It seems like this is the main thing shadow-utils (and other projects)
should be concerned about. Every setuid/setgid program should check
for fd 0,1,2 being open at the start of execution, and either abort or
open new fds to /dev/null to prevent file descriptor omission attacks.
Any defenses used to prevent exploitation when a setuid/setgid program
does not do this, seems unlikely to succeed.
All an attacker would need would be an attacker defined string going
to stdout/stderr. Argv[0] is useful for this, but it is not the only
option. Usernames/group names/etc. are chosen by attackers. Preventing
these from being printed might increase security a bit, but they would
make error messages worse. That's just my two cents.
Skyler
On Sun, Mar 10, 2024 at 8:46 PM Alejandro Colomar <alx@kernel.org> wrote:
>
> Hi Thorsten,
>
> On Mon, Mar 11, 2024 at 12:19:27AM +0000, Thorsten Glaser wrote:
> > Rich Felker dixit:
> >
> > >the string literal, because the string literal appears in modular
> > >library code that gets called from multiple utilities, then printing
> > >an error message (and even worse, exiting, if you do that too), rather
> > >than returning meaningful error information up to the caller for it to
> > >handle/display, is just really sloppy, low-quality programming.
> >
> > Libraries totally should not call exit and thus not err/errx,
> > and warn/warnx is… also questionable at best.
> >
> > But modularised code that builds a shared object and a few
> > binaries using it? Why not.
> >
> > The thing I don’t get is why changing __progname is desired,
> > but I guess everyone has use cases for something.
>
> setuid programs. Consider that a setuid program accidentally opens a
> privileged file in fd 2. Now what happens if a random user can trigger
> that accident, and write arbitrary text to a privileged file, just by
> calling that setuid program with execlp("su", "inject this stuff", ...)?
>
> Bad stuff.
>
> Have a lovely night!
> Alex
>
> >
> > bye,
> > //mirabilos
> > --
> > (gnutls can also be used, but if you are compiling lynx for your own use,
> > there is no reason to consider using that package)
> > -- Thomas E. Dickey on the Lynx mailing list, about OpenSSL
>
> --
> <https://www.alejandro-colomar.es/>
next prev parent reply other threads:[~2024-03-11 14:47 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-07 22:24 Tweaking the program name for <err.h> functions Alejandro Colomar
2024-03-08 0:30 ` Guillem Jover
2024-03-08 0:47 ` enh
2024-03-08 0:52 ` Alejandro Colomar
2024-03-09 15:02 ` [musl] " Rich Felker
2024-03-09 15:49 ` Alejandro Colomar
2024-03-09 18:35 ` Andreas Schwab
2024-03-09 18:46 ` Alejandro Colomar
2024-03-09 19:18 ` [musl] " Markus Wichmann
2024-03-09 19:25 ` Rich Felker
2024-03-09 21:44 ` Thorsten Glaser
2024-03-10 6:01 ` NRK
2024-03-10 13:17 ` Alejandro Colomar
2024-03-10 14:01 ` NRK
2024-03-10 19:39 ` Rich Felker
2024-03-10 22:25 ` Alejandro Colomar
2024-03-10 23:22 ` Thorsten Glaser
2024-03-10 23:44 ` Rich Felker
2024-03-11 0:19 ` Thorsten Glaser
2024-03-11 0:46 ` Alejandro Colomar
2024-03-11 14:46 ` Skyler Ferrante (RIT Student) [this message]
2024-03-11 15:09 ` Andreas Schwab
2024-03-11 15:30 ` Skyler Ferrante (RIT Student)
2024-03-11 18:23 ` Florian Weimer
2024-03-11 18:48 ` Skyler Ferrante (RIT Student)
2024-03-11 19:05 ` enh
2024-03-11 19:44 ` Rich Felker
2024-03-11 20:35 ` enh
2024-03-11 19:47 ` Rich Felker
2024-03-11 20:08 ` Skyler Ferrante (RIT Student)
2024-03-11 20:39 ` enh
2024-03-11 21:21 ` Laurent Bercot
2024-03-11 22:05 ` Thorsten Glaser
2024-03-12 0:18 ` Gabriel Ravier
2024-03-12 0:43 ` Rich Felker
2024-03-12 3:23 ` Gabriel Ravier
2024-03-12 14:44 ` Rich Felker
2024-03-12 13:54 ` Florian Weimer
2024-03-12 14:21 ` Zack Weinberg
2024-03-12 14:31 ` Florian Weimer
2024-03-12 14:42 ` Rich Felker
2024-03-12 19:25 ` Zack Weinberg
2024-03-12 21:19 ` Rich Felker
2024-03-13 8:28 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/libc/involved.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAEOG19qSWnH6WVuTCVZLfTr1HhZnu_W86r7B-64CJrRvhyh_zQ@mail.gmail.com \
--to=sjf5462@rit.edu \
--cc=alx@kernel.org \
--cc=christian@brauner.io \
--cc=dalias@libc.org \
--cc=guillem@hadrons.org \
--cc=ipedrosa@redhat.com \
--cc=libbsd@lists.freedesktop.org \
--cc=libc-alpha@sourceware.org \
--cc=musl@lists.openwall.com \
--cc=nrk@disroot.org \
--cc=serge@hallyn.com \
--cc=tg@mirbsd.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).