> The question came up whether execve of a suid binary while being ptraced
> would fail or ignore the suid part. The answer today seems to be the
> latter:
>
> E.g. (in 2.6.11) security/dummy.c:
>
> static void dummy_bprm_apply_creds (struct linux_binprm *bprm, int
> unsafe)
> {
> if (bprm->e_uid != current->uid || bprm->e_gid != current->gid) {
> if ((unsafe & ~LSM_UNSAFE_PTRACE_CAP) &&
> !capable(CAP_SETUID)) {
> bprm->e_uid = current->uid;
> bprm->e_gid = current->gid;
> }
> }
> }
>
> and fs/exec.c:
>
> void compute_creds(struct linux_binprm *bprm) {
> int unsafe;
>
> unsafe = unsafe_exec(current);
> security_bprm_apply_creds(bprm, unsafe);
> }
>
> static inline int unsafe_exec(struct task_struct *p) {
> int unsafe = 0;
> if (p->ptrace & PT_PTRACED) {
> if (p->ptrace & PT_PTRACE_CAP)
> unsafe |= LSM_UNSAFE_PTRACE_CAP;
> else
> unsafe |= LSM_UNSAFE_PTRACE;
> }
> return unsafe;
> }
>
> That is: if the process that calls execve() is being traced,
> the LSM_UNSAFE_PTRACE bit is et in unsafe and security_bprm_apply_creds()
> will make sure the suid/sgid bits are ignored.
>
> ---
>
> In my man page I do not read anything like that. It says
>
> EPERM The process is being traced, the user is not the superuser and
> the file has an SUID or SGID bit set.
> and
>
> If the current program is being ptraced, a SIGTRAP is sent to it after
> a successful execve().
>
> If the set-uid bit is set on the program file pointed to by filename
> the effective user ID of the calling process is changed to that of the
> owner of the program file.
>
> So, maybe this sentence should be amended to read
>
> If the set-uid bit is set on the program file pointed to by filename
> and the current process is not being ptraced, the effective user ID
> of the calling process is changed to ...
I changed your "current" to "calling" (to be consistent with the
rest of the page), but otherwise applied as you suggest.
The revision will appear in man-pages-2.03, which I can release
any time now. Are you avialable to do an upload tomorrow?
Added text on permissions required to send signal to owner.
====
Hello Johannes,
> Betreff: Inaccuracy of fcntl man page
> Datum: Mon, 2 May 2005 20:07:12 +0200
Thanks for yor note.
Sorry for the delay in getting back to you. I needed to find time
to set aside to look at the details. Now I've finally got there.
> I have attached a simple program
Thanks -- a little program is always helpful.
> that uses the fcntl system call in order
> to kill an arbitrary process of the same user.
> According to the fcntl man page, fcntl(fd,F_SETOWN,pid) returns zero if
> it has success.
Yes.
> If you strace the program while killing for exampe man running in another
> terminal, you will see that man is killed, but fcntl(fd,F_SETOWN,pid)
> will return EPERM,
I confirm that I see this problem in 2.4, with both Unix domain
and Internet domain sockets.
> where you can only find a very confusing explanation
> in the fcntl man page.
I'm not sure what explanation you mean here. As far as I can
tell, the manual page just doesn't cover this point.
> I have looked into the kernel source of 2.4.30 and found out, that
> net/core/socket::sock_no_fcntl is the culprit if you use fcntl on Unix
> sockets.
Yes, looks that way to me, as well, And the 2.2 code looks
similar.
> If pid is not your own pid or not your own process group,
> the system call will return EPERM but will also set the pid
> as you wanted to.
Yes.
> In the 2.6 kernel line, fcntl will react according the specification in
> the manual page.
Yes.
> If you also think, that one should clarify the return specification of
> fcntl(fd,F_SETOWN,pid) or 2.4.x kernels, please tell me and I will
> provide you with a patch for the manual page.
In fact I've written some new text under BUGS, which describes
the problem:
In Linux 2.4 and earlier, there is bug that can occur when an
unprivileged process uses F_SETOWN to specify the owner of a
socket file descriptor as a process (group) other than the
caller. In this case, fcntl() can return -1 with errno set to
EPERM, even when the owner process (group) is one that the
caller has permission to send signals to. Despite this error
return, the file descriptor owner is set, and signals will be
sent to the owner.
Does that seem okay to you?
> Furthermore, it would be interseting to write there, what permissions
> one need in order to send signals to processes via fcntl
Good idea. I added the following new text:
Sending a signal to the owner process (group) specified by
F_SETOWN is subject to the same permissions checks as are
described for kill(2), where the sending process is the one that
employs F_SETOWN (but see BUGS below).
====
#define _GNU_SOURCE /* needed to get the defines */
#include <fcntl.h> /* in glibc 2.2 this has the needed
values defined */
#include <signal.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
/**
* Funnykill kills a program with fcntl
**/
int
main (int argc, char **argv)
{
if (argc != 2)
{
fprintf (stderr, "Usage: funnykill <pid>\n");
return 1;
}
int sockets[2];
socketpair (AF_UNIX, SOCK_STREAM, 0, sockets);
if (fcntl (sockets[0], F_SETFL, O_ASYNC | O_NONBLOCK) == -1)
errMsg("fcntl-F_SETFL");
if (fcntl (sockets[0], F_SETOWN, atoi (argv[1])) == -1)
errMsg("fcntl-F_SETOWN");
// fcntl (sockets[0], F_SETOWN, getpid());
if (fcntl (sockets[0], F_SETSIG, SIGKILL) == -1)
errMsg("fcntl-_FSETSIG");
write (sockets[1], "good bye", 9);
}
.\" For Unix domain sockets and regular files, EPERM is only returned in
.\" Linux 2.2 and earlier; in Linux 2.4 and later, unprivileged can
.\" use mknod() to make these files.
Removed discussion of `[[:<:]]' and `[[:>:]]' since they do
not seem to be in the glibc implementation.
As per
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=295666
> The regex.7.gz mentions that [[:>:]] and [[:<:]] are available to designate word boundaries.
> However, neither grep nor sed, which are build on the standard libc regcomp do recognise this syntax.
> Moreover, the small program here
>
> #include <regex.h>
> #include <sys/types.h>
> #include <iostream>
>
> using namespace std;
>
> int main()
> {
> regex_t RE;
> int err_code = regcomp(&RE, "[[:<:]]",
> REG_EXTENDED);
> char Buffer[100];
> if(err_code) {
> regerror(err_code, &RE, Buffer, 100);
> cerr << "Error : " << Buffer << endl;
> }
> }
>
>
> produces the following error message:
>
> Error : Invalid character class name
> I've noticed that man pages
> console_ioctl.4
> console.4
> mouse.4
> tty.4
> vcs.4
> refer to ttys (4), which should in fact be ttyS (4).
Hello Pavel,
The man command on Linux is actually case insensitive with respect
to page names, so "man ttys" works! Nevertheless, I agree with
you, and I've changed the pages as you suggest.
From: Jamie Lokier <jamie@shareable.org>
To: mtk-manpages@gmx.net
Subject: Update to fcntl(2) man page
Hi Michael,
I have a correction to the fcntl(2) man page.
Under the section for F_SETOWN, which describes how to set the
recipient process or group for SIGIO signals, see this paragraph:
The process or process group to receive the signal can be
selected by using the F_SETOWN command to the fcntl function.
If the file descriptor is a socket, this also selects the recip-
ient of SIGURG signals that are delivered when out-of-band data
arrives on that socket. (SIGURG is sent in any situation where
select(2) would report the socket as having an "exceptional con-
dition".) If the file descriptor corresponds to a terminal
device, then SIGIO signals are sent to the foreground process
group of the terminal.
I would like to add an additional paragraph:
The value given to F_SETOWN has a slightly different meaning
when F_SETSIG is used in a multi-threaded process.
If a non-zero value is given to F_SETSIG, then a positive
value given to F_SETOWN identifies a specific thread within a
process, instead of a whole process. The value is a thread id
not a process id, so you may need to pass the result of
gettid() instead of getpid() to get sensible results when
F_SETSIG is used. (Thread ids are different from process ids,
although they have the same value for some threads depending
on details of the threading library used).
Also, this is the first paragraph of the F_SETSIG section:
Sets the signal sent when input or output becomes possible. A
value of zero means to send the default SIGIO signal. Any other
value (including SIGIO) is the signal to send instead, and in
this case additional info is available to the signal handler if
installed with SA_SIGINFO.
I'd like to append another paragraph right after that one:
Additionally, passing a non-zero value to F_SETSIG changes the
signal recipient from a whole process to a specific thread
within a process. The section on F_SETOWN gives more details.
Date: Thu, 7 Apr 2005 17:58:59 +0100
From: Jamie Lokier <jamie@shareable.org>
To: Michael Kerrisk <mtk-manpages@gmx.net>
Subject: Re: Update to fcntl(2) man page
[[...]]
> I've been trying to follow the kernel source code to verify
> the details you describe above. The relevant place is the
> 'switch' in fs/fcntl.c::send_sigio_to_task() right?
Yes.
> Also, for NPTL, perhaps one needs to mention that for the main
> thread, gettid() == getpid(), which allows the traditional
> use of F_SETSIG / F_SETOWN in programs consisting of a single
> thread -- right?
Yes, that makes sense. It's also fine for the "main thread" with
NPTL, so programs which spawn threads can still use F_SETOWN/F_SETSIG
in the main thread using getpid().
Date: Tue, 12 Apr 2005 15:25:49 +0100
From: Jamie Lokier <jamie@shareable.org>
To: Michael Kerrisk <mtk-manpages@gmx.net>
Subject: Re: Update to fcntl(2) man page
Michael Kerrisk wrote:
> F_SETOWN
> Set the process ID or process group ID that will
> receive SIGIO and SIGURG signals for events on
> file descriptor fd. A process ID is specified as
> a positive value; a process group ID is specified
> as a negative value.
>
> If you set the O_ASYNC status flag on a file
> descriptor (either by providing this flag with the
> open(2) call, or by using the F_SETFL command of
> fcntl), a SIGIO signal is sent whenever input or
> output becomes possible on that file descriptor.
> F_SETSIG can be used to obtain delivery of a sig‐
> nal other than SIGIO.
>
> If the file descriptor fd refers to a socket,
> F_SETOWN also selects the recipient of SIGURG sig‐
> nals that are delivered when out-of-band data
> arrives on that socket. (SIGURG is sent in any
> situation where select(2) would report the socket
> as having an "exceptional condition".)
>
> If a non-zero value is given to F_SETSIG in a
> multi-threaded process, then a positive value
> value given to F_SETOWN has a different meaning:
> instead of being a process ID identifying a whole
> process, it is a thread ID identifying a specific
> thread within a process. Consequently, it may be
> necessary to pass F_SETOWN the result of gettid()
> instead of getpid() to get sensible results when
> F_SETSIG is used. (In current Linux threading
> implementations, a main thread's thread ID is the
> same as its process ID. This means that a single-
> threaded program can equally use gettid() or get‐
> pid() in this scenario.) Note, however, that the
> statements in this paragraph do not apply to the
> SIGURG signal generated for out-of-band data on a
> socket: this signal is always sent to either a
> process or a process group, depending on the value
> given to F_SETOWN.
>
> And the first part of the description of F_SETSIG now reads:
>
> F_SETSIG
> Sets the signal sent when input or output becomes
> possible. A value of zero means to send the
> default SIGIO signal. Any other value (including
> SIGIO) is the signal to send instead, and in this
> case additional info is available to the signal
> handler if installed with SA_SIGINFO.
>
> Additionally, passing a non-zero value to F_SETSIG
> changes the signal recipient from a whole process
> to a specific thread within a process. See the
> desciption of F_SETOWN for more details.
>
> Does the above seem okay to you?
It looks good, but:
1. An omission: It mentions that SIGURG is always sent to the whole
process. SIGIO is also sent to the whole process, instead of
queueing a thread-specific signal, when the signal queue is full.
Programs that mustn't miss readiness events need to handle it.
2. The description could be confusing to LinuxThreads users, because
all the signals are thread-specific in LinuxThreads.
Date: Tue, 12 Apr 2005 16:53:19 +0100
From: Jamie Lokier <jamie@shareable.org>
To: Michael Kerrisk <mtk-manpages@gmx.net>
Subject: Re: Update to fcntl(2) man page
Michael Kerrisk wrote:
> > 1. An omission: It mentions that SIGURG is always sent to the whole
> > process. SIGIO is also sent to the whole process, instead of
> > queueing a thread-specific signal, when the signal queue is full.
> > Programs that mustn't miss readiness events need to handle it.
>
> Sorry -- can you point me to the relevant code for the
> above point please.
In 2.6:
switch (fown->signum) {
siginfo_t si;
default:
/* Queue a rt signal with the appropriate fd as its
value. We use SI_SIGIO as the source, not
SI_KERNEL, since kernel signals always get
delivered even if we can't queue. Failure to
queue in this case _should_ be reported; we fall
back to SIGIO in that case. --sct */
si.si_signo = fown->signum;
si.si_errno = 0;
si.si_code = reason;
/* Make sure we are called with one of the POLL_*
reasons, otherwise we could leak kernel stack into
userspace. */
if ((reason & __SI_MASK) != __SI_POLL)
BUG();
if (reason - POLL_IN >= NSIGPOLL)
si.si_band = ~0L;
else
si.si_band = band_table[reason - POLL_IN];
si.si_fd = fd;
if (!send_sig_info(fown->signum, &si, p))
break;
/* fall-through: fall back on the old plain SIGIO signal */
case 0:
send_group_sig_info(SIGIO, SEND_SIG_PRIV, p);
2.4 is exactly the same, except:
/* fall-through: fall back on the old plain SIGIO signal */
case 0:
send_sig(SIGIO, p, 1);
The fall-through happens when send_sig_info() fails, which happens
when the real-time signal queue is full.
Programs using a queued signal to track file readiness efficiently (as
an alternative to select/poll), must listen for SIGIO in addition to
the real-time signal, as otherwise they will miss notifications when
the queue is full (which happens often on a busy server).
Multi-threaded programs using NPTL must be aware this SIGIO is
process-wide - so receiving it on one thread must cause all threads to
assume a queued signal may be lost. Programs using LinuxThreads do
not have to assume this (but it's safe if they do).
Date: Wed, 13 Apr 2005 17:25:44 +0100
From: Jamie Lokier <jamie@shareable.org>
To: Michael Kerrisk <mtk-manpages@gmx.net>
Subject: Re: Update to fcntl(2) man page
Michael Kerrisk wrote:
> I added a few more sentences to the end of that paragraph
> on F_SETOWN:
>
> If a non-zero value is given to F_SETSIG in a multi-threaded
> process running with a threading library that supports thread
> groups (e.g., NPTL), then a positive value value given to
> F_SETOWN has a different meaning: instead of being a process ID
> identifying a whole process, it is a thread ID identifying a
> specific thread within a process. Consequently, it may be nec-
> essary to pass F_SETOWN the result of gettid() instead of get
> pid() to get sensible results when F_SETSIG is used. (In cur-
> rent Linux threading implementations, a main thread's thread ID
> is the same as its process ID. This means that a single-
> threaded program can equally use gettid() or getpid() in this
> scenario.) Note, however, that the statements in this paragraph
> do not apply to the SIGURG signal generated for out-of-band data
> on a socket: this signal is always sent to either a process or a
> process group, depending on the value given to F_SETOWN. Note
> also that Linux imposes a limit on the number of real-time sig-
> nals that may be queued to a process (see getrlimit(2) and sig-
> nal(7)) and if this limit is reached, then the kernel reverts to
> delivering SIGIO, and this signal is delivered to the entire
> process rather than to a specifc thread.
>
> Look oay now?
Looks ood.
It will take a minor genius to translate that to working
multi-threaded RT-SIGIO code without a tutorial -- and in fact I
haven't heard of any program or library which does it (though I'm
trying to write one) -- but technically it seems to include everything.
Michael Kerrisk