
Re: new kde 3.1 packages from Ralph Nolden and file handles



Here is a demonstration of a problem that was in kde 3.0.4 as well.  I have 
run the command "sleep 100" twice: PID 6482 is from Konsole, PID 6493 is from 
an Xterm launched by selecting the "Run Command" menu option and typing 
"xterm".  I used "sleep" to demonstrate this problem as it's a program that 
hangs around, it doesn't do much else to distract us from the problem at 
hand, and it's something that everyone has, so anyone can reproduce the problem.

Notice that in the copy of sleep run from konsole (6482) the file handles are 
what you expect: a few shared objects, a controlling tty, a home directory and 
a root directory.

Notice that in the copy of sleep run from xterm (6493) there are also open 
file handles for two named pipes and the ~/Desktop directory.  I believe that 
this is a minor security risk.  If I run an xterm and then use it to run a 
SUID wrapper program that runs an insecure or hostile program, then, if that 
wrapper program does not close all file handles (su does, but other programs 
may not), the hostile program may get access to ~/Desktop in my home 
directory!

I discovered this bug through my SE Linux logs.  Some programs were logged as 
inheriting file handles that they were not allowed to access when I used an 
xterm.

rjc@lyta:~$ lsof | grep sleep
sleep    6482  rjc  cwd    DIR        3,7    6640      2015 /home/rjc
sleep    6482  rjc  rtd    DIR        3,2     584         2 /
sleep    6482  rjc  txt    REG        3,2   11336     49958 /bin/sleep
sleep    6482  rjc  mem    REG        3,2   82348      7970 /lib/ld-2.3.1.so
sleep    6482  rjc  mem    REG        3,2  130964      8840 /lib/libm-2.3.1.so
sleep    6482  rjc  mem    REG        3,2   26592     26552 /lib/librt-2.3.1.so
sleep    6482  rjc  mem    REG        3,2 1102952      8292 /lib/libc-2.3.1.so
sleep    6482  rjc  mem    REG        3,2   81959     26556 /lib/libpthread-0.10.so
sleep    6482  rjc    0u   CHR      136,2              1716 /dev/pts/2
sleep    6482  rjc    1u   CHR      136,2              1716 /dev/pts/2
sleep    6482  rjc    2u   CHR      136,2              1716 /dev/pts/2
sleep    6493  rjc  cwd    DIR        3,7    6640      2015 /home/rjc
sleep    6493  rjc  rtd    DIR        3,2     584         2 /
sleep    6493  rjc  txt    REG        3,2   11336     49958 /bin/sleep
sleep    6493  rjc  mem    REG        3,2   82348      7970 /lib/ld-2.3.1.so
sleep    6493  rjc  mem    REG        3,2  130964      8840 /lib/libm-2.3.1.so
sleep    6493  rjc  mem    REG        3,2   26592     26552 /lib/librt-2.3.1.so
sleep    6493  rjc  mem    REG        3,2 1102952      8292 /lib/libc-2.3.1.so
sleep    6493  rjc  mem    REG        3,2   81959     26556 /lib/libpthread-0.10.so
sleep    6493  rjc    0u   CHR      136,3              1734 /dev/pts/3
sleep    6493  rjc    1u   CHR      136,3              1734 /dev/pts/3
sleep    6493  rjc    2u   CHR      136,3              1734 /dev/pts/3
sleep    6493  rjc    6r  FIFO        0,5           1065293 pipe
sleep    6493  rjc    7w  FIFO        0,5           1065293 pipe
sleep    6493  rjc   13r   DIR        3,7     688      4285 /home/rjc/Desktop
rjc@lyta:~$


-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
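An added example, not code from the post, from KDE or from su, showing the descriptor hygiene the post says a SUID wrapper needs: before exec it closes every descriptor above stderr, so handles inherited from a parent such as xterm (the pipes and the ~/Desktop directory in the lsof output above) never reach the launched program. It is plain POSIX, probing each descriptor with fcntl(); the pipe it creates in main() stands in for the leaked descriptors.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#define FD_PROBE_LIMIT 65536   /* cap on the probe loop, chosen for this demo */

/* Highest descriptor number worth probing: the process limit, capped. */
static long fd_limit(void) {
    long lim = sysconf(_SC_OPEN_MAX);
    if (lim < 0 || lim > FD_PROBE_LIMIT) lim = FD_PROBE_LIMIT;
    return lim;
}

/* A descriptor is open if fcntl(F_GETFD) succeeds; EBADF means it is closed. */
int fd_is_open(int fd) { return fcntl(fd, F_GETFD) != -1; }

/* Count open descriptors numbered >= lowest, the per-process view that
 * `lsof | grep <pid>` gives from outside. */
int count_open_fds(int lowest) {
    long lim = fd_limit();
    int n = 0;
    for (long fd = lowest; fd < lim; fd++)
        if (fd_is_open((int)fd)) n++;
    return n;
}

/* Close everything >= lowest; with lowest == 3, stdin/stdout/stderr survive.
 * Returns the number of descriptors closed. A wrapper that cannot trust what
 * its parent left open does this right before execve(). */
int close_inherited_fds(int lowest) {
    long lim = fd_limit();
    int closed = 0;
    for (long fd = lowest; fd < lim; fd++)
        if (close((int)fd) == 0) closed++;
    return closed;
}

int main(void) {
    int p[2];
    if (pipe(p) != 0) return 1;   /* constructed stand-in for xterm's leaked pipes */
    printf("open fds >= 3 before: %d\n", count_open_fds(3));
    printf("closed: %d\n", close_inherited_fds(3));
    printf("open fds >= 3 after:  %d\n", count_open_fds(3));
    return 0;
}
```

The other half of the fix belongs in the program that owns the descriptors: opening them with O_CLOEXEC (or setting FD_CLOEXEC) means the kernel drops them at exec, so the launched program never sees them even when no wrapper cleans up.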