authorrwatson <rwatson@FreeBSD.org>2003-09-14 07:22:38 +0000
committerrwatson <rwatson@FreeBSD.org>2003-09-14 07:22:38 +0000
commit50888524cab7543731fcbf46443bd1644d900523 (patch)
treeb84ccd348e68178b36e15917425a1f3ca48f1a75 /sys
parent2a498c508ca123eea4d3f81cf8dab287ec603022 (diff)
Add a new sysctl, security.bsd.conservative_signals, to disable
special signal-delivery protections for setugid processes. In the event that a system is relying on "unusual" signal delivery to processes that change their credentials, this can be used to work around application problems. Also, add SIGALRM to the set of signals permitted to be delivered to setugid processes by unprivileged subjects. Reported by: Joe Greco <jgreco@ns.sol.net>
Diffstat (limited to 'sys')
-rw-r--r--sys/kern/kern_prot.c17
1 files changed, 16 insertions, 1 deletions
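diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 47f2321..601b98a 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1367,6 +1367,20 @@ p_cansee(struct thread *td, struct proc *p)
 return (cr_cansee(td->td_ucred, p->p_ucred));
 }
 
+/*
+ * 'conservative_signals' prevents the delivery of a broad class of
+ * signals by unprivileged processes to processes that have changed their
+ * credentials since the last invocation of execve(). This can prevent
+ * the leakage of cached information or retained privileges as a result
+ * of a common class of signal-related vulnerabilities. However, this
+ * may interfere with some applications that expect to be able to
+ * deliver these signals to peer processes after having given up
+ * privilege.
+ */
+static int conservative_signals = 1;
+SYSCTL_INT(_security_bsd, OID_AUTO, conservative_signals, CTLFLAG_RW,
+ &conservative_signals, 0, "Unprivileged processes prevented from "
+ "sending certain signals to processes whose credentials have changed");
 /*-
 * Determine whether cred may deliver the specified signal to proc.
 * Returns: 0 for permitted, an errno value otherwise.
@@ -1399,12 +1413,13 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
 * bit on the target process. If the bit is set, then additional
 * restrictions are placed on the set of available signals.
 */
- if (proc->p_flag & P_SUGID) {
+ if (conservative_signals && (proc->p_flag & P_SUGID)) {
 switch (signum) {
 case 0:
 case SIGKILL:
 case SIGINT:
 case SIGTERM:
+ case SIGALRM:
 case SIGSTOP:
 case SIGTTIN:
 case SIGTTOU: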
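Review bot: The new `case SIGALRM:` label in the second hunk is added to the allow-list of signals an unprivileged sender may deliver to a P_SUGID target without any comment saying why it is considered as safe as the neighbouring entries, and since every label in this switch widens what setugid processes can be made to do, each one should carry its rationale; a one-line comment such as `case SIGALRM:	/* default action terminates, same risk class as SIGTERM */` would do. In the first hunk, the sysctl description string could also state the consequence of setting the knob to 0 — that the P_SUGID restriction block is skipped entirely — since the comment above the variable explains this but the string a sysctl user sees does not. cr_cansignal begins before this hunk and its switch continues past it.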