From patchwork Wed Aug 19 12:41:25 2020
X-Patchwork-Submitter: Arsen Arsenović
X-Patchwork-Id: 1347773
To: libc-alpha@sourceware.org
Subject: [PATCH v2] Ensure standard file descriptors are open on start
Date: Wed, 19 Aug 2020 14:41:25 +0200
Message-Id: <20200819124124.17481-1-arsen@aarsen.me>
From: Arsen Arsenović

ISO C requires that standard input, output and error are always open on program startup.
---
I've removed the changes to the access mode used when opening the three standard file descriptors, to address Paul's concerns.

csu/check_fds.c | 4 ++-- csu/libc-start.c | 9 +++------ elf/dl-sysdep.c | 7 ++----- 3 files changed, 7 insertions(+), 13 deletions(-) diff --git a/csu/check_fds.c b/csu/check_fds.c index 30634b81..d2bca0a3 100644 --- a/csu/check_fds.c +++ b/csu/check_fds.c @@ -58,8 +58,8 @@ check_one_fd (int fd, int mode) } /* Something is wrong with this descriptor, it's probably not - opened. Open /dev/null so that the SUID program we are - about to start does not accidentally use this descriptor. */ + opened. Open /dev/null so that the program we are about to + start does not accidentally use this descriptor. */ int nullfd = __open_nocancel (name, mode, 0); /* We are very paranoid here. With all means we try to ensure diff --git a/csu/libc-start.c b/csu/libc-start.c index 4005caf8..f99efda0 100644 --- a/csu/libc-start.c +++ b/csu/libc-start.c @@ -253,12 +253,9 @@ LIBC_START_MAIN (int (*main) (int, char **, char ** MAIN_AUXVEC_DECL), if (fini) __cxa_atexit ((void (*) (void *)) fini, NULL, NULL); - /* Some security at this point. Prevent starting a SUID binary where - the standard file descriptors are not opened. We have to do this - only for statically linked applications since otherwise the dynamic - loader did the work already. */ - if (__builtin_expect (__libc_enable_secure, 0)) - __libc_check_standard_fds (); + /* Ensure the standard streams are opened, as required by POSIX and C. For + dynamic programs this is already handled in the dynamic loader. */ + __libc_check_standard_fds (); #endif /* Call the initializer of the program, if any. */ 
diff --git a/elf/dl-sysdep.c b/elf/dl-sysdep.c index 85457082..83070413 100644 --- a/elf/dl-sysdep.c +++ b/elf/dl-sysdep.c @@ -243,11 +243,8 @@ _dl_sysdep_start (void **start_argptr, __sbrk (GLRO(dl_pagesize) - ((_end - (char *) 0) & (GLRO(dl_pagesize) - 1))); - /* If this is a SUID program we make sure that FDs 0, 1, and 2 are - allocated. If necessary we are doing it ourself. If it is not - possible we stop the program. */ - if (__builtin_expect (__libc_enable_secure, 0)) - __libc_check_standard_fds (); + /* Ensure all the standard streams are open (C and POSIX require this) */ + __libc_check_standard_fds (); (*dl_main) (phdr, phnum, &user_entry, GLRO(dl_auxv)); return user_entry;
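Review bot: In the csu/libc-start.c hunk, removing the "if (__builtin_expect (__libc_enable_secure, 0))" guard makes __libc_check_standard_fds () run on every start of a statically linked program, yet the diffstat lists only the three source files: there is no test for a program started with descriptor 0, 1 or 2 closed, and no NEWS entry for the behaviour change. Please add a test that starts both a static and a dynamic binary with each standard descriptor closed and verifies that all three are open in main. The new comment also cites "POSIX and C" while the commit message cites only ISO C; make the two agree.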
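Review bot: In the elf/dl-sysdep.c hunk, the replacement comment drops the sentence "If it is not possible we stop the program", although the call now runs for every dynamically linked process instead of only when __libc_enable_secure is set, so that failure path is reached by far more programs than before. Keep a statement of what happens when a descriptor cannot be allocated, and say in the commit message whether stopping is acceptable for an ordinary program started where /dev/null cannot be opened. Style: the new one-line comment should end with a period, as the other comments in the patch do.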