NetBSD Problem Report #40002
From www@NetBSD.org Sat Nov 22 08:34:14 2008
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by narn.NetBSD.org (Postfix) with ESMTP id 40C5763BD2D
for <gnats-bugs@gnats.netbsd.org>; Sat, 22 Nov 2008 08:34:14 +0000 (UTC)
Message-Id: <20081122083413.E947363B11D@narn.NetBSD.org>
Date: Sat, 22 Nov 2008 08:34:13 +0000 (UTC)
From: shinden@linux.pl
Reply-To: shinden@linux.pl
To: gnats-bugs@NetBSD.org
Subject: sockstat doesn't work for user with sysctl security.curtain=1
X-Send-Pr-Version: www-1.0
>Number: 40002
>Category: kern
>Synopsis: sockstat doesn't work for user with sysctl security.curtain=1
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Nov 22 08:35:00 +0000 2008
>Closed-Date: Sun Dec 14 23:21:10 +0000 2008
>Last-Modified: Sun Dec 14 23:21:10 +0000 2008
>Originator: Daniel Horecki
>Release: 5.0BETA, CURRENT
>Organization:
>Environment:
NetBSD tatooine.stars 5.99.02 NetBSD 5.99.02 (TATOOINE) #2: Tue Nov 18 22:36:45 CET 2008 sh@tatooine.stars:/home/sh/src/obj/sys/arch/i386/compile/TATOOINE i386
>Description:
If security.curtain is enabled, sockstat won't display sockets belonging only to that user, but only an error.
sh@tatooine:~/ > sudo sysctl -w security.curtain=1
security.curtain: 0 -> 1
sh@tatooine:~/ > sockstat
sockstat: sysctl: Operation not permitted
sh@tatooine:~/ > sudo sysctl -w security.curtain=0
security.curtain: 1 -> 0
sh@tatooine:~/ > sockstat
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
sh dbus-launc 96 3 stream - /tmp/.X11-unix/X0
sh dbus-launc 96 5 stream - /tmp/.X11-unix/X0
[...]
>How-To-Repeat:
sysctl -w security.curtain=1
as user:
sockstat
>Fix:
>Release-Note:
>Audit-Trail:
From: "Elad Efrat" <elad@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: re: kern/40002
Date: Fri, 28 Nov 2008 15:56:24 +0200
------=_Part_72918_27388076.1227880584108
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Seems like we're continuing the loop, but not resetting the error
value, so it "leaked" to userspace.
The attached patch should fix it, let me know.
Thanks,
-e.
------=_Part_72918_27388076.1227880584108
Content-Type: application/octet-stream; name=pr40002.diff
Content-Transfer-Encoding: base64
X-Attachment-Id: f_fo2wdzvl0
Content-Disposition: attachment; filename=pr40002.diff
SW5kZXg6IGluaXRfc3lzY3RsLmMKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09
PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQpSQ1MgZmlsZTogL3Vzci9jdnMvc3JjL3N5
cy9rZXJuL2luaXRfc3lzY3RsLmMsdgpyZXRyaWV2aW5nIHJldmlzaW9uIDEuMTUwCmRpZmYgLXUg
LXAgLXIxLjE1MCBpbml0X3N5c2N0bC5jCi0tLSBpbml0X3N5c2N0bC5jCTEyIE5vdiAyMDA4IDE0
OjMyOjM0IC0wMDAwCTEuMTUwCisrKyBpbml0X3N5c2N0bC5jCTI4IE5vdiAyMDA4IDA2OjA5OjAx
IC0wMDAwCkBAIC0yMDU4LDYgKzIwNTgsMTEgQEAgc3lzY3RsX2tlcm5fZmlsZTIoU1lTQ1RMRk5f
QVJHUykKIAkJCSAgICBOVUxMLCBOVUxMKTsKIAkJCW11dGV4X2V4aXQocC0+cF9sb2NrKTsKIAkJ
CWlmIChlcnJvciAhPSAwKSB7CisJCQkJLyoKKwkJCQkgKiBEb24ndCBsZWFrIGthdXRoIHJldHZh
bCBpZiB3ZSdyZSBzaWxlbnRseQorCQkJCSAqIHNraXBwaW5nIHRoaXMgZW50cnkuCisJCQkJICov
CisJCQkJZXJyb3IgPSAwOwogCQkJCWNvbnRpbnVlOwogCQkJfQogCg==
------=_Part_72918_27388076.1227880584108--
From: Elad Efrat <elad@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/40002 CVS commit: src/sys/kern
Date: Fri, 28 Nov 2008 18:58:59 +0000 (UTC)
Module Name: src
Committed By: elad
Date: Fri Nov 28 18:58:59 UTC 2008
Modified Files:
src/sys/kern: init_sysctl.c
Log Message:
PR/40002: Daniel Horecki: sockstat doesn't work for user with sysctl
security.curtain=1
If the kauth call failed, we'd silently continue the loop, but the error
code would remain and eventually "leak" to userspace. Reset the error to
zero when continuing.
Tested by snj@ and myself. Okay snj@.
To generate a diff of this commit:
cvs rdiff -r1.150 -r1.151 src/sys/kern/init_sysctl.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Manuel Bouyer <bouyer@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/40002 CVS commit: [netbsd-5] src/sys/kern
Date: Sat, 29 Nov 2008 20:51:06 +0000 (UTC)
Module Name: src
Committed By: bouyer
Date: Sat Nov 29 20:51:06 UTC 2008
Modified Files:
src/sys/kern [netbsd-5]: init_sysctl.c
Log Message:
Pull up following revision(s) (requested by elad in ticket #140):
sys/kern/init_sysctl.c: revision 1.151
PR/40002: Daniel Horecki: sockstat doesn't work for user with sysctl
security.curtain=1
If the kauth call failed, we'd silently continue the loop, but the error
code would remain and eventually "leak" to userspace. Reset the error to
zero when continuing.
Tested by snj@ and myself. Okay snj@.
To generate a diff of this commit:
cvs rdiff -r1.149 -r1.149.4.1 src/sys/kern/init_sysctl.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Daniel Horecki <shinden@linux.pl>
To: gnats-bugs@NetBSD.org
Cc: elad@netbsd.org, kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org
Subject: Re: kern/40002
Date: Sun, 14 Dec 2008 10:13:29 +0100
Je Fri, 28 Nov 2008 14:00:07 +0000 (UTC) "Elad Efrat" <elad@netbsd.org>
scribis:
> The following reply was made to PR kern/40002; it has been noted by
> GNATS.
>
> From: "Elad Efrat" <elad@netbsd.org>
> To: gnats-bugs@netbsd.org
> Cc:
> Subject: re: kern/40002
> Date: Fri, 28 Nov 2008 15:56:24 +0200
>
> ------=_Part_72918_27388076.1227880584108
> Content-Type: text/plain; charset=ISO-8859-1
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline
>
> Seems like we're continuing the loop, but not resetting the error
> value, so it "leaked" to userspace.
>
> The attached patch should fix it, let me know.
>
> Thanks,
>
It works now with current and 5.0. Thanks!
Daniel
--
Daniel Horecki
http://morr.pl http://linux.pl http://netbsd.pl
HAIL ERIS!
State-Changed-From-To: open->closed
State-Changed-By: elad@NetBSD.org
State-Changed-When: Sun, 14 Dec 2008 23:21:10 +0000
State-Changed-Why:
Fixed and pulled up to netbsd-5. Thanks for the report!
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.