NetBSD Problem Report #54971
From www@netbsd.org Sun Feb 16 17:02:55 2020
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 22D661A9213
for <gnats-bugs@gnats.NetBSD.org>; Sun, 16 Feb 2020 17:02:55 +0000 (UTC)
Message-Id: <20200216170254.100D41A9259@mollari.NetBSD.org>
Date: Sun, 16 Feb 2020 17:02:54 +0000 (UTC)
From: scole_mail@gmx.com
Reply-To: scole_mail@gmx.com
To: gnats-bugs@NetBSD.org
Subject: sockstat command output incorrect for normal user
X-Send-Pr-Version: www-1.0
>Number: 54971
>Category: bin
>Synopsis: sockstat command output incorrect for normal user
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Feb 16 17:05:00 +0000 2020
>Last-Modified: Wed Aug 26 10:45:01 +0000 2020
>Originator: scole_mail
>Release: NetBSD 9.0
>Organization:
none
>Environment:
NetBSD dstar.dstar.net 9.0 NetBSD 9.0 (GENERIC) #0: Sat Feb 15 16:24:46 PST 2020 scole@dstar.dstar.net:/home/scole/nbsd/cvs/9_0/obj/sys/arch/amd64/compile/GENERIC amd64
>Description:
I just installed 9.0 and noticed that the sockstat command doesn't list
the PROTO, LOCAL ADDRESS, and FOREIGN ADDRESS columns anymore for
non-root users:
scole@dstar:~> sockstat
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
scole asclock-cl 72 3 dgram - /var/run/log
scole xterm 73 3 dgram - /var/run/log
root rpc.lockd 96 3 dgram - /var/run/log
root rpc.lockd 96 4 dgram - /var/run/log
root rpc.lockd 96 5 dgram - /var/run/log
root rpc.lockd 96 6 dgram - /var/run/log
root rpc.lockd 96 8 dgram - /var/run/log
Is there another command that can be used to list the user's own open
sockets?
I see "netstat -a" is close to what I'm looking for, just to see what
socket descriptor is being used for ssh-agent:
scole@dstar:~> netstat -a | grep ssh
tcp 0 0 *.ssh *.* LISTEN
tcp6 0 0 *.ssh *.* LISTEN
ffff92f5866e7e40 stream 0 0 ffff92f55c154820 0 00 /tmp/ssh-FV4dngWYCsl0/agent.801
but there is no user associated with the open socket.
Also, it is also confusing that sockstat is displaying bogus info
scole@dstar:~> sockstat |grep ssh-a
scole ssh-agent 397 3 dgram - /var/run/log
for the last 3 columns. It seems like it should print out '-' or
nothing if it can't access the data to display accurately.
Thanks
>How-To-Repeat:
Run sockstat command on 9.0 machine as a normal user
>Fix:
>Audit-Trail:
From: scole_mail <scole_mail@gmx.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/54971: sockstat command output incorrect for normal user
Date: Sun, 16 Feb 2020 10:38:55 -0800
I found that 'fstat -u $LOGNAME' will do more or less the same and what
I need.
I still believe non-root sockstat should print nothing, '-', or '?' if
it doesn't have permission to read and display
PROTO/LOCAL ADDRESS/FOREIGN ADDRESS
columns.
Thanks
From: scole_mail <scole_mail@gmx.com>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: bin/54971: sockstat command output incorrect for normal user
Date: Mon, 24 Aug 2020 19:04:43 -0700
I've been looking into this a little and I believe it is permission
issue that changed between 8.0 and 9.0. I see a sysctl variable
kern.expose_address was added
https://nxr.netbsd.org/xref/src/sys/kern/kern_descrip.c#2342
to allow fstat/pstat -f/netstat to read kernel-protected addresses as a
normal user when enabled.
But sockstat still can't read those protected fields even with
kern.expose_address=3D1. I think there are at least 2 reasons.
1) Unlike the other *stat commands (fstat/netstat/pstat/...), sockstat
is not set-group-id-on-execution.
2) src/usr.bin/sockstat/sockstat.c is only using sysctls
(prog_sysctlnametomib & prog_sysctl) to populate its file structures,
and some fields (kinfo_file->ki_fdata) are unreadable, even with
kern.expose_address=3D1. For example, ki_fdata is always read as "0",
and since there is hash of sockets addresses used for displaying the
"PROTO LOCAL ADDRESS FOREIGN ADDRESS"
fields, it doesn't work correctly.
So I tried making sockstat match other permissions of
fstat/netstat/pstat:
-r-xr-sr-x 1 root kmem
That didn't work by itself, even when whole sockstat exe ran as
setegid(getegid()). But, if I do a call to kvm_open, don't even use the
descriptor, then close it (right after parsing input args):
// set-group-id-on-exec
kd =3D kvm_openfiles(NULL, NULL, NULL, O_RDONLY, buf);
if (kd =3D=3D NULL)
errx(1, "%s", buf);
kvm_close(kd);
// unset-group-id-on-exec
then the sysctl calls work correctly, and the sockstat program runs as
before
Is there "proper" way to give these sysctl's enough permissions to read
kernel addresses, or should sockstat really be using for kvm(3)?
Why does kvm_open/kvm_close/sysctl even work at all?
I know sysctl is only for live kernels, but I saw some of the other
*stat (pstat/fstat/...) use both sysctl and kvm, wouldn't it be easier
to maintain just to use only kvm?
This is was all tested on NetBSD 9.
From: scole_mail <scole_mail@gmx.com>
To: gnats-bugs@NetBSD.org
Cc: "Christos Zoulas" <christos@netbsd.org>
Subject: Re: bin/54971: sockstat command output incorrect for normal user
Date: Tue, 25 Aug 2020 08:08:25 -0700
Hi Christos,
Thank you for looking at this, I saw what you checked in. One other
question, should the Makefile have
USE_FORT?= yes # setgid
I saw the other *stat commands in usr.bin/ typically had it, but I
wasn't sure if it was necessary in this case.
Thanks!
From: Christos Zoulas <christos@zoulas.com>
To: gnats-bugs@netbsd.org
Cc: gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org,
scole_mail@gmx.com
Subject: Re: bin/54971: sockstat command output incorrect for normal user
Date: Tue, 25 Aug 2020 12:38:38 -0400
--Apple-Mail=_26BE8B1A-1429-4B40-AC3F-7883C9C5F0AF
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
charset=us-ascii
Well, since it is setgid, why not? Thanks for catching that.
christos
> On Aug 25, 2020, at 11:15 AM, scole_mail <scole_mail@gmx.com> wrote:
>
> The following reply was made to PR bin/54971; it has been noted by GNATS.
>
> From: scole_mail <scole_mail@gmx.com>
> To: gnats-bugs@NetBSD.org
> Cc: "Christos Zoulas" <christos@netbsd.org>
> Subject: Re: bin/54971: sockstat command output incorrect for normal user
> Date: Tue, 25 Aug 2020 08:08:25 -0700
>
> Hi Christos,
>
> Thank you for looking at this, I saw what you checked in. One other
> question, should the Makefile have
> USE_FORT?= yes # setgid
>
> I saw the other *stat commands in usr.bin/ typically had it, but I
> wasn't sure if it was necessary in this case.
>
> Thanks!
>
--Apple-Mail=_26BE8B1A-1429-4B40-AC3F-7883C9C5F0AF
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename=signature.asc
Content-Type: application/pgp-signature;
name=signature.asc
Content-Description: Message signed with OpenPGP
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iF0EARECAB0WIQS+BJlbqPkO0MDBdsRxESqxbLM7OgUCX0U+jwAKCRBxESqxbLM7
Oma4AJ4vrGjji7wBxD4C2Wd5gpSqO1e/VQCgwgkvDu2BAcBW+ZAhLThIuRHp7zI=
=IoDv
-----END PGP SIGNATURE-----
--Apple-Mail=_26BE8B1A-1429-4B40-AC3F-7883C9C5F0AF--
From: scole_mail <scole_mail@gmx.com>
To: gnats-bugs@NetBSD.org
Cc: Christos Zoulas <christos@zoulas.com>
Subject: Re: bin/54971: sockstat command output incorrect for normal user
Date: Tue, 25 Aug 2020 14:03:48 -0700
One last item hopefully... I was looking over the *stat programs more
closely and they all seem to follow some variation of this paradigm with
setgid/setegid. I tested it and it worked fine.
If it looks correct, I can check it in or feel free if you'd like to.
Thanks very much
Summary of changes: (A/? =3D New, R/D =3D Removed, M =3D Modified)
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
M sockstat.c
Apply patch with "cd .../src/usr.bin/sockstat ; patch -s -p0 < .../patchfi=
le"
Index: sockstat.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvsroot/src/usr.bin/sockstat/sockstat.c,v
retrieving revision 1.22
diff -b -u -r1.22 sockstat.c
=2D-- sockstat.c 25 Aug 2020 14:05:17 -0000 1.22
+++ sockstat.c 25 Aug 2020 20:47:50 -0000
@@ -121,6 +121,8 @@
int ch;
size_t i;
struct kinfo_proc2 p;
+ gid_t egid =3D getegid();
+ setegid(getgid());
pf_list =3D only =3D 0;
@@ -180,10 +182,13 @@
err(1, "init");
/* Not used, but we set the PK_KMEM flag like this */
+ setegid(egid);
int fd =3D open("/dev/mem", O_RDONLY);
if (fd =3D=3D -1)
err(EXIT_FAILURE, "Can't open `/dev/mem'");
close(fd);
+ setgid(getgid());
+
if ((portmap !=3D NULL) && (pf_list =3D=3D 0)) {
pf_list =3D PF_LIST_INET;
#ifdef INET6
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/54971: sockstat command output incorrect for normal user
Date: Wed, 26 Aug 2020 08:21:05 +0200
Please do NOT make sockstat setgid or anything, but fix the bugs in the
kernel part instead.
We have been trying to get rid of kvm and setgid programs, this would be
the wrong direction.
Martin
(Contact us)
$NetBSD: query-full-pr,v 1.46 2020/01/03 16:35:01 leot Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2020
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.