From patchwork Tue Aug 18 17:50:18 2020
From: Arsen Arsenović
To: libc-alpha@sourceware.org
Subject: [PATCH] Ensure standard file descriptors are open on start
Date: Tue, 18 Aug 2020 19:50:18 +0200
Message-Id: <20200818175018.27213-1-arsen@aarsen.me>

ISO C requires that standard input, output and error are always open on
program startup.
---
Prior to these changes, a program could be launched that has no standard
input, output or error stream. This is in conflict with the C and POSIX
standards, and causes some programs (such as autoconf configure scripts)
to fail.

This behavior can be easily replicated using a "wrapper" program such as:

    #include <unistd.h>   /* close, execvp */

    int main(int argc, char **argv)
    {
      /* Close stdin, then run the command given on our command line. */
      close(0);
      execvp(argv[1], argv + 1);
    }

Launching cat via ./close_stdin cat will, without these changes, result in
an EBADF, but will silently exit (as it is reading /dev/null) with these
changes. The latter behavior imitates what the C standard requires.

 csu/check_fds.c  | 10 +++++-----
 csu/libc-start.c |  9 +++------
 elf/dl-sysdep.c  |  7 ++-----
 3 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/csu/check_fds.c b/csu/check_fds.c
index 30634b81..f0f88268 100644
--- a/csu/check_fds.c
+++ b/csu/check_fds.c
@@ -58,8 +58,8 @@ check_one_fd (int fd, int mode) } /* Something is wrong with this descriptor, it's probably not - opened. Open /dev/null so that the SUID program we are - about to start does not accidentally use this descriptor. */ + opened. Open /dev/null so that the program we are about to + start does not accidentally use this descriptor. */ int nullfd = __open_nocancel (name, mode, 0); /* We are very paranoid here. With all means we try to ensure @@ -90,7 +90,7 @@ __libc_check_standard_fds (void) is really paranoid but some people actually are. If /dev/null should happen to be a symlink to somewhere else and not the device commonly known as "/dev/null" we bail out. */ - check_one_fd (STDIN_FILENO, O_WRONLY | O_NOFOLLOW); - check_one_fd (STDOUT_FILENO, O_RDONLY | O_NOFOLLOW); - check_one_fd (STDERR_FILENO, O_RDONLY | O_NOFOLLOW); + check_one_fd (STDIN_FILENO, O_RDONLY | O_NOFOLLOW); + check_one_fd (STDOUT_FILENO, O_WRONLY | O_NOFOLLOW); + check_one_fd (STDERR_FILENO, O_WRONLY | O_NOFOLLOW); } diff --git a/csu/libc-start.c b/csu/libc-start.c index 4005caf8..f99efda0 100644 --- a/csu/libc-start.c +++ b/csu/libc-start.c @@ -253,12 +253,9 @@ LIBC_START_MAIN (int (*main) (int, char **, char ** MAIN_AUXVEC_DECL), if (fini) __cxa_atexit ((void (*) (void *)) fini, NULL, NULL); - /* Some security at this point. Prevent starting a SUID binary where - the standard file descriptors are not opened. We have to do this - only for statically linked applications since otherwise the dynamic - loader did the work already. */ - if (__builtin_expect (__libc_enable_secure, 0)) - __libc_check_standard_fds (); + /* Ensure the standard streams are opened, as required by POSIX and C. For + dynamic programs this is already handled in the dynamic loader. */ + __libc_check_standard_fds (); #endif /* Call the initializer of the program, if any. */ diff --git a/elf/dl-sysdep.c b/elf/dl-sysdep.c index 85457082..83070413 100644 --- a/elf/dl-sysdep.c +++ b/elf/dl-sysdep.c 
@@ -243,11 +243,8 @@ _dl_sysdep_start (void **start_argptr, __sbrk (GLRO(dl_pagesize) - ((_end - (char *) 0) & (GLRO(dl_pagesize) - 1))); - /* If this is a SUID program we make sure that FDs 0, 1, and 2 are - allocated. If necessary we are doing it ourself. If it is not - possible we stop the program. */ - if (__builtin_expect (__libc_enable_secure, 0)) - __libc_check_standard_fds (); + /* Ensure all the standard streams are open (C and POSIX require this) */ + __libc_check_standard_fds (); (*dl_main) (phdr, phnum, &user_entry, GLRO(dl_auxv)); return user_entry;
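Review bot: In the csu/check_fds.c hunk at -58,8 (check_one_fd), the rewritten comment drops the only remaining statement of why this check matters for set-user-ID programs, even though that is still the security-relevant case. Suggest keeping that context while generalising, e.g. "Open /dev/null so that the program we are about to start (in particular a SUID one) does not accidentally use this descriptor."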
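Review bot: In the csu/check_fds.c hunk at -90,7 (__libc_check_standard_fds), the open-mode swap also changes behaviour for set-user-ID programs, which the commit message does not discuss. Before this change a missing stdin was replaced with a write-only /dev/null so that reads failed with EBADF rather than silently returning EOF, and missing stdout/stderr with a read-only one so that writes failed; the surrounding context ("We are very paranoid here") shows this was deliberate. If that protection is meant to survive in secure mode, suggest selecting the mode on __libc_enable_secure instead of swapping it unconditionally, e.g. `check_one_fd (STDIN_FILENO, (__libc_enable_secure ? O_WRONLY : O_RDONLY) | O_NOFOLLOW);`, and in any case stating the intended secure-mode behaviour in the commit message.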
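Review bot: In the csu/libc-start.c hunk, calling __libc_check_standard_fds unconditionally means every statically linked program now inherits the failure mode that was previously reserved for __libc_enable_secure: the comment removed in the elf/dl-sysdep.c hunk states "If it is not possible we stop the program", so a static binary started where /dev/null cannot be opened (a minimal chroot or container without /dev) will now abort at startup instead of running. Suggest the commit message call this out explicitly, and consider keeping the fatal path for secure mode only while letting non-secure programs continue when /dev/null is unavailable.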
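Review bot: In the elf/dl-sysdep.c hunk, the new comment is missing its terminating period ("(C and POSIX require this) */"), unlike the new comment in the csu/libc-start.c hunk of the same patch, and it also drops the sentence documenting that the program is stopped when the descriptors cannot be opened, which is still what happens. Suggest "/* Ensure all the standard streams are open, as C and POSIX require.  If this is not possible we stop the program. */".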