[PATCH] Set SOCKET_CLOEXEC on sockets returned by accept

Samba - samba-technical mailing list
Patches to Set SOCKET_CLOEXEC on the sockets returned by accept.
This means that the socket is not available to any child processes.
Making it harder for exploit code to set up a command channel.


Review and push appreciated
Gary


Attachment: Set-SOCKET_CLOEXEC.patch.txt (15K)
Re: [PATCH] Set SOCKET_CLOEXEC on sockets returned by accept

On Fri, Dec 15, 2017 at 02:32:03PM +1300, Gary Lockyer via samba-technical wrote:
> Patches to Set SOCKET_CLOEXEC on the sockets returned by accept.
> This means that the socket is not available to any child processes.
> Making it harder for exploit code to set up a command channel.

Is the commit message really correct? I thought CLOEXEC only closes on
exec, not on fork. Where did you find that such sockets don't extend
to child processes, i.e. are closed on fork(2)?

Thanks,

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:[hidden email]

Re: [PATCH] Set SOCKET_CLOEXEC on sockets returned by accept

On Fri, 2017-12-15 at 08:16 +0100, Volker Lendecke via samba-technical
wrote:
> On Fri, Dec 15, 2017 at 02:32:03PM +1300, Gary Lockyer via samba-technical wrote:
> > Patches to Set SOCKET_CLOEXEC on the sockets returned by accept.
> > This means that the socket is not available to any child processes.
> > Making it harder for exploit code to set up a command channel.
>
> Is the commit message really correct? I thought CLOEXEC only closes on
> exec, not on fork. Where did you find that such sockets don't extend
> to child processes, i.e. are closed on fork(2)?

G'Day Volker,

Yeah, that's a good point. A child process created by system() would be
a better description.

I asked Gary to do this one, the aim was to make simple attacks that
call system() like this one a little more miserable:

https://gist.github.com/worawit/051e881fc94fe4a49295

Not much, and not enough but perhaps it helps mitigate things some day.

Better practical steps or ideas on what might make Samba less
exploitable are most welcome!

Thanks,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
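
The distinction discussed in this exchange, as an added example that is not part of the thread or of the Samba patch: a descriptor marked close-on-exec is still open in a fork()ed child, but is gone in the shell that system() executes. The socketpair() stands in for a socket returned by accept, and `probe`, `open_after_fork` and `open_after_system` are illustrative names.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if fd is still open in a fork()ed child, 0 if closed, -1 on error. */
static int open_after_fork(int fd)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0)                       /* child: no exec happens here */
        _exit(fcntl(fd, F_GETFD) == -1 ? 1 : 0);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0;
}

/* 1 if fd is open in the shell run by system(), 0 if not, -1 on error. */
static int open_after_system(int fd)
{
    char cmd[64];
    int status;
    if (fd < 0 || fd > 9) return -1;    /* sh only guarantees one-digit fds */
    /* ": <&N" fails in the shell when descriptor N was not inherited. */
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; : <&%d", fd);
    status = system(cmd);
    if (status == -1 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0;
}

/* Result bits: bit 0 = open after fork(), bit 1 = open after system(). */
int probe(int cloexec)
{
    int sv[2], f, s;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (cloexec && fcntl(sv[0], F_SETFD, FD_CLOEXEC) < 0) return -1;
    f = open_after_fork(sv[0]);
    s = open_after_system(sv[0]);
    close(sv[0]); close(sv[1]);
    if (f < 0 || s < 0) return -1;
    return f | (s << 1);
}

int main(void)
{
    printf("plain socket:   %d\n", probe(0));
    printf("FD_CLOEXEC set: %d\n", probe(1));
    return 0;
}
```

On Linux, accept4() with SOCK_CLOEXEC sets the flag atomically at accept time, so there is no window between accept() and a later fcntl() call.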


Re: [PATCH] Set SOCKET_CLOEXEC on sockets returned by accept

Have updated the commit message.

Gary

On 15/12/17 20:43, Andrew Bartlett via samba-technical wrote:

> On Fri, 2017-12-15 at 08:16 +0100, Volker Lendecke via samba-technical
> wrote:
>> On Fri, Dec 15, 2017 at 02:32:03PM +1300, Gary Lockyer via samba-technical wrote:
>>> Patches to Set SOCKET_CLOEXEC on the sockets returned by accept.
>>> This means that the socket is not available to any child processes.
>>> Making it harder for exploit code to set up a command channel.
>>
>> Is the commit message really correct? I thought CLOEXEC only closes on
>> exec, not on fork. Where did you find that such sockets don't extend
>> to child processes, i.e. are closed on fork(2)?
>
> G'Day Volker,
>
> Yeah, that's a good point. A child process created by system() would be
> a better description.
>
> I asked Gary to do this one, the aim was to make simple attacks that
> call system() like this one a little more miserable:
>
> https://gist.github.com/worawit/051e881fc94fe4a49295
>
> Not much, and not enough but perhaps it helps mitigate things some day.
>
> Better practical steps or ideas on what might make Samba less
> exploitable are most welcome!
>
> Thanks,
>
> Andrew Bartlett
>

Attachment: Set-SOCKET_CLOEXEC.patch.txt (16K)
Re: [PATCH] Set SOCKET_CLOEXEC on sockets returned by accept

Hi Gary,

can you please squash the 2nd hunk of the 2nd commit to the first commit?

Thanks!
metze

On 17.12.2017 at 22:06, Gary Lockyer via samba-technical wrote:

> Have updated the commit message.
>
> Gary
>
> On 15/12/17 20:43, Andrew Bartlett via samba-technical wrote:
>> On Fri, 2017-12-15 at 08:16 +0100, Volker Lendecke via samba-technical
>> wrote:
>>> On Fri, Dec 15, 2017 at 02:32:03PM +1300, Gary Lockyer via samba-technical wrote:
>>>> Patches to Set SOCKET_CLOEXEC on the sockets returned by accept.
>>>> This means that the socket is not available to any child processes.
>>>> Making it harder for exploit code to set up a command channel.
>>>
>>> Is the commit message really correct? I thought CLOEXEC only closes on
>>> exec, not on fork. Where did you find that such sockets don't extend
>>> to child processes, i.e. are closed on fork(2)?
>>
>> G'Day Volker,
>>
>> Yeah, that's a good point. A child process created by system() would be
>> a better description.
>>
>> I asked Gary to do this one, the aim was to make simple attacks that
>> call system() like this one a little more miserable:
>>
>> https://gist.github.com/worawit/051e881fc94fe4a49295
>>
>> Not much, and not enough but perhaps it helps mitigate things some day.
>>
>> Better practical steps or ideas on what might make Samba less
>> exploitable are most welcome!
>>
>> Thanks,
>>
>> Andrew Bartlett
>>

