Bug #7590

sendmsg on AF_UNIX socket fails after process drops privileges

Added by Gordon Ross about 3 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: networking
Start date: 2016-11-16
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage

Description

[ Sent to me by Jeremy Allison of the Samba team ]

Here is a test program that demonstrates
that Illumos has a problem in dealing with
permissions on UNIX domain sockets.

To reproduce, compile the attached program,
then become root. In the directory containing
the a.out binary do the following:

  1. mkdir t
  2. chown root t
  3. chmod 700 t
  4. ./a.out t/s 5000

The expected output (and indeed the output on Linux
and FreeBSD) will be:

non_priv_send - sendmsg fail (expected) Permission denied
CLIENT:TEST0
SERVER:TEST0
CLIENT:TEST1
SERVER:TEST1
CLIENT:TEST2
SERVER:TEST2
CLIENT:TEST3
SERVER:TEST3
CLIENT:TEST4
SERVER:TEST4

On Illumos we get:

non_priv_send - sendmsg fail (expected) Permission denied
CLIENT:TEST0
./sendtest - sendmsg fail Permission denied

The root of the issue is that the program connects
to the socket as root, and then expects to be able
to change to a non-privileged user and use the connected
socket file descriptor to call sendmsg().

On Linux and FreeBSD this works. On Illumos it fails.

This prevents a class of programs that want to start as
privileged, connect to a unix domain socket to talk to
a daemon, and then drop privileges for safety and still
use the connected fd (or pass the fd to another process).
i.e. privilege separation security.

As you might guess, this is something that Samba does
and without this it breaks our messaging subsystem on
Illumos.

Anything you can do to get this bug fixed would be
appreciated. Without a fix Samba on Illumos will
have to make all messaging synchronous which will
have performance implications and in the worst case
deadlocks if there are hidden dependencies in code
that works on other platforms.


Files

sendtest.c (4.83 KB), Gordon Ross, 2016-11-16 11:28 PM

History

#1

Updated by Gordon Ross about 3 years ago

Attached sendtest.c

#2

Updated by Gordon Ross about 3 years ago

Evaluation:

The problem here is due to failures in sendmsg(2) when
sending messages on a "connected" datagram socket,
where the sendmsg call is not specifying a destination.

The AF_UNIX transport has two forms of "address" to identify
endpoints: (1) the struct sockaddr_un exposed to applications,
and (2) an internal equivalent struct so_ux_addr. The internal
form is just a vnode pointer and a magic number. I'll refer to
these as external form and internal form, respectively.

Several functions supporting AF_UNIX accept either form,
and (as necessary) convert the external form to internal form
by calling so_ux_addr_xlate() to do the conversion. Note that
this conversion needs to look up the vnode for the pathname
in the external form AF_UNIX address.

That lookup is the cause of the problems in this issue. When
sendmsg is called on a "connected" datagram socket (one
where a connect call has recorded a destination address)
and when that particular sendmsg call does not specify a
destination name, the AF_UNIX support code uses the
address stored by connect (as it should), but it uses the
external form address. This implies that, even though
this call did not specify an address, it ends up trying to
do a lookup to convert external to internal form. This can
fail when the process has dropped privileges.

The fix for this is fairly simple. When the connect call
stores the external form of address, it also stores the
internal form. In the cases where sendmsg is called
without a destination address, we should be using the
internal form of address we stored, and avoid doing
another (unnecessary) so_ux_addr_xlate() call.

Proposed fix out for review:
https://www.illumos.org/rb/r/269/
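A root-free variant of the reproduction from the description, written as an added example (it is not the attached sendtest.c): it exercises exactly the path the evaluation describes, sendmsg() on a connected datagram socket with no destination after the socket's directory has stopped being traversable. The scratch directory under /tmp and the chmod-to-000 stand-in for the chown/chmod/drop-privileges steps are assumptions of this example.

```c
/* Added example, not the attached sendtest.c: root-free variant of the
 * reproduction.  Connect a datagram client, make the socket's directory
 * untraversable, then send on the connected fd with no destination address. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/uio.h>
#include <sys/un.h>
/* 1: sendmsg() on the connected fd still reaches the server after the path
 * can no longer be looked up by us; 0: it fails (pre-fix illumos); -1: setup error. */
int connected_send_survives_lost_path_access(void)
{
    char dir[64];
    struct sockaddr_un sun;
    char buf[16];
    int srv = -1, cli = -1, rc = -1;
    struct iovec iov = { .iov_base = "TEST0", .iov_len = 5 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };  /* msg_name == NULL */
    /* Constructed scratch directory; stands in for "mkdir t" in the report. */
    snprintf(dir, sizeof dir, "/tmp/afunix-%ld", (long)getpid());
    if (mkdir(dir, 0700) < 0) return -1;
    memset(&sun, 0, sizeof sun);
    sun.sun_family = AF_UNIX;
    snprintf(sun.sun_path, sizeof sun.sun_path, "%s/s", dir);
    if ((srv = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0) goto out;
    if (bind(srv, (struct sockaddr *)&sun, sizeof sun) < 0) goto out;
    if ((cli = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0) goto out;
    if (connect(cli, (struct sockaddr *)&sun, sizeof sun) < 0) goto out;
    /* Stand-in for "chown root t; chmod 700 t; drop privileges": a non-root
     * owner cannot traverse a mode-000 directory, so a fresh lookup of "t/s"
     * inside sendmsg() would now fail with EACCES. */
    if (chmod(dir, 0) < 0) goto out;
    /* A correct AF_UNIX layer uses the peer recorded by connect() here. */
    if (sendmsg(cli, &msg, 0) == 5 && recv(srv, buf, sizeof buf, 0) == 5 &&
        memcmp(buf, "TEST0", 5) == 0)
        rc = 1;
    else
        rc = 0;
out:
    if (cli >= 0) close(cli);
    if (srv >= 0) close(srv);
    chmod(dir, 0700);            /* restore access so cleanup can unlink */
    unlink(sun.sun_path);
    rmdir(dir);
    return rc;
}
```

On Linux the function returns 1; the pre-fix illumos behaviour described in the evaluation corresponds to 0, because the stored external-form address is re-resolved through the now inaccessible directory.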

#3

Updated by Electric Monk over 2 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit f012ee0c3db17469b492c2cf757226f3d7b1ebbc

commit  f012ee0c3db17469b492c2cf757226f3d7b1ebbc
Author: Gordon Ross <gwr@nexenta.com>
Date:   2017-05-16T16:01:25.000Z

    7590 sendmsg on AF_UNIX socket fails after process drops privileges
    Portions contributed by: Jeremy Allison <jra@samba.org>
    Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
    Reviewed by: Toomas Soome <tsoome@me.com>
    Reviewed by: Robert Mustacchi <rm@joyent.com>
    Approved by: Dan McDonald <danmcd@omniti.com>

#4

Updated by Gordon Ross over 2 years ago

  • Status changed from Closed to Feedback

I opened a new issue for this instead. See: #8279

#5

Updated by Gordon Ross over 2 years ago

  • Status changed from Feedback to Closed
