Bug #7590

closed

sendmsg on AF_UNIX socket fails after process drops privileges

Added by Gordon Ross about 5 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: networking
Start date: 2016-11-16
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:

Description

[ Sent to me by Jeremy Allison of the Samba team ]

Here is a test program that demonstrates
that Illumos has a problem in dealing with
permissions on UNIX domain sockets.

To reproduce, compile the attached program,
then become root. In the directory containing
the a.out binary do the following:

  1. mkdir t
  2. chown root t
  3. chmod 700 t
  4. ./a.out t/s 5000

The expected output (and indeed the output on Linux
and FreeBSD) will be:

non_priv_send - sendmsg fail (expected) Permission denied
CLIENT:TEST0
SERVER:TEST0
CLIENT:TEST1
SERVER:TEST1
CLIENT:TEST2
SERVER:TEST2
CLIENT:TEST3
SERVER:TEST3
CLIENT:TEST4
SERVER:TEST4

On Illumos we get:

non_priv_send - sendmsg fail (expected) Permission denied
CLIENT:TEST0
./sendtest - sendmsg fail Permission denied

The root of the issue is that the program connects
to the socket as root, and then expects to be able
to change to a non-privileged user and use the connected
socket file descriptor to call sendmsg().

On Linux and FreeBSD this works. On Illumos it fails.

This prevents a class of programs that want to start as
privileged, connect to a unix domain socket to talk to
a daemon, and then drop privileges for safety and still
use the connected fd (or pass the fd to another process).
i.e. privilege separation security.

As you might guess, this is something that Samba does
and without this it breaks our messaging subsystem on
Illumos.

Anything you can do to get this bug fixed would be
appreciated. Without a fix Samba on Illumos will
have to make all messaging synchronous which will
have performance implications and in the worst case
deadlocks if there are hidden dependencies in code
that works on other platforms.


Files

sendtest.c (4.83 KB) Gordon Ross, 2016-11-16 11:28 PM

Related issues

Related to illumos gate - Bug #8279: socketpair(AF_UNIX, SOCK_DGRAM,...) broken after 7590 (Closed, Gordon Ross, 2017-05-27)
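
The descriptor semantics the report relies on, as an added example (this is not the attached sendtest.c, and not Samba or illumos code): a descriptor connected while the path was accessible should keep working after that access is gone, while a new send addressed by path is refused. Assumptions: a SOCK_DGRAM socket, a constructed scratch directory under /tmp, a hypothetical function name, and chmod of the directory to mode 0 standing in for the setuid() drop so the program runs without root.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Returns 0 when a datagram sent on the already-connected descriptor arrives
 * after access to the socket path was revoked, else the failing step's errno.
 * *path_errno gets the errno (0 on success) of a new send addressed by path. */
int send_after_access_loss(int *path_errno)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    const struct sockaddr *addr = (const struct sockaddr *)&sa;
    char dir[64], buf[16];
    int rc = 0;
    /* Constructed scratch path: /tmp/afunix.<pid>/s, directory mode 0700. */
    snprintf(dir, sizeof(dir), "/tmp/afunix.%ld", (long)getpid());
    snprintf(sa.sun_path, sizeof(sa.sun_path), "%s/s", dir);
    if (mkdir(dir, 0700) != 0)
        return errno;
    int srv = socket(AF_UNIX, SOCK_DGRAM, 0);  /* the "daemon" end */
    int cli = socket(AF_UNIX, SOCK_DGRAM, 0);  /* connected while access is held */
    int late = socket(AF_UNIX, SOCK_DGRAM, 0); /* used only after access is lost */
    if (srv < 0 || cli < 0 || late < 0 ||
        bind(srv, addr, sizeof(sa)) != 0 || connect(cli, addr, sizeof(sa)) != 0)
        rc = errno;
    /* Stand-in for the privilege drop: remove all access to the directory. */
    if (rc == 0 && chmod(dir, 0) != 0)
        rc = errno;
    if (rc == 0) {
        /* The connected descriptor needs no further path lookup. */
        if (send(cli, "TEST0", 5, 0) != 5 ||
            recv(srv, buf, sizeof(buf), MSG_DONTWAIT) != 5)
            rc = errno;
        /* A send addressed by path has to resolve the path again. */
        *path_errno = sendto(late, "TEST0", 5, 0, addr, sizeof(sa)) < 0 ? errno : 0;
    }
    chmod(dir, 0700);                          /* restore access for cleanup */
    unlink(sa.sun_path);
    rmdir(dir);
    close(srv); close(cli); close(late);
    return rc;
}

int main(void)
{
    int path_errno = 0, rc = send_after_access_loss(&path_errno);
    printf("connected fd errno=%d, by-path errno=%d\n", rc, path_errno);
    return rc != 0;
}
```

Run as root, the by-path send succeeds as well, because root is not bound by the directory mode; the connected-descriptor result is the one that matters for privilege separation.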
