[PATCH] Set SOCKET_CLOEXEC on sockets returned by accept

Gary Lockyer gary at catalyst.net.nz
Fri Dec 15 01:32:03 UTC 2017


Patches to set SOCKET_CLOEXEC on the sockets returned by accept.
This means that the socket is not available to any child processes,
making it harder for exploit code to set up a command channel.


Review and push appreciated
Gary

-------------- next part --------------
From 6c23c2b5f9cd768317f38a20fb7078b5ab8ab739 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 09:17:49 +1300
Subject: [PATCH 01/11] lib/tevent/echo_server.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept.  This means that
the socket is not available to any child processes.  Making it harder
for exploit code to set up a command channel.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
 lib/tevent/echo_server.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/tevent/echo_server.c b/lib/tevent/echo_server.c
index 6e7f181..3b2122d 100644
--- a/lib/tevent/echo_server.c
+++ b/lib/tevent/echo_server.c
@@ -118,6 +118,7 @@ static void accept_handler(struct tevent_context *ev, struct tevent_fd *fde,
 		tevent_req_error(req, errno);
 		return;
 	}
+	smb_set_close_on_exec(state->listen_sock);
 	state->sock = ret;
 	tevent_req_done(req);
 }
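Review bot: The added call sets close-on-exec on `state->listen_sock`, the listening socket, while the accepted descriptor `ret` that the commit message is about stays inheritable. 02/11 corrects this to `smb_set_close_on_exec(ret);` in its second hunk, under a subject that names only lib/async_req/async_sock.c. Squashing that one-line fix into this patch would keep 01/11 correct on its own and keep bisection meaningful. accept_handler's body starts outside the hunk.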
-- 
2.7.4


From db83b500e18315776364f0dddd345f061c953ace Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 09:31:33 +1300
Subject: [PATCH 02/11] lib/async_req/async_sock.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept. This means that
the socket is not available to any child processes. Making it harder
for exploit code to set up a command channel.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
 lib/async_req/async_sock.c | 1 +
 lib/tevent/echo_server.c   | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/async_req/async_sock.c b/lib/async_req/async_sock.c
index db3916e..0a8a333 100644
--- a/lib/async_req/async_sock.c
+++ b/lib/async_req/async_sock.c
@@ -738,6 +738,7 @@ static void accept_handler(struct tevent_context *ev, struct tevent_fd *fde,
 		tevent_req_error(req, errno);
 		return;
 	}
+	smb_set_close_on_exec(ret);
 	state->sock = ret;
 	tevent_req_done(req);
 }
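Review bot: Setting close-on-exec in a separate call after accept() leaves a short window in which the accepted descriptor is still inheritable, which matters if another thread in the process can fork and exec in between; the same accept-then-set pattern is used in every later hunk of the series (03/11 through 11/11). Where the platform provides it, accept4() with SOCK_CLOEXEC sets the flag atomically, e.g. for the call visible in 04/11 `fd = accept4(ctcp->listen_fd, (struct sockaddr *)&addr, &len, SOCK_CLOEXEC);`, with accept() plus smb_set_close_on_exec() kept as the fallback. The result of smb_set_close_on_exec() is also discarded at every call site; if it reports failure (it appears to return a status, to be confirmed), logging that would make a socket that stayed inheritable visible. A single shared accept wrapper would keep the call sites from drifting apart. accept_handler's body starts outside this hunk.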
diff --git a/lib/tevent/echo_server.c b/lib/tevent/echo_server.c
index 3b2122d..f93d8bc 100644
--- a/lib/tevent/echo_server.c
+++ b/lib/tevent/echo_server.c
@@ -118,7 +118,7 @@ static void accept_handler(struct tevent_context *ev, struct tevent_fd *fde,
 		tevent_req_error(req, errno);
 		return;
 	}
-	smb_set_close_on_exec(state->listen_sock);
+	smb_set_close_on_exec(ret);
 	state->sock = ret;
 	tevent_req_done(req);
 }
-- 
2.7.4


From 3987e9737ea444d4b72a057c7849b39d866c1d75 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 09:36:08 +1300
Subject: [PATCH 03/11] ctdb/server/ctdb_daemon.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept.  This means that
the socket is not available to any child processes.  Making it harder
for exploit code to set up a command channel.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
 ctdb/server/ctdb_daemon.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ctdb/server/ctdb_daemon.c b/ctdb/server/ctdb_daemon.c
index 459dd29..35c1ab6 100644
--- a/ctdb/server/ctdb_daemon.c
+++ b/ctdb/server/ctdb_daemon.c
@@ -949,6 +949,7 @@ static void ctdb_accept_client(struct tevent_context *ev,
 	if (fd == -1) {
 		return;
 	}
+	smb_set_close_on_exec(fd);
 
 	ret = set_blocking(fd, false);
 	if (ret != 0) {
-- 
2.7.4


From f197b2650015d7cea14af3a9bd2c7cde79b6ce81 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 09:37:28 +1300
Subject: [PATCH 04/11] ctdb/tcp/tcp_connect.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept.  This means that
the socket is not available to any child processes.  Making it harder
for exploit code to set up a command channel.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
 ctdb/tcp/tcp_connect.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ctdb/tcp/tcp_connect.c b/ctdb/tcp/tcp_connect.c
index 82f2e74..17aafc4 100644
--- a/ctdb/tcp/tcp_connect.c
+++ b/ctdb/tcp/tcp_connect.c
@@ -249,6 +249,7 @@ static void ctdb_listen_event(struct tevent_context *ev, struct tevent_fd *fde,
 	len = sizeof(addr);
 	fd = accept(ctcp->listen_fd, (struct sockaddr *)&addr, &len);
 	if (fd == -1) return;
+	smb_set_close_on_exec(fd);
 
 	nodeid = ctdb_ip_to_nodeid(ctdb, &addr);
 
-- 
2.7.4


From 6b8cb283b0038a65984fc20e6e3e0a014043dc5a Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 09:39:43 +1300
Subject: [PATCH 05/11] source3/rpc_server/rpc_server.c set socket close on
 exec

Set SOCKET_CLOEXEC on the sockets returned by accept.  This means that
the socket is not available to any child processes.  Making it harder
for exploit code to set up a command channel.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
 source3/rpc_server/rpc_server.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
index e15cd20..94335b3 100644
--- a/source3/rpc_server/rpc_server.c
+++ b/source3/rpc_server/rpc_server.c
@@ -216,6 +216,7 @@ static void named_pipe_listener(struct tevent_context *ev,
 		}
 		return;
 	}
+	smb_set_close_on_exec(sd);
 
 	DEBUG(6, ("Accepted socket %d\n", sd));
 
@@ -722,6 +723,7 @@ static void dcerpc_ncacn_tcpip_listener(struct tevent_context *ev,
 		}
 		return;
 	}
+	smb_set_close_on_exec(s);
 
 	rc = tsocket_address_bsd_from_sockaddr(state,
 					       (struct sockaddr *)(void *) &addr,
@@ -892,6 +894,7 @@ static void dcerpc_ncalrpc_listener(struct tevent_context *ev,
 		}
 		return;
 	}
+	smb_set_close_on_exec(sd);
 
 	rc = tsocket_address_bsd_from_sockaddr(state,
 					       addr, len,
-- 
2.7.4


From 33385651448cd275ad3d28867314c21eb22da148 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 09:46:07 +1300
Subject: [PATCH 06/11] source3/lib/server_prefork.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept.  This means that
the socket is not available to any child processes.  Making it harder
for exploit code to set up a command channel.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
 source3/lib/server_prefork.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source3/lib/server_prefork.c b/source3/lib/server_prefork.c
index 1d64db2..52c11ad 100644
--- a/source3/lib/server_prefork.c
+++ b/source3/lib/server_prefork.c
@@ -620,6 +620,7 @@ static void prefork_listen_accept_handler(struct tevent_context *ev,
 			  state->error, strerror(state->error)));
 		goto done;
 	}
+	smb_set_close_on_exec(sd);
 
 	state->accept_fd = sd;
 
-- 
2.7.4


From c30e6cff93a22cb43e46841e0e2afe383e64aecc Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 09:51:35 +1300
Subject: [PATCH 07/11] source3/smbd/server.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept.  This means that
the socket is not available to any child processes.  Making it harder
for exploit code to set up a command channel.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
 source3/smbd/server.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index f8c1aa6..79786d6 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -975,6 +975,7 @@ static void smbd_accept_connection(struct tevent_context *ev,
 			 strerror(errno)));
 		return;
 	}
+	smb_set_close_on_exec(fd);
 
 	if (s->parent->interactive) {
 		reinit_after_fork(msg_ctx, ev, true, NULL);
-- 
2.7.4


From 21f20df1b66b38531acf3dd276b01837fc2009e8 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 09:54:34 +1300
Subject: [PATCH 08/11] source3/libsmb/unexpected.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept.  This means that
the socket is not available to any child processes.  Making it harder
for exploit code to set up a command channel.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
 source3/libsmb/unexpected.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source3/libsmb/unexpected.c b/source3/libsmb/unexpected.c
index c645fbc..dd9ff7a 100644
--- a/source3/libsmb/unexpected.c
+++ b/source3/libsmb/unexpected.c
@@ -157,6 +157,7 @@ static void nb_packet_server_listener(struct tevent_context *ev,
 	if (sock == -1) {
 		return;
 	}
+	smb_set_close_on_exec(sock);
 	DEBUG(6,("accepted socket %d\n", sock));
 
 	client = talloc_zero(server, struct nb_packet_client);
-- 
2.7.4


From b1927748b5faef5127d76c9769a7ceb641866063 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 09:57:04 +1300
Subject: [PATCH 09/11] source3/utils/smbfilter.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept.  This means that
the socket is not available to any child processes.  Making it harder
for exploit code to set up a command channel.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
 source3/utils/smbfilter.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source3/utils/smbfilter.c b/source3/utils/smbfilter.c
index 5a00a40..85aca4f 100644
--- a/source3/utils/smbfilter.c
+++ b/source3/utils/smbfilter.c
@@ -308,6 +308,7 @@ static void start_filter(char *desthost)
 		if ((num > 0) && (revents & (POLLIN|POLLHUP|POLLERR))) {
 			c = accept(s, (struct sockaddr *)&ss, &in_addrlen);
 			if (c != -1) {
+				smb_set_close_on_exec(c);
 				if (fork() == 0) {
 					close(s);
 					filter_child(c, &dest_ss);
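Review bot: The flag set on `c` has no effect on the `fork()` on the next line, because close-on-exec acts only at exec; the forked child still inherits `c` and hands it to `filter_child()`, which is presumably intended. A short comment would stop a reader from taking the commit message's "not available to any child processes" literally here, e.g. `/* close-on-exec only: the forked filter child keeps c, a later exec does not */`. Whether the parent closes `c` after the fork is outside this hunk, as is the rest of start_filter.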
-- 
2.7.4


From 5a2bbda1253b54551fe654b233f1e7d0c040042e Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 09:58:59 +1300
Subject: [PATCH 10/11] source3/winbindd/winbindd.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept.  This means that
the socket is not available to any child processes.  Making it harder
for exploit code to set up a command channel.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
 source3/winbindd/winbindd.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index 23e8a5e..fc7c169 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -874,6 +874,7 @@ static void new_connection(int listen_sock, bool privileged)
 		}
 		return;
 	}
+	smb_set_close_on_exec(sock);
 
 	DEBUG(6,("accepted socket %d\n", sock));
 
-- 
2.7.4


From 9e4a91adcb3b0244cdc4ceca57a2c0669d1c3a8e Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 10:03:45 +1300
Subject: [PATCH 11/11] source4/lib/socket/socket_ip.c set socket close on exec

Set SOCKET_CLOEXEC on the sockets returned by accept.  This means that
the socket is not available to any child processes.  Making it harder
for exploit code to set up a command channel.

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
 source4/lib/socket/socket_ip.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/source4/lib/socket/socket_ip.c b/source4/lib/socket/socket_ip.c
index 6ec5252..87b7bf4 100644
--- a/source4/lib/socket/socket_ip.c
+++ b/source4/lib/socket/socket_ip.c
@@ -235,6 +235,8 @@ static NTSTATUS ipv4_accept(struct socket_context *sock, struct socket_context *
 			return map_nt_error_from_unix_common(errno);
 		}
 	}
+	smb_set_close_on_exec(new_fd);
+
 
 	/* TODO: we could add a 'accept_check' hook here
 	 *	 which get the black/white lists via socket_set_accept_filter()
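Review bot: The first hunk adds a second blank line after `smb_set_close_on_exec(new_fd);` in ipv4_accept, leaving two consecutive empty lines before the TODO comment, while the matching ipv6_tcp_accept hunk adds none. Dropping the extra added blank line keeps the two functions identical in layout. Both function bodies start outside their hunks.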
@@ -762,6 +764,7 @@ static NTSTATUS ipv6_tcp_accept(struct socket_context *sock, struct socket_conte
 			return map_nt_error_from_unix_common(errno);
 		}
 	}
+	smb_set_close_on_exec(new_fd);
 
 	/* TODO: we could add a 'accept_check' hook here
 	 *	 which get the black/white lists via socket_set_accept_filter()
-- 
2.7.4
