[PATCH] Set SOCKET_CLOEXEC on sockets returned by accept
Gary Lockyer
gary at catalyst.net.nz
Sun Dec 17 21:06:47 UTC 2017
Have updated the commit message.
Gary
On 15/12/17 20:43, Andrew Bartlett via samba-technical wrote:
> On Fri, 2017-12-15 at 08:16 +0100, Volker Lendecke via samba-technical
> wrote:
>> On Fri, Dec 15, 2017 at 02:32:03PM +1300, Gary Lockyer via samba-technical wrote:
>>> Patches to set SOCKET_CLOEXEC on the sockets returned by accept.
>>> This means that the socket is not available to any child processes,
>>> making it harder for exploit code to set up a command channel.
>>
>> Is the commit message really correct? I thought CLOEXEC only closes on
>> exec, not on fork. Where did you find that such sockets don't extend
>> to child processes, i.e. are closed on fork(2)?
>
> G'Day Volker,
>
> Yeah, that's a good point. A child process created by system() would be
> a better description.
>
> I asked Gary to do this one, the aim was to make simple attacks that
> call system() like this one a little more miserable:
>
> https://gist.github.com/worawit/051e881fc94fe4a49295
>
> Not much, and not enough but perhaps it helps mitigate things some day.
>
> Better practical steps or ideas on what might make Samba less
> exploitable are most welcome!
>
> Thanks,
>
> Andrew Bartlett
>
-------------- next part --------------
From 6c23c2b5f9cd768317f38a20fb7078b5ab8ab739 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 09:17:49 +1300
Subject: [PATCH 01/11] lib/tevent/echo_server.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system(),
making it harder for exploit code to set up a command channel,
for example CVE-2015-0240.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
lib/tevent/echo_server.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/tevent/echo_server.c b/lib/tevent/echo_server.c
index 6e7f181..3b2122d 100644
--- a/lib/tevent/echo_server.c
+++ b/lib/tevent/echo_server.c
@@ -118,6 +118,7 @@ static void accept_handler(struct tevent_context *ev, struct tevent_fd *fde,
tevent_req_error(req, errno);
return;
}
+ smb_set_close_on_exec(state->listen_sock);
state->sock = ret;
tevent_req_done(req);
}
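Review bot: the flag is applied to the wrong descriptor: smb_set_close_on_exec(state->listen_sock) marks the listening socket, while the newly accepted connection is the value in ret that the very next line stores with state->sock = ret. Change it to smb_set_close_on_exec(ret); patch 02/11 makes exactly that correction, so fold it into this commit rather than leaving a broken intermediate state in the series.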
--
2.7.4
From db83b500e18315776364f0dddd345f061c953ace Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 09:31:33 +1300
Subject: [PATCH 02/11] lib/async_req/async_sock.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system(),
making it harder for exploit code to set up a command channel,
for example CVE-2015-0240.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
lib/async_req/async_sock.c | 1 +
lib/tevent/echo_server.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/async_req/async_sock.c b/lib/async_req/async_sock.c
index db3916e..0a8a333 100644
--- a/lib/async_req/async_sock.c
+++ b/lib/async_req/async_sock.c
@@ -738,6 +738,7 @@ static void accept_handler(struct tevent_context *ev, struct tevent_fd *fde,
tevent_req_error(req, errno);
return;
}
+ smb_set_close_on_exec(ret);
state->sock = ret;
tevent_req_done(req);
}
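Review bot: the commit message and series subject talk about SOCKET_CLOEXEC, but nothing of that name is set here; the call is smb_set_close_on_exec(ret), i.e. the FD_CLOEXEC descriptor flag via fcntl(2). Name the flag the code actually sets, and keep the wording agreed in the thread (the socket is closed in a child that execs, e.g. via system(), not in a plain fork() child), since the same text is reused in all eleven commits.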
diff --git a/lib/tevent/echo_server.c b/lib/tevent/echo_server.c
index 3b2122d..f93d8bc 100644
--- a/lib/tevent/echo_server.c
+++ b/lib/tevent/echo_server.c
@@ -118,7 +118,7 @@ static void accept_handler(struct tevent_context *ev, struct tevent_fd *fde,
tevent_req_error(req, errno);
return;
}
- smb_set_close_on_exec(state->listen_sock);
+ smb_set_close_on_exec(ret);
state->sock = ret;
tevent_req_done(req);
}
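Review bot: this hunk only repairs the listen_sock mistake from patch 01/11 in the same series; squash it into that commit so each commit is correct on its own, and lib/tevent/echo_server.c then drops out of a commit whose subject is lib/async_req/async_sock.c.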
--
2.7.4
From 3987e9737ea444d4b72a057c7849b39d866c1d75 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 09:36:08 +1300
Subject: [PATCH 03/11] ctdb/server/ctdb_daemon.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system(),
making it harder for exploit code to set up a command channel,
for example CVE-2015-0240.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
ctdb/server/ctdb_daemon.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ctdb/server/ctdb_daemon.c b/ctdb/server/ctdb_daemon.c
index 459dd29..35c1ab6 100644
--- a/ctdb/server/ctdb_daemon.c
+++ b/ctdb/server/ctdb_daemon.c
@@ -949,6 +949,7 @@ static void ctdb_accept_client(struct tevent_context *ev,
if (fd == -1) {
return;
}
+ smb_set_close_on_exec(fd);
ret = set_blocking(fd, false);
if (ret != 0) {
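Review bot: the flag is set in a separate fcntl() call after accept() returns, so there is a brief window in which the descriptor exists without FD_CLOEXEC; in a single-threaded tevent loop nothing can fork() and exec inside that window, but where accept4(2) with SOCK_CLOEXEC is available the flag can be requested atomically in the accept call itself, with the present helper as the fallback for platforms that lack it. Worth a sentence in the commit message either way.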
--
2.7.4
From f197b2650015d7cea14af3a9bd2c7cde79b6ce81 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 09:37:28 +1300
Subject: [PATCH 04/11] ctdb/tcp/tcp_connect.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system(),
making it harder for exploit code to set up a command channel,
for example CVE-2015-0240.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
ctdb/tcp/tcp_connect.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ctdb/tcp/tcp_connect.c b/ctdb/tcp/tcp_connect.c
index 82f2e74..17aafc4 100644
--- a/ctdb/tcp/tcp_connect.c
+++ b/ctdb/tcp/tcp_connect.c
@@ -249,6 +249,7 @@ static void ctdb_listen_event(struct tevent_context *ev, struct tevent_fd *fde,
len = sizeof(addr);
fd = accept(ctcp->listen_fd, (struct sockaddr *)&addr, &len);
if (fd == -1) return;
+ smb_set_close_on_exec(fd);
nodeid = ctdb_ip_to_nodeid(ctdb, &addr);
--
2.7.4
From 6b8cb283b0038a65984fc20e6e3e0a014043dc5a Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 09:39:43 +1300
Subject: [PATCH 05/11] source3/rpc_server/rpc_server.c set socket close on
exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system(),
making it harder for exploit code to set up a command channel,
for example CVE-2015-0240.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
source3/rpc_server/rpc_server.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
index e15cd20..94335b3 100644
--- a/source3/rpc_server/rpc_server.c
+++ b/source3/rpc_server/rpc_server.c
@@ -216,6 +216,7 @@ static void named_pipe_listener(struct tevent_context *ev,
}
return;
}
+ smb_set_close_on_exec(sd);
DEBUG(6, ("Accepted socket %d\n", sd));
@@ -722,6 +723,7 @@ static void dcerpc_ncacn_tcpip_listener(struct tevent_context *ev,
}
return;
}
+ smb_set_close_on_exec(s);
rc = tsocket_address_bsd_from_sockaddr(state,
(struct sockaddr *)(void *) &addr,
@@ -892,6 +894,7 @@ static void dcerpc_ncalrpc_listener(struct tevent_context *ev,
}
return;
}
+ smb_set_close_on_exec(sd);
rc = tsocket_address_bsd_from_sockaddr(state,
addr, len,
--
2.7.4
From 33385651448cd275ad3d28867314c21eb22da148 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 09:46:07 +1300
Subject: [PATCH 06/11] source3/lib/server_prefork.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system(),
making it harder for exploit code to set up a command channel,
for example CVE-2015-0240.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
source3/lib/server_prefork.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/source3/lib/server_prefork.c b/source3/lib/server_prefork.c
index 1d64db2..52c11ad 100644
--- a/source3/lib/server_prefork.c
+++ b/source3/lib/server_prefork.c
@@ -620,6 +620,7 @@ static void prefork_listen_accept_handler(struct tevent_context *ev,
state->error, strerror(state->error)));
goto done;
}
+ smb_set_close_on_exec(sd);
state->accept_fd = sd;
--
2.7.4
From c30e6cff93a22cb43e46841e0e2afe383e64aecc Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 09:51:35 +1300
Subject: [PATCH 07/11] source3/smbd/server.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system(),
making it harder for exploit code to set up a command channel,
for example CVE-2015-0240.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
source3/smbd/server.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index f8c1aa6..79786d6 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -975,6 +975,7 @@ static void smbd_accept_connection(struct tevent_context *ev,
strerror(errno)));
return;
}
+ smb_set_close_on_exec(fd);
if (s->parent->interactive) {
reinit_after_fork(msg_ctx, ev, true, NULL);
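Review bot: worth stating in the commit message how this interacts with smbd's own per-connection fork: FD_CLOEXEC survives fork(), so the child that services the connection keeps fd, and only an exec from that child, such as system(), loses it. Please also confirm that no legitimate exec path reached from a connection child relies on inheriting the client socket.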
--
2.7.4
From 21f20df1b66b38531acf3dd276b01837fc2009e8 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 09:54:34 +1300
Subject: [PATCH 08/11] source3/libsmb/unexpected.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system(),
making it harder for exploit code to set up a command channel,
for example CVE-2015-0240.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
source3/libsmb/unexpected.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/source3/libsmb/unexpected.c b/source3/libsmb/unexpected.c
index c645fbc..dd9ff7a 100644
--- a/source3/libsmb/unexpected.c
+++ b/source3/libsmb/unexpected.c
@@ -157,6 +157,7 @@ static void nb_packet_server_listener(struct tevent_context *ev,
if (sock == -1) {
return;
}
+ smb_set_close_on_exec(sock);
DEBUG(6,("accepted socket %d\n", sock));
client = talloc_zero(server, struct nb_packet_client);
--
2.7.4
From b1927748b5faef5127d76c9769a7ceb641866063 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 09:57:04 +1300
Subject: [PATCH 09/11] source3/utils/smbfilter.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system(),
making it harder for exploit code to set up a command channel,
for example CVE-2015-0240.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
source3/utils/smbfilter.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/source3/utils/smbfilter.c b/source3/utils/smbfilter.c
index 5a00a40..85aca4f 100644
--- a/source3/utils/smbfilter.c
+++ b/source3/utils/smbfilter.c
@@ -308,6 +308,7 @@ static void start_filter(char *desthost)
if ((num > 0) && (revents & (POLLIN|POLLHUP|POLLERR))) {
c = accept(s, (struct sockaddr *)&ss, &in_addrlen);
if (c != -1) {
+ smb_set_close_on_exec(c);
if (fork() == 0) {
close(s);
filter_child(c, &dest_ss);
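Review bot: the order here (flag set before fork(), then filter_child(c, &dest_ss) in the child) is correct precisely because FD_CLOEXEC survives fork() and only acts on exec; a one-line comment to that effect would stop the next reader from asking whether the child loses c. The explicit close(s) in the child is unaffected, since the listening socket s is not flagged here.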
--
2.7.4
From 5a2bbda1253b54551fe654b233f1e7d0c040042e Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 09:58:59 +1300
Subject: [PATCH 10/11] source3/winbindd/winbindd.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system(),
making it harder for exploit code to set up a command channel,
for example CVE-2015-0240.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
source3/winbindd/winbindd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index 23e8a5e..fc7c169 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -874,6 +874,7 @@ static void new_connection(int listen_sock, bool privileged)
}
return;
}
+ smb_set_close_on_exec(sock);
DEBUG(6,("accepted socket %d\n", sock));
--
2.7.4
From 9e4a91adcb3b0244cdc4ceca57a2c0669d1c3a8e Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon, 11 Dec 2017 10:03:45 +1300
Subject: [PATCH 11/11] source4/lib/socket/socket_ip.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system(),
making it harder for exploit code to set up a command channel,
for example CVE-2015-0240.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
source4/lib/socket/socket_ip.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/source4/lib/socket/socket_ip.c b/source4/lib/socket/socket_ip.c
index 6ec5252..87b7bf4 100644
--- a/source4/lib/socket/socket_ip.c
+++ b/source4/lib/socket/socket_ip.c
@@ -235,6 +235,8 @@ static NTSTATUS ipv4_accept(struct socket_context *sock, struct socket_context *
return map_nt_error_from_unix_common(errno);
}
}
+ smb_set_close_on_exec(new_fd);
+
/* TODO: we could add a 'accept_check' hook here
* which get the black/white lists via socket_set_accept_filter()
@@ -762,6 +764,7 @@ static NTSTATUS ipv6_tcp_accept(struct socket_context *sock, struct socket_conte
return map_nt_error_from_unix_common(errno);
}
}
+ smb_set_close_on_exec(new_fd);
/* TODO: we could add a 'accept_check' hook here
* which get the black/white lists via socket_set_accept_filter()
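Review bot: style: the ipv4_accept hunk above leaves a blank line after smb_set_close_on_exec(new_fd), while this ipv6_tcp_accept hunk does not; make the two accept paths textually parallel.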
--
2.7.4
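Volker's point in the quoted thread (FD_CLOEXEC acts on exec, not on fork) can be checked directly. The following is an added example, not part of the thread or of Samba: it re-implements the flag-setting helper with fcntl(2) and uses /bin/sh as a stand-in for what system() execs.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Illustrative stand-in for Samba's smb_set_close_on_exec(): OR the
 * FD_CLOEXEC flag into the descriptor flags. Not Samba code. */
static int set_close_on_exec(int fd)
{
	int flags = fcntl(fd, F_GETFD, 0);
	return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/*
 * Create a socket pair, optionally flag one end FD_CLOEXEC, then ask a
 * child whether it can still see that descriptor:
 *   do_exec == 0: after fork() alone
 *   do_exec == 1: after fork() + exec of /bin/sh, which is what system() does
 * Returns 1 if the child saw the descriptor open, 0 if closed, -1 on error.
 */
int fd_survives(int cloexec, int do_exec)
{
	int sv[2], status;
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
	if (cloexec && set_close_on_exec(sv[0]) < 0) return -1;

	pid_t pid = fork();
	if (pid < 0) return -1;
	if (pid == 0) {
		if (!do_exec) {
			/* fork() duplicates the descriptor table, flags included,
			 * so the socket is still here whatever FD_CLOEXEC says. */
			_exit(fcntl(sv[0], F_GETFD, 0) >= 0 ? 0 : 1);
		}
		/* ': <&N' succeeds only while descriptor N is still open. */
		char cmd[64];
		snprintf(cmd, sizeof cmd, "exec 2>/dev/null; : <&%d", sv[0]);
		execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
		_exit(127);
	}
	int rc = waitpid(pid, &status, 0);
	close(sv[0]);
	close(sv[1]);
	if (rc < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 127) return -1;
	return WEXITSTATUS(status) == 0 ? 1 : 0;
}
```

Only the flagged-and-exec'd case returns 0: an unflagged socket is inherited straight through the exec, and a flagged one still reaches a plain fork() child, which is why the commit message now says system() rather than "child processes".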