Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!philabs!cmcl2!rocky2!rna!n44a!wjh12!genrad!decvax!harpo!ulysses!mhuxl!ihnp4!oddjob!matt
From: matt@oddjob.UUCP
Newsgroups: net.bugs.4bsd,net.unix-wizards
Subject: Re: bug in signals and setuid in 4.2 bsd.
Message-ID: <138@oddjob.UUCP>
Date: Sun, 29-Apr-84 19:06:08 EDT
Article-I.D.: oddjob.138
Posted: Sun Apr 29 19:06:08 1984
Date-Received: Wed, 9-May-84 06:02:50 EDT
References: <274@nmtvax.UUCP>
Lines: 70

While checking out nmtvax!fred's report, I found another...

Subject: sending SIGCONT to child proc not *always* allowed
Index: sys/kern_sig.c 4.2BSD

Description:
	The manual for kill(2) states "...the signal SIGCONT ... may always
	be sent to any child or grandchild of the current process.", but
	this is true only if the signal is sent to the entire process group
	via kill(0, SIGCONT) or killpg().

Repeat-By:
	Compile the following programs and make "child" suid to some other
	user than "parent", then run parent (not as root).

------------parent.c-----------
#include <stdio.h>
#include <signal.h>
#include <unistd.h>

int
main(void)
{
	int pid;
	char *argv[] = { "child", 0 };	/* execv() needs a real argv, not 0 */

	if ((pid = fork()) == -1) {
		perror("fork");
		return 1;
	}
	if (pid) {
		sleep(5);			/* give the child time to stop itself */
		if (kill(pid, SIGCONT))		/* EPERM here is the bug */
			perror("CONT");
		fprintf(stderr, "Parent exiting.\n");
	} else {
		execv("child", argv);		/* "child" is set-uid to another user */
		fprintf(stderr, "Can't exec.\n");
		return 1;
	}
	return 0;
}
------------child.c-----------
#include <stdio.h>
#include <signal.h>
#include <unistd.h>

int
main(void)
{
	fprintf(stderr, "Child started.\n");
	kill(getpid(), SIGSTOP);	/* stop; the parent should be able to SIGCONT us */
	fprintf(stderr, "Continued OK.\n");
	return 0;
}
-------------------------------

Fix:
	This could be intended to allow suid processes to protect themselves
	from SIGCONT by using setpgrp(0, getpid()), but I don't see why...
	If this is not a "feature" then the following >>untested<< change to
	kill1() in sys/kern_sig.c should fix it.
Change:
----------------------
	if (who > 0 && !ispgrp) {
		p = pfind(who);
		if (p == 0)
			return (ESRCH);
*		if (u.u_uid && u.u_uid != p->p_uid)
			return (EPERM);
----------------------
to:
**********************
	if (who > 0 && !ispgrp) {
		p = pfind(who);
		if (p == 0)
			return (ESRCH);
*		if (u.u_uid && u.u_uid != p->p_uid &&
*		    (signo != SIGCONT || !inferior(p)))
			return (EPERM);
*********************************
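As an added illustration (neither the kernel's code nor the poster's), a user-space model of the kill1() ownership test before and after the change above, run over a constructed process table; the pids, uids and tree layout are made up, and pfind()/inferior() only mimic the kernel routines of the same name:

```c
#include <stddef.h>
#include <signal.h>

/* Process table stand-in for the kernel's proc structs (constructed data). */
struct proc {
    int pid, uid;
    struct proc *pptr;      /* parent, like p_pptr; NULL for init */
};

/* init(1, uid 0) -> parent(10, uid 100) -> child(11, uid 200, set-uid)
 * -> grandchild(12, uid 200); other(20, uid 200) is unrelated, under init. */
static struct proc table[5] = {
    {  1,   0, NULL      },
    { 10, 100, &table[0] },
    { 11, 200, &table[1] },
    { 12, 200, &table[2] },
    { 20, 200, &table[0] },
};

static struct proc *pfind(int pid)              /* like the kernel's pfind() */
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].pid == pid)
            return &table[i];
    return NULL;
}

/* Like the kernel's inferior(): is p the caller or one of its descendants? */
static int inferior(const struct proc *p, const struct proc *cur)
{
    for (; p != NULL; p = p->pptr)
        if (p == cur)
            return 1;
    return 0;
}

/* Returns 1 if kill(pid, signo) issued by curpid passes the ownership test,
 * 0 if the kernel would return EPERM (or ESRCH for an unknown pid).
 * fixed == 0 is the original 4.2BSD test, fixed == 1 the proposed one. */
int kill_permitted(int curpid, int pid, int signo, int fixed)
{
    const struct proc *cur = pfind(curpid), *p = pfind(pid);
    if (cur == NULL || p == NULL)
        return 0;
    if (cur->uid == 0 || cur->uid == p->uid)   /* u.u_uid == 0 || same uid */
        return 1;
    /* the added clause: SIGCONT to a child or grandchild is allowed */
    return fixed && signo == SIGCONT && inferior(p, cur);
}
```

With the original test, parent (uid 100) gets EPERM sending SIGCONT to its set-uid child; with the change, SIGCONT reaches children and grandchildren only, and every other signal is still refused.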