Re: F_SETOWN...

Rene Janssen (rjanssen@ns.oke.nl)
Mon, 23 Nov 1998 09:49:18 +0100


At 03:09 PM 11/22/98 -0500, Ricky Beam wrote:
>I'll assume no one else has seen this...
><URL:http://www.rootshell.com/archive-j457nxiqi3gq59dv/199811/shits.c.html>
>
>Basically, it's a way to "trick" the kernel into sending SIGIO to any
>process.

I checked this, but I couldn't kill any process. Have you?

>fs/fcntl.c:161... (2.1.126)
>        case F_SETOWN:
>                err = 0;
>                filp->f_owner.pid = arg;
>                filp->f_owner.uid = current->uid;
>                filp->f_owner.euid = current->euid;
>                if (S_ISSOCK (filp->f_dentry->d_inode->i_mode))
>                        err = sock_fcntl (filp, F_SETOWN, arg);
>                break;
>
>Does no one else think that's just a little on the brain damaged side? No
>sanity checks what-so-ever in handing a filedesc to an arbitrary process
>number... no permissions check, no pid check, nothing.

They are checked when the signal is supposed to be sent.

>If they are "for sockets", then why isn't there any check to see that the
>filp actually is a socket before screwing with it? In fact, why isn't it
>in net/core/sock.c under sock_fcntl? And then why doesn't it set the uids
>to match arg?

No, they are not just for sockets but for ttys also, so the comments are a
bit misleading, yes.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
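The behaviour the two posters are arguing about, as an added example that is not part of this thread or of the kernel source quoted in it: a C program for a Linux host that (a) sets the owner of a pipe's read end to an arbitrary pid (pid 1 here, chosen only because it always exists) and reads it back, showing that fcntl(F_SETOWN) itself performs no permission check, and (b) runs a full SIGIO round trip on a pipe the calling process owns, so the signal the kernel raises from kill_fasync() can actually be observed. The permission check Rene refers to lives in the kernel's send path (the uid/euid recorded at F_SETOWN time are compared against the target's credentials when the signal is raised, and the signal is silently dropped if they don't match); the first function never enables O_ASYNC, so nothing is ever sent towards pid 1. F_SETSIG is Linux-specific and is used only so that the queued SIGIO carries siginfo with si_fd filled in. Function names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

/* Added example: set the owner of a fresh pipe's read end to an arbitrary pid
 * and read it back with F_GETOWN. fcntl(F_SETOWN) does not check whether the
 * caller is allowed to signal `who`; that check happens later, in the kernel's
 * SIGIO send path. O_ASYNC is never enabled on this pipe, so no signal is ever
 * generated towards `who`. Returns the F_GETOWN value, or -1 on error. */
int setown_arbitrary_pid(pid_t who)
{
    int fds[2];
    int got = -1;

    if (pipe(fds) < 0)
        return -1;
    if (fcntl(fds[0], F_SETOWN, who) == 0)
        got = fcntl(fds[0], F_GETOWN);
    close(fds[0]);
    close(fds[1]);
    return got;
}

/* Added example: full SIGIO round trip on a pipe owned by the calling process.
 * Returns the fd reported in si_fd (the pipe's read end), 0 if no signal
 * arrived within one second, -1 on a setup error. Linux-specific (F_SETSIG). */
int sigio_roundtrip(void)
{
    int fds[2];
    int fl, sig;
    int result = -1;
    sigset_t mask, old;
    siginfo_t si;
    struct timespec timeout = { 1, 0 };

    if (pipe(fds) < 0)
        return -1;

    /* Block SIGIO so it stays queued and can be collected with sigtimedwait()
     * instead of needing an asynchronous handler. */
    sigemptyset(&mask);
    sigaddset(&mask, SIGIO);
    if (sigprocmask(SIG_BLOCK, &mask, &old) < 0)
        goto out_close;

    /* Owner = ourselves: the send-time permission check trivially passes. */
    if (fcntl(fds[0], F_SETOWN, getpid()) < 0)
        goto out;
    /* F_SETSIG with a non-zero signal makes the kernel queue siginfo
     * (si_fd, si_band) rather than a bare SIGIO. */
    if (fcntl(fds[0], F_SETSIG, SIGIO) < 0)
        goto out;
    fl = fcntl(fds[0], F_GETFL);
    if (fl < 0 || fcntl(fds[0], F_SETFL, fl | O_ASYNC) < 0)
        goto out;

    /* Writing makes the read end readable; the pipe's write path calls
     * kill_fasync(), which raises SIGIO towards the owner recorded above. */
    if (write(fds[1], "x", 1) != 1)
        goto out;

    sig = sigtimedwait(&mask, &si, &timeout);
    if (sig == SIGIO)
        result = si.si_fd;
    else if (sig < 0 && errno == EAGAIN)
        result = 0;           /* timed out: no SIGIO was delivered */

out:
    sigprocmask(SIG_SETMASK, &old, NULL);
out_close:
    close(fds[0]);
    close(fds[1]);
    return result;
}

int main(void)
{
    printf("F_SETOWN to pid 1 accepted; F_GETOWN reports %d\n",
           setown_arbitrary_pid(1));
    int fd = sigio_roundtrip();
    printf("SIGIO round trip: si_fd=%d (0 means no signal arrived)\n", fd);
    return fd > 0 ? 0 : 1;
}
```

Run it as an unprivileged user: the first line shows the owner was set to pid 1 without complaint, which is exactly the "no sanity checks" Ricky objects to; the second shows that when the owner is a process the caller may signal, the SIGIO arrives with si_fd naming the descriptor that became ready.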