changeset 12651:a33209c74758

6952217 pfexec doesn't work with native commands
author <gerald.jelinek@sun.com>
date Fri, 18 Jun 2010 14:37:08 -0600
parents 160f1ef36195
children 64c37fd33275
files usr/src/lib/brand/shared/zone/common.ksh usr/src/lib/brand/solaris10/cmd/Makefile usr/src/lib/brand/solaris10/cmd/s10_automount.sh usr/src/lib/brand/solaris10/cmd/s10_automountd.sh usr/src/lib/brand/solaris10/cmd/s10_isaexec_wrapper.sh usr/src/lib/brand/solaris10/zone/s10_boot.ksh usr/src/pkg/manifests/system-zones-brand-s10.mf usr/src/uts/common/exec/elf/elf.c
diffstat 8 files changed, 51 insertions(+), 102 deletions(-) [+]
--- a/usr/src/lib/brand/shared/zone/common.ksh	Fri Jun 18 13:01:44 2010 -0700
+++ b/usr/src/lib/brand/shared/zone/common.ksh	Fri Jun 18 14:37:08 2010 -0600
@@ -186,7 +186,7 @@
 	fi
 
 	cat <<-END >$filename || exit 1
-	#!/bin/sh
+	#!/bin/sh -p
 	#
 	# Solaris Brand Replacement
 	#
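Review bot: The heredoc body that follows the new `#!/bin/sh -p` runs outside this hunk, so it is not visible whether the generated replacement script scrubs the runtime-linker environment (LD_AUDIT, LD_CONFIG, LD_FLAGS, LD_LOADFLTR, LD_ORIGIN, LD_SIGNAL, LD_PRELOAD, LD_LIBRARY_PATH and their _32/_64 forms) before exec'ing the native binary, the way s10_isaexec_wrapper.sh in this same changeset does. Presumably `-p` keeps the shell's effective uid when the wrapper is started under pfexec, and the elf.c hunk clears AF_SUN_SETUGID for exactly that case, so the native ld.so.1 will then honor whatever LD_* the invoking user exported; every script this template generates therefore needs the same unset list (or a shared function) as the hand-written wrapper. If the template already contains it, a one-line comment next to the shebang, `# -p: keep euid under pfexec; safe only because the LD_* scrub below runs first`, would record the dependency for the next editor.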
--- a/usr/src/lib/brand/solaris10/cmd/Makefile	Fri Jun 18 13:01:44 2010 -0700
+++ b/usr/src/lib/brand/solaris10/cmd/Makefile	Fri Jun 18 14:37:08 2010 -0600
@@ -22,8 +22,7 @@
 # Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
 #
 
-PROGS =		s10_native s10_isaexec_wrapper s10_python_wrapper \
-		s10_automount s10_automountd
+PROGS =		s10_native s10_isaexec_wrapper s10_python_wrapper
 
 include $(SRC)/cmd/Makefile.cmd
 include ../Makefile.s10
--- a/usr/src/lib/brand/solaris10/cmd/s10_automount.sh	Fri Jun 18 13:01:44 2010 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,42 +0,0 @@
-#!/bin/sh
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License (the "License").
-# You may not use this file except in compliance with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
-# Use is subject to license terms.
-#
-
-#
-# All native executables must be run using the native linker.
-# By default, the kernel loads the linker at /lib/ld.so.1, which
-# in an s10 zone is the s10 linker.  Hence when we run the native
-# executable below, we explicitly specify /.SUNWnative/lib/ld.so.1 as our
-# linker.  For convience we define "n" to be the native path prefix.
-#
-n=/.SUNWnative
-LD_NOCONFIG=1
-LD_LIBRARY_PATH_32=$n/lib:$n/usr/lib:$n/usr/lib/mps
-LD_LIBRARY_PATH_64=$n/lib/64:$n/usr/lib/64:$n/usr/lib/mps/64
-LD_PRELOAD_32=s10_npreload.so.1
-LD_PRELOAD_64=s10_npreload.so.1
-export LD_NOCONFIG
-export LD_LIBRARY_PATH_32 LD_LIBRARY_PATH_64 LD_PRELOAD_32 LD_PRELOAD_64
-exec /.SUNWnative/usr/lib/brand/solaris10/s10_native \
-	/.SUNWnative/lib/ld.so.1 /.SUNWnative/usr/lib/fs/autofs/automount "$@"
--- a/usr/src/lib/brand/solaris10/cmd/s10_automountd.sh	Fri Jun 18 13:01:44 2010 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,42 +0,0 @@
-#!/bin/sh
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License (the "License").
-# You may not use this file except in compliance with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
-# Use is subject to license terms.
-#
-
-#
-# All native executables must be run using the native linker.
-# By default, the kernel loads the linker at /lib/ld.so.1, which
-# in an s10 zone is the s10 linker.  Hence when we run the native
-# executable below, we explicitly specify /.SUNWnative/lib/ld.so.1 as our
-# linker.  For convience we define "n" to be the native path prefix.
-#
-n=/.SUNWnative
-LD_NOCONFIG=1
-LD_LIBRARY_PATH_32=$n/lib:$n/usr/lib:$n/usr/lib/mps
-LD_LIBRARY_PATH_64=$n/lib/64:$n/usr/lib/64:$n/usr/lib/mps/64
-LD_PRELOAD_32=s10_npreload.so.1
-LD_PRELOAD_64=s10_npreload.so.1
-export LD_NOCONFIG
-export LD_LIBRARY_PATH_32 LD_LIBRARY_PATH_64 LD_PRELOAD_32 LD_PRELOAD_64
-exec /.SUNWnative/usr/lib/brand/solaris10/s10_native \
-	/.SUNWnative/lib/ld.so.1 /.SUNWnative/usr/lib/autofs/automountd "$@"
--- a/usr/src/lib/brand/solaris10/cmd/s10_isaexec_wrapper.sh	Fri Jun 18 13:01:44 2010 -0700
+++ b/usr/src/lib/brand/solaris10/cmd/s10_isaexec_wrapper.sh	Fri Jun 18 14:37:08 2010 -0600
@@ -19,8 +19,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
-# Use is subject to license terms.
+# Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
 #
 
 #
@@ -34,6 +33,12 @@
 # executable below, we explicitly specify /.SUNWnative/lib/ld.so.1 as our 32-
 # bit linker and /.SUNWnative/lib/64/ld.so.1 as our 64-bit linker.
 # For convience we define "n" to be the native path prefix.
+# The initial s10_native argument is used as a way to tell the brand
+# emulation that it needs to set up the process to run as an unbranded
+# process.
+#
+# If this script gets setup with a mode that makes it suid, then things won't
+# work because the script will be running with the incorrect name.
 #
 bname=`/usr/bin/basename $0`
 dname=`/usr/bin/dirname $0`
@@ -44,6 +49,27 @@
     >/dev/null && arch64=/64/
 n=/.SUNWnative
 
+unset LD_AUDIT
+unset LD_AUDIT_32
+unset LD_AUDIT_64
+unset LD_CONFIG
+unset LD_CONFIG_32
+unset LD_CONFIG_64
+unset LD_FLAGS
+unset LD_FLAGS_32
+unset LD_FLAGS_64
+unset LD_LOADFLTR
+unset LD_LOADFLTR_32
+unset LD_LOADFLTR_64
+unset LD_ORIGIN
+unset LD_ORIGIN_32
+unset LD_ORIGIN_64
+unset LD_SIGNAL
+unset LD_SIGNAL_32
+unset LD_SIGNAL_64
+unset LD_PRELOAD
+unset LD_LIBRARY_PATH
+
 LD_NOCONFIG=1
 LD_LIBRARY_PATH_32=$n/lib:$n/usr/lib:$n/usr/lib/mps
 LD_LIBRARY_PATH_64=$n/lib/64:$n/usr/lib/64:$n/usr/lib/mps/64
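Review bot: The unset list added here is hand-maintained and has to match the set of variables ld.so.1 would itself ignore in a set-id process, because after the elf.c change in this changeset the native linker honors the environment instead of ignoring it; as far as I can tell LD_PROFILE, LD_PROFILE_OUTPUT and LD_DEBUG_OUTPUT, which direct the linker to write files, are not on it. Since every LD_* value the wrapper needs is assigned fresh after this block (`LD_NOCONFIG`, `LD_LIBRARY_PATH_32`/`_64`, and the preload variables exported further down), clearing every LD_-prefixed variable is simpler and stays correct as new linker variables appear: iterate over the names `env | sed -n 's/^\(LD_[^=]*\)=.*/\1/p'` prints and `unset` each one, in place of the twenty fixed lines. Either way a comment above the block, `# Drop any linker controls the caller exported; the native ld.so.1 will trust the environment here`, would explain why the list exists at all.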
@@ -53,4 +79,3 @@
 export LD_LIBRARY_PATH_32 LD_LIBRARY_PATH_64 LD_PRELOAD_32 LD_PRELOAD_64
 exec /.SUNWnative/usr/lib/brand/solaris10/s10_native \
     /.SUNWnative/lib${arch64}ld.so.1 /.SUNWnative$dname/$bname "$@"
-
--- a/usr/src/lib/brand/solaris10/zone/s10_boot.ksh	Fri Jun 18 13:01:44 2010 -0700
+++ b/usr/src/lib/brand/solaris10/zone/s10_boot.ksh	Fri Jun 18 14:37:08 2010 -0600
@@ -135,7 +135,9 @@
 #
 safe_dir /usr
 safe_dir /usr/lib
+safe_dir /usr/lib/autofs
 safe_dir /usr/lib/fs
+safe_dir /usr/lib/fs/autofs
 safe_dir /usr/lib/fs/ufs
 safe_dir /usr/lib/fs/zfs
 safe_dir /usr/lib/zfs
@@ -182,14 +184,8 @@
 #
 # Replace automount and automountd with native wrappers.
 #
-if [ ! -h $ZONEROOT/usr/lib/fs/autofs -a -d $ZONEROOT/usr/lib/fs/autofs ]; then
-	safe_replace $ZONEROOT/usr/lib/fs/autofs/automount \
-	    $BRANDDIR/s10_automount 0555 root:bin remove
-fi
-if [ ! -h $ZONEROOT/usr/lib/autofs -a -d $ZONEROOT/usr/lib/autofs ]; then
-	safe_replace $ZONEROOT/usr/lib/autofs/automountd \
-	    $BRANDDIR/s10_automountd 0555 root:bin remove
-fi
+replace_with_native /usr/lib/fs/autofs/automount 0555 root:bin
+replace_with_native /usr/lib/autofs/automountd 0555 root:bin
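Review bot: The not-a-symlink-and-is-a-directory guards that the removed lines placed around each safe_replace now rest on the `safe_dir /usr/lib/autofs` and `safe_dir /usr/lib/fs/autofs` calls added in the earlier hunk and on whatever checks replace_with_native performs itself; neither is visible from these lines, and replace_with_native is defined outside this file. A short comment above the two calls, `# parent dirs were validated by safe_dir above; keep these after those checks`, would keep the ordering dependency from being lost in a later edit. It is also worth confirming that replace_with_native refuses a missing or symlinked target rather than creating one, since the old code skipped the replacement in that case.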
 
 #
 # The class-specific dispadmin(1M) and priocntl(1) binaries must be native
--- a/usr/src/pkg/manifests/system-zones-brand-s10.mf	Fri Jun 18 13:01:44 2010 -0700
+++ b/usr/src/pkg/manifests/system-zones-brand-s10.mf	Fri Jun 18 14:37:08 2010 -0600
@@ -79,8 +79,6 @@
 file path=usr/lib/brand/solaris10/poststate mode=0755
 file path=usr/lib/brand/solaris10/prestate mode=0755
 file path=usr/lib/brand/solaris10/preuninstall mode=0755
-file path=usr/lib/brand/solaris10/s10_automount mode=0755
-file path=usr/lib/brand/solaris10/s10_automountd mode=0755
 file path=usr/lib/brand/solaris10/s10_boot mode=0755
 file path=usr/lib/brand/solaris10/s10_isaexec_wrapper mode=0755
 file path=usr/lib/brand/solaris10/s10_native mode=0755
--- a/usr/src/uts/common/exec/elf/elf.c	Fri Jun 18 13:01:44 2010 -0700
+++ b/usr/src/uts/common/exec/elf/elf.c	Fri Jun 18 14:37:08 2010 -0600
@@ -20,8 +20,7 @@
  */
 
 /*
- * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 1989, 2010, Oracle and/or its affiliates. All rights reserved.
  */
 
 /*	Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T	*/
@@ -729,6 +728,22 @@
 		 */
 		if ((setid &= ~EXECSETID_SETID) != 0)
 			auxf |= AF_SUN_SETUGID;
+
+		/*
+		 * If we're running a native process from within a branded
+		 * zone under pfexec then we clear the AF_SUN_SETUGID flag so
+		 * that the native ld.so.1 is able to link with the native
+		 * libraries instead of using the brand libraries that are
+		 * installed in the zone.  We only do this for processes
+		 * which we trust because we see they are already running
+		 * under pfexec (where uid != euid).  This prevents a
+		 * malicious user within the zone from crafting a wrapper to
+		 * run native suid commands with unsecure libraries interposed.
+		 */
+		if ((brand_action == EBA_NATIVE) && (PROC_IS_BRANDED(p) &&
+		    (setid &= ~EXECSETID_SETID) != 0))
+			auxf &= ~AF_SUN_SETUGID;
+
 		/*
 		 * Record the user addr of the auxflags aux vector entry
 		 * since brands may optionally want to manipulate this field.
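Review bot: The second `(setid &= ~EXECSETID_SETID) != 0` in the new condition is a no-op re-mask of a value already masked two statements earlier, and burying an assignment inside the condition makes the branch harder to read than it needs to be; `if (brand_action == EBA_NATIVE && PROC_IS_BRANDED(p) && setid != 0)` says the same thing. Separately, the comment justifies clearing AF_SUN_SETUGID on the basis that a non-zero masked setid proves the caller was already running under pfexec, but the remaining bits (EXECSETID_UGIDS / EXECSETID_PRIVS) appear to describe the credentials the exec results in, so an exec of a set-id native file by an ordinary user may satisfy them too; worth confirming against where gexec() sets EXECSETID_UGIDS. If that is the case, the branch should additionally require that the file itself was not set-id, which means saving `setid & EXECSETID_SETID` into a local before the earlier mask and testing it here. The enclosing function continues outside the hunk.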