Concerning possible bugs in the 'inn' package

Russ Allbery rra at stanford.edu
Fri Sep 2 22:22:04 UTC 2005


David Wagner <daw at cs.berkeley.edu> writes:

>> This problem only has security implications if one of the first three
>> file descriptors is closed, yes?  Isn't there a way to determine
>> whether a file descriptor is open or closed?  If so, we can just burn
>> file descriptors in the unusual case.

> Something like
>   close(0); close(1); close(2);
>   fd0 = open("/dev/null", O_RDONLY);
>   fd1 = open("/dev/null", O_RDONLY);
>   fd2 = open("/dev/null", O_WRONLY);
>   (if any of the closes or opens failed, die)
> ought to have the same effect.  In the normal case where the program is
> started with all fds 0,1,2 all opened, then this burns 0 fds.  In the case
> where you are under attack, who cares how many fds you burn?

> Am I missing something?

Well, rnews actually *wants* to use stdin, stdout, and stderr, if they're
available.  I'm starting to get talked into the idea that just always
burning three file descriptors is the best thing that can be done.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the inn-bugs mailing list