From ffead1cbcaa1db5db525403043e27d618af8752b Mon Sep 17 00:00:00 2001 From: Sergey Bugaev Date: Sat, 29 May 2021 17:56:38 +0300 Subject: libshouldbeinlibc: Do not reauthenticate proc port when secure exec_reauth () is supposed to reauthenticate the given ports and file descriptors with a new authentication. If the secure flag is set, this reauthentication is happening for a future exec with the EXEC_SECURE flag. Now that the exec server uses proc_reauthenticate_reassign (), the process reauthentication is done atomically with task reassignment by the exec server. So stop doing it inside exec_reauth (). This fixes a vulnerability where a process was able to use its reauthenticated proc port before it got exec'ed over.
---
libfshelp/exec-reauth.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'libfshelp/exec-reauth.c')
diff --git a/libfshelp/exec-reauth.c b/libfshelp/exec-reauth.c
index d9a82974..9b6087c7 100644
--- a/libfshelp/exec-reauth.c
+++ b/libfshelp/exec-reauth.c
@@ -33,12 +33,13 @@ exec_reauth (auth_t auth, int secure, int must_reauth,
 /* If SUID or SGID is true, adds UID and/or GID respectively to the
 authentication in PORTS[INIT_PORT_AUTH], and replaces it with the result.
- All the other ports in PORTS and FDS are then reauthenticated, using any
- privileges available through AUTH. If GET_FILE_IDS is non-NULL, and the
- auth port in PORTS[INIT_PORT_AUTH] is bogus, it is called to get a list of
- uids and gids from the file to use as a replacement. If SECURE is
- non-NULL, whether not the added ids are new is returned in it. If either
- the uid or gid case fails, then the other may still be applied. */
+ All the other ports in PORTS and FDS (except for PORTS[INIT_PORT_EXEC], if
+ SECURE ends up being true) are then reauthenticated, using any privileges
+ available through AUTH. If GET_FILE_IDS is non-NULL, and the auth port in
+ PORTS[INIT_PORT_AUTH] is bogus, it is called to get a list of uids and gids
+ from the file to use as a replacement. If SECURE is non-NULL, whether not
+ the added ids are new is returned in it. If either the uid or gid case
+ fails, then the other may still be applied. */
 error_t
 fshelp_exec_reauth (int suid, uid_t uid, int sgid, gid_t gid, auth_t auth,
-- cgit v1.2.3
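Review bot: The added comment names `PORTS[INIT_PORT_EXEC]` as the slot that is skipped, while the subject and description say it is the proc port that is no longer reauthenticated by exec_reauth (); if the proc port is the intent, the comment should read `(except for PORTS[INIT_PORT_PROC], if SECURE ends up being true)`, because a reader auditing which port keeps its pre-exec authentication will otherwise look at the wrong slot. The diffstat for this file covers only these comment lines, so the behavioural change the description promises is not visible in this view; presumably it lives in another file of the same commit (the view is limited to this path), but that is worth confirming before the comment is taken as describing this file's code. Since the exception is security-relevant — a port deliberately left for the exec server to reauthenticate — the comment would be more useful with the reason attached, e.g. `the exec server reauthenticates it atomically with task reassignment via proc_reauthenticate_reassign ()`. The rewrite also carries over the pre-existing typo `whether not the added ids are new`, which should be `whether or not the added ids are new`. fshelp_exec_reauth's parameter list continues outside the hunk.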