Subject: Re: Bugtraq: procfs hole
To: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
From: Michael Graff <explorer@flame.org>
List: tech-security
Date: 08/12/1997 07:21:19
Mason Loring Bliss <mason@acheron.middleboro.ma.us> writes:

> Maybe I'm missing something, and I apologize to the list if I'm spewing
> forth irrelevancies and wasting bandwidth, but it seems that /proc/*/mem on
> my system is always mode 0600. I don't think it's possible to run a copy of
> the file if you can't read or execute it...

I think the bug is that, when you fork(), you _can_ open the /proc/*/mem
file.  When the child calls exec(), the memory space is replaced with
the setuid file (in the example posted here, su) but you already have
/dev/*/mem open for that process.  The process ID doesn't change when
the child calls exec.

Now, you have a read/write fd open to a setuid process's program space.
This is bad.

Can someone forward the FreeBSD fix for this?  I'll look at it and see if
I feel comfortable committing it.  If I don't, I'd still like to have
the patch asap :)

--Michael