Nmap Development mailing list archives

Re: [Patch] Runtime interaction bug with sudo


From: Patrick Donnelly <batrick () batbytes com>
Date: Wed, 14 May 2014 10:26:57 -0400

Hi Jay,

On Tue, May 6, 2014 at 9:37 AM, Jay Bosamiya <jaybosamiya () gmail com> wrote:
> Looking at [1] and the discussion before and after it, it seems like Patrick
> Donnelly and David Fifield have already looked into signals and the
> possibility of installing a signal handler. And according to [2], David says
> that it'd be better not to do anything complicated in a signal handler
> because of subtle security risks. However, I feel that a simple exit() in a
> signal handler for SIGINT would be a very simple way to work things out
> correctly and not add security risks. Correct me if I am wrong.

exit is not an "async-signal-safe" function as defined by [1]. The
main reason for this is because it calls fflush on all open files.

Calling tty_done directly from the signal handler would be okay
though. [Although, technically, changing tty_fd in tty_done is not
correct in a signal handler since its type is not sig_atomic_t.] Then
you could call _exit [2] (which is async-signal-safe).

Any solution to this should preserve the abnormal termination of Nmap.
That is, the default signal handler should be restored and the signal
raised again. The main reason for this is to preserve the generation
of core dumps. You can look at an example solution I wrote for another
program here [3].

[1] http://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html
[2] http://pubs.opengroup.org/onlinepubs/009695399/functions/_exit.html
[3] https://github.com/cooperative-computing-lab/cctools/blob/master/chirp/src/chirp_server.c#L1893

-- 
Patrick Donnelly
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/