|
1 |
| -<p>Signalling processes is security-sensitive. It has led in the past to the following vulnerabilities:</p> |
2 |
| -<ul> |
3 |
| - <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0390">CVE-2009-0390</a> </li> |
4 |
| - <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0839">CVE-2002-0839</a> </li> |
5 |
| - <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1671">CVE-2008-1671</a> </li> |
6 |
| -</ul> |
7 |
| -<p>Sending signals without checking properly which process will receive it can cause a denial of service.</p> |
| 1 | +<p>Signaling processes or process groups can seriously affect the stability of this application or other applications on the same system.</p> |
| 2 | +<p>Accidentally setting an incorrect <code>PID</code> or <code>signal</code> or allowing untrusted sources to assign arbitrary values to these |
| 3 | +parameters may result in a denial of service.</p> |
| 4 | +<p>Also, the system treats the signal differently if the destination <code>PID</code> is less than or equal to 0. This different behavior may affect |
| 5 | +multiple processes with the same (E)UID simultaneously if the call is left uncontrolled.</p> |
8 | 6 | <h2>Ask Yourself Whether</h2>
|
9 | 7 | <ul>
|
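Review bot: The new paragraph on destination PIDs less than or equal to 0 is imprecise: per kill(2), linked in the See section, pid 0 delivers the signal to every process in the caller's process group, pid -1 to every process the caller has permission to signal, and pid < -1 to the process group whose ID is -pid, so the effect is not limited to "processes with the same (E)UID". Suggest stating those cases explicitly, e.g. "If `pid` is 0 or negative, the signal is delivered to a whole process group (or, for -1, to every process the caller may signal)." The three CVE links are also dropped without replacement; if they no longer belong in the description, consider moving them to the See section rather than losing the historical examples.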
10 |
| - <li> the PID of the process to which the signal will be sent is coming from an untrusted source. It could for example come from a world-writable |
11 |
| - file. </li> |
12 |
| - <li> users who are asking for the signal to be sent might not have the permission to send those signals. </li> |
| 8 | + <li> The parameters <code>pid</code> and <code>sig</code> are untrusted (they come from an external source). </li> |
| 9 | + <li> This function is triggered by non-administrators. </li> |
| 10 | + <li> Signal handlers on the target processes stop important functions. </li> |
13 | 11 | </ul>
|
14 | 12 | <p>There is a risk if you answered yes to any of those questions.</p>
|
15 | 13 | <h2>Recommended Secure Coding Practices</h2>
|
16 | 14 | <ul>
|
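Review bot: The third bullet, "Signal handlers on the target processes stop important functions", is hard to parse: a handler does not stop functions, the delivered signal may interrupt or terminate work the target is doing. Suggest "The signal interrupts or terminates essential work in the target process (for example, a handler that shuts it down)." The first bullet also loses the concrete example from the removed text (a PID read from a world-writable file); keeping one such example helps readers recognise the untrusted-source case.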
17 |
| - <li> If the signal is sent because of a user’s request. Check that the user is allowed to send this signal. You can for example forbid it if the |
18 |
| - user doesn’t own the process. </li> |
19 |
| - <li> Secure the source from which the process PID is read. </li> |
20 |
| - <li> Run the process sending the signals with minimal permissions. </li> |
| 15 | + <li> For stateful applications with user management, ensure that only administrators trigger this code. </li> |
| 16 | + <li> Verify that the <code>pid</code> and <code>sig</code> parameters are correct before using them. </li> |
| 17 | + <li> Ensure that the process sending the signals runs with as few OS privileges as possible. </li> |
| 18 | + <li> Isolate the process on the system based on its (E)UID. </li> |
| 19 | + <li> Ensure that the signal does not interrupt any essential functions when intercepted by a target’s signal handlers. </li> |
21 | 20 | </ul>
|
22 | 21 | <h2>Sensitive Code Example</h2>
|
23 | 22 | <pre>
|
24 | 23 | import os
|
25 | 24 |
|
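Review bot: "Verify that the `pid` and `sig` parameters are correct before using them" does not say what correct means, while the removed bullet at least named a concrete check (refuse the signal if the user does not own the process). Suggest spelling it out: compare `pid` against an allow-list of processes the application itself started, and compare `sig` against an allow-list of permitted signals. Likewise "Isolate the process on the system based on its (E)UID" should say what the isolation buys: when sender and targets run under different UIDs, the kernel's permission check in kill(2) refuses the signal (EPERM) even if the check in this code is bypassed.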
26 |
| -def send_signal(pid, sig, pgid): |
27 |
| - os.kill(pid, sig) # Sensitive |
28 |
| - os.killpg(pgid, sig) # Sensitive |
| 25 | +@app.route("/kill-pid/<pid>") |
| 26 | +def send_signal(pid): |
| 27 | + os.kill(pid, 9) # Sensitive |
| 28 | + |
| 29 | +@app.route("/kill-pgid/<pgid>") |
| 30 | +def send_signal(pgid): |
| 31 | + os.killpg(pgid, 9) # Sensitive |
| 32 | +</pre> |
| 33 | +<h2>Compliant Solution</h2> |
| 34 | +<pre> |
| 35 | +import os |
| 36 | + |
| 37 | +@app.route("/kill-pid/<pid>") |
| 38 | +def send_signal(pid): |
| 39 | + # Validate the untrusted PID, |
| 40 | + # With a pre-approved list or authorization checks |
| 41 | + if is_valid_pid(pid): |
| 42 | + os.kill(pid, 9) |
| 43 | + |
| 44 | +@app.route("/kill-pgid/<pgid>") |
| 45 | +def send_signal(pgid): |
| 46 | + # Validate the untrusted PGID, |
| 47 | + # With a pre-approved list or authorization checks |
| 48 | + if is_valid_pgid(pgid): |
| 49 | + os.kill(pgid, 9) |
29 | 50 | </pre>
|
30 | 51 | <h2>See</h2>
|
31 | 52 | <ul>
|
32 | 53 | <li> <a href="https://cwe.mitre.org/data/definitions/283">MITRE, CWE-283</a> - Unverified Ownership </li>
|
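Review bot: The second handler of the Compliant Solution calls `os.kill(pgid, 9)` where it should call `os.killpg(pgid, 9)`; as written it signals the single process whose PID equals the group ID rather than the group, so it is not the safe counterpart of the sensitive `os.killpg` call. Three further problems appear in both examples: the two view functions are both named `send_signal`, so in Python the second definition replaces the first (and Flask rejects a second route registered under the same endpoint name); the route parameter arrives as a string, so `os.kill(pid, 9)` raises `TypeError` unless an `<int:pid>` converter is used; and the literal `<pid>` and `<pgid>` inside the `<pre>` block are unescaped, so an HTML renderer treats them as tags and drops them from the displayed route (they need `&lt;pid&gt;` / `&lt;pgid&gt;`).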
| 54 | + <li> <a href="https://man7.org/linux/man-pages/man1/kill.1.html">kill(1) — Linux manual page</a> </li> |
| 55 | + <li> <a href="https://man7.org/linux/man-pages/man2/kill.2.html">kill(2) — Linux manual page</a> </li> |
33 | 56 | </ul>
|
34 | 57 |
|
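Review bot: Since the examples use `os.killpg`, the See list would benefit from the killpg(3) manual page alongside kill(2), and the Python `os.kill` / `os.killpg` documentation is the more direct reference for a Python rule. This is also the natural place to keep the three CVE links removed from the description above.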