*BSD News Article 89235



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.mel.connect.com.au!munnari.OZ.AU!news.ecn.uoknor.edu!news.wildstar.net!newsfeed.direct.ca!nntp.portal.ca!news.bc.net!info.ucla.edu!nnrp.info.ucla.edu!psgrain!news.rain.net!pacifier!deraadt
From: deraadt@theos.com (Theo de Raadt)
Newsgroups: comp.unix.bsd.netbsd.misc,comp.security.unix
Subject: Re: OpenBSD hides security fixes (and blindly integrates code)
Date: 16 Feb 1997 08:26:23 GMT
Organization: Theo Ports Kernels For Fun And Profit
Lines: 114
Message-ID: <DERAADT.97Feb16012623@zeus.pacifier.com>
References: <none-ya023480001912962244220001@news.infi.net>
	<DERAADT.97Feb15155022@zeus.pacifier.com> <5e5vkb$d89@panix2.panix.com>
	<DERAADT.97Feb15212032@zeus.pacifier.com> <5e69v0$1u4@news.bayarea.net>
NNTP-Posting-Host: zeus.theos.com
In-reply-to: thorpej@baygate.bayarea.net's message of 16 Feb 1997 06:37:20 GMT
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.netbsd.misc:5392 comp.security.unix:31781

In article <5e69v0$1u4@news.bayarea.net> thorpej@baygate.bayarea.net (Jason R. Thorpe) writes:

   While I don't approve of this hack being done,

I'll bet you don't.

   it raises the question
   of whether OpenBSD can rightfully claim to be secure.

Code which fails to boot has little to do with security.

   Secondly, the OpenBSD project does not exactly go out of their way to
   make it easy for others to integrate the "security" fixes.  One such
   example is OpenBSD's src/usr.bin/rsh/rsh.c, where an apparent security
   fix was committed in a revision containing the following log message:

   ----------------------------
   revision 1.5
   date: 1996/07/22 10:09:04;  author: deraadt;  state: Exp;  lines: +2 -7
   rcsid cleanup
   ----------------------------

   The change was to drop the effective uid set by exec'ing rsh.  (One
   has to wonder _why_ this was done, given that the code path just
   does and exec's rlogin, which is setuid-root anyhow...)

   Care to explain?

You mean this change?

----------------------------
revision 1.5
date: 1996/07/22 10:09:04;  author: deraadt;  state: Exp;  lines: +2 -7
rcsid cleanup
----------------------------

Index: rsh.c
===================================================================
RCS file: /cvs/src/usr.bin/rsh/rsh.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- rsh.c	1996/06/26 05:38:49	1.4
+++ rsh.c	1996/07/22 10:09:04	1.5
@@ -1,4 +1,4 @@
-/*	$OpenBSD: rsh.c,v 1.4 1996/06/26 05:38:49 deraadt Exp $	*/
+/*	$OpenBSD: rsh.c,v 1.5 1996/07/22 10:09:04 deraadt Exp $	*/
 
 /*-
  * Copyright (c) 1983, 1990 The Regents of the University of California.
@@ -41,13 +41,8 @@
 
 #ifndef lint
 /*static char sccsid[] = "from: @(#)rsh.c	5.24 (Berkeley) 7/1/91";*/
-static char rcsid[] = "$OpenBSD: rsh.c,v 1.4 1996/06/26 05:38:49 deraadt Exp $";
+static char rcsid[] = "$OpenBSD: rsh.c,v 1.5 1996/07/22 10:09:04 deraadt Exp $";
 #endif /* not lint */
-
-/*
- * $Source: /cvs/src/usr.bin/rsh/rsh.c,v $
- * $Header: /cvs/src/usr.bin/rsh/rsh.c,v 1.4 1996/06/26 05:38:49 deraadt Exp $
- */
 
 #include <sys/types.h>
 #include <sys/socket.h>


I suspect you instead are referring to:

----------------------------
revision 1.6
date: 1996/07/24 17:31:08;  author: deraadt;  state: Exp;  lines: +3 -2
normal uid before execv
----------------------------

Index: rsh.c
===================================================================
RCS file: /cvs/src/usr.bin/rsh/rsh.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- rsh.c	1996/07/22 10:09:04	1.5
+++ rsh.c	1996/07/24 17:31:08	1.6
@@ -1,4 +1,4 @@
-/*	$OpenBSD: rsh.c,v 1.5 1996/07/22 10:09:04 deraadt Exp $	*/
+/*	$OpenBSD: rsh.c,v 1.6 1996/07/24 17:31:08 deraadt Exp $	*/
 
 /*-
  * Copyright (c) 1983, 1990 The Regents of the University of California.
@@ -41,7 +41,7 @@
 
 #ifndef lint
 /*static char sccsid[] = "from: @(#)rsh.c	5.24 (Berkeley) 7/1/91";*/
-static char rcsid[] = "$OpenBSD: rsh.c,v 1.5 1996/07/22 10:09:04 deraadt Exp $";
+static char rcsid[] = "$OpenBSD: rsh.c,v 1.6 1996/07/24 17:31:08 deraadt Exp $";
 #endif /* not lint */
 
 #include <sys/types.h>
@@ -163,6 +163,7 @@
 	if (!argv[optind]) {
 		if (asrsh)
 			*argv = "rlogin";
+		setuid(getuid());
 		execv(_PATH_RLOGIN, argv);
 		(void)fprintf(stderr, "rsh: can't exec %s.\n", _PATH_RLOGIN);
 		exit(1);
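
Review bot: The return value of setuid(getuid()) on the added line before execv(_PATH_RLOGIN, argv) is ignored, so if the call fails the exec still runs with whatever effective uid the process had at that point. Check the result and bail out on failure, for example `if (setuid(getuid()) < 0) { perror("rsh: setuid"); exit(1); }`, and add a one-line comment above the call saying why privileges are dropped here, since the log message "normal uid before execv" does not give the reason.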


Can't you read CVS output?

I am not going to explain the patch.
--
This space not left unintentionally unblank.		deraadt@theos.com
www.OpenBSD.org -- We're fixing security problems so you can sleep at night.