Return to BSD News archive
Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.mel.connect.com.au!munnari.OZ.AU!news.ecn.uoknor.edu!news.wildstar.net!newsfeed.direct.ca!nntp.portal.ca!news.bc.net!info.ucla.edu!nnrp.info.ucla.edu!psgrain!news.rain.net!pacifier!deraadt From: deraadt@theos.com (Theo de Raadt) Newsgroups: comp.unix.bsd.netbsd.misc,comp.security.unix Subject: Re: OpenBSD hides security fixes (and blindly integrates code) Date: 16 Feb 1997 08:26:23 GMT Organization: Theo Ports Kernels For Fun And Profit Lines: 114 Message-ID: <DERAADT.97Feb16012623@zeus.pacifier.com> References: <none-ya023480001912962244220001@news.infi.net> <DERAADT.97Feb15155022@zeus.pacifier.com> <5e5vkb$d89@panix2.panix.com> <DERAADT.97Feb15212032@zeus.pacifier.com> <5e69v0$1u4@news.bayarea.net> NNTP-Posting-Host: zeus.theos.com In-reply-to: thorpej@baygate.bayarea.net's message of 16 Feb 1997 06:37:20 GMT Xref: euryale.cc.adfa.oz.au comp.unix.bsd.netbsd.misc:5392 comp.security.unix:31781 In article <5e69v0$1u4@news.bayarea.net> thorpej@baygate.bayarea.net (Jason R. Thorpe) writes: While I don't approve of this hack being done, I'll bet you don't. it raises the question of whether OpenBSD can rightfully claim to be secure. Code which fails to boot has little to do with security. Secondly, the OpenBSD project does not exactly go out of their way to make it easy for others to integrate the "security" fixes. One such example is OpenBSD's src/usr.bin/rsh/rsh.c, where an apparent security fix was committed in a revision containing the following log message: ---------------------------- revision 1.5 date: 1996/07/22 10:09:04; author: deraadt; state: Exp; lines: +2 -7 rcsid cleanup ---------------------------- The change, was to drop the effective uid set by exec'ing rsh. (One has to wonder _why_ this was done, given that the code path just does and exec's rlogin, which it setuid-root anyhow...) Care to explain? You mean this change? ---------------------------- revision 1.5 date: 1996/07/22 10:09:04; author: deraadt; state: Exp; lines: +2 -7 rcsid cleanup ---------------------------- Index: rsh.c =================================================================== RCS file: /cvs/src/usr.bin/rsh/rsh.c,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- rsh.c 1996/06/26 05:38:49 1.4 +++ rsh.c 1996/07/22 10:09:04 1.5 @@ -1,4 +1,4 @@ -/* $OpenBSD: rsh.c,v 1.4 1996/06/26 05:38:49 deraadt Exp $ */ +/* $OpenBSD: rsh.c,v 1.5 1996/07/22 10:09:04 deraadt Exp $ */ /*- * Copyright (c) 1983, 1990 The Regents of the University of California. @@ -41,13 +41,8 @@ #ifndef lint /*static char sccsid[] = "from: @(#)rsh.c 5.24 (Berkeley) 7/1/91";*/ -static char rcsid[] = "$OpenBSD: rsh.c,v 1.4 1996/06/26 05:38:49 deraadt Exp $"; +static char rcsid[] = "$OpenBSD: rsh.c,v 1.5 1996/07/22 10:09:04 deraadt Exp $"; #endif /* not lint */ - -/* - * $Source: /cvs/src/usr.bin/rsh/rsh.c,v $ - * $Header: /cvs/src/usr.bin/rsh/rsh.c,v 1.4 1996/06/26 05:38:49 deraadt Exp $ - */ #include <sys/types.h> #include <sys/socket.h> I suspect you instead are referring to: ---------------------------- revision 1.6 date: 1996/07/24 17:31:08; author: deraadt; state: Exp; lines: +3 -2 normal uid before execv ---------------------------- Index: rsh.c =================================================================== RCS file: /cvs/src/usr.bin/rsh/rsh.c,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- rsh.c 1996/07/22 10:09:04 1.5 +++ rsh.c 1996/07/24 17:31:08 1.6 @@ -1,4 +1,4 @@ -/* $OpenBSD: rsh.c,v 1.5 1996/07/22 10:09:04 deraadt Exp $ */ +/* $OpenBSD: rsh.c,v 1.6 1996/07/24 17:31:08 deraadt Exp $ */ /*- * Copyright (c) 1983, 1990 The Regents of the University of California. @@ -41,7 +41,7 @@ #ifndef lint /*static char sccsid[] = "from: @(#)rsh.c 5.24 (Berkeley) 7/1/91";*/ -static char rcsid[] = "$OpenBSD: rsh.c,v 1.5 1996/07/22 10:09:04 deraadt Exp $"; +static char rcsid[] = "$OpenBSD: rsh.c,v 1.6 1996/07/24 17:31:08 deraadt Exp $"; #endif /* not lint */ #include <sys/types.h> @@ -163,6 +163,7 @@ if (!argv[optind]) { if (asrsh) *argv = "rlogin"; + setuid(getuid()); execv(_PATH_RLOGIN, argv); (void)fprintf(stderr, "rsh: can't exec %s.\n", _PATH_RLOGIN); exit(1); Can't you read CVS output? I am not going to explain the patch. -- This space not left unintentionally unblank. deraadt@theos.com www.OpenBSD.org -- We're fixing security problems so you can sleep at night.