*BSD News Article 94192

Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!news.enteract.com!newsfeed.enteract.com!tqbf
From: tqbf@char-star.rdist.org (Thomas H. Ptacek)
Newsgroups: comp.unix.bsd.bsdi.misc,comp.unix.bsd.misc,comp.security.unix
Subject: Re: *BSD* Security WWW/Mailing List?
Date: 22 Apr 1997 18:09:30 GMT
Organization: EnterAct, L.L.C.
Lines: 64
Message-ID: <slrn5lpvmq.1hm.tqbf@char-star.rdist.org>
References: <3356E1CC.299E@softway.com.au> <335798C2.167EB0E7@freebsd.org>  <DERAADT.97Apr18181055@zeus.pacifier.com>  <slrn5li6bf.rjd.tqbf@char-star.rdist.org> <5jd1jt$m30@web.nmti.com>  <slrn5ll06k.kd3.tqbf@char-star.rdist.org> <5jhur6$51u@innocence.interface-business.de>
Reply-To: tqbf@enteract.com
NNTP-Posting-Host: char-star.rdist.org
X-Newsreader: slrn (0.9.1.1 BETA UNIX)
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:6722 comp.unix.bsd.misc:3062 comp.security.unix:33879


22 Apr 1997 09:02:30 GMT j@ida.interface-business.de:
>You wrote about "operating system" first, and I seem to remember that
>some (early) SVR4 version had an at least as wide security hole in
>that they allowed for LD_LIBRARY_PATH even for set[ug]id binaries.

In 4.4BSD, this would be an ld.so problem, not a crt0 start() problem. 
FreeBSD maps ld.so into memory, duplicating, in effect, an execution of
the program. LD_* variables are unused in the C runtime library in
FreeBSD. Perhaps early SVR4 revisions embed the entire dynamic linker in
start(), in which case I am mistaken in my assertion and I apologize.

I doubt that's the case, though, so I think my assertion (FreeBSD being
the only operating system to have a published hole in crt0 start(), a
claim which is unaffected by your statement regarding SVR4) is correct.

The hole occurred because of a FreeBSD enhancement for localization that
wasn't programmed carefully, and effectively dragged an extremely messy
library into privileged code. There are other examples of FreeBSD
enhancements seriously compromising security (how about the terminal type
in /etc/ttys? I note that no announcement has ever been released about the
effectiveness of securelevels on afflicted systems.)

>Btw., to be fair you should also notice that NetBSD simply didn't pay
>any attention to localization.  

2 points for NetBSD. I don't think anyone who has been compromised because
of localization bugs feels that the system was worth it. Then again, I
don't think many of the people that were broken into know what
localization is. 

>OpenBSD started after FreeBSD 2.1, so
>they could already learn from our mistakes.  

This is simply not the case. The crt0 bug was published after 2.2 was
released. OpenBSD was never vulnerable to the hole; Mr. Assange's
apocalyptic comment about the horrors of BSD locales probably provoked an
audit of that code months before anyone thought to tie it to start().

>There's absolutely no
>reason for you to get malicious about us here.  Unless you are God

I'm not being malicious; I'm being frank. People "affiliated" with FreeBSD
have decided to state that OpenBSD has a negligible security advantage
over FreeBSD - I find this ludicrous and misleading. I use and appreciate
FreeBSD as a stable, fast server operating system. I do not, however, have
any misconceptions that it's suitable for anything sensitive. 

>(who is by definition unfailable), you also occasionally make
>mistakes.  I simply dislike your attitude.

I apologize if my statements about FreeBSD have caused you to decide that
I am claiming to be God. I am certainly not infallible, and I apologize if
I have mistakenly asserted that I am. I do not quite understand your
assessment of my "attitude" - although that's perhaps an issue not best
pursued on comp.security.unix.

Thanks for your input.

-- 
----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
exit(main(kfp->kargc, argv, environ));
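The thread above turns on one design rule: code that runs before main() in a set[ug]id program (the dynamic linker, or crt0 doing locale setup) must not let the untrusted environment steer where it loads code or data from. The following is an added illustration of that rule written for this page; it is not Ptacek's code and not FreeBSD's ld.so or crt0. It scrubs an environment array of LD_* and locale-path variables when the process is privileged. The list of variable names is the editor's choice (LANG, LC_*, NLSPATH and PATH_LOCALE are real variables, but the page does not name which one was involved), the sample environment is constructed, and the privilege test is the portable uid/euid comparison rather than BSD's issetugid(2).

```c
/* Added example: scrub the environment the way a set[ug]id-aware loader
 * must before it honours search-path or locale variables.
 * Illustrative only; not FreeBSD's ld.so/crt0 code. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* True when s begins with prefix. */
static int has_prefix(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* True when the "NAME=value" entry kv has exactly the name given. */
static int name_equals(const char *kv, const char *name) {
    size_t n = strlen(name);
    return strncmp(kv, name, n) == 0 && kv[n] == '=';
}

/* Return 1 if a "NAME=value" entry must not be trusted by privileged code.
 * LD_*: dynamic linker search path and preload (the SVR4 problem quoted above).
 * LANG, LC_*, NLSPATH, PATH_LOCALE: where locale data and message catalogs
 * are read from (editor's list, assumed relevant to the locale issue). */
int is_unsafe_var(const char *kv) {
    return has_prefix(kv, "LD_") || has_prefix(kv, "LC_") ||
           name_equals(kv, "LANG") || name_equals(kv, "NLSPATH") ||
           name_equals(kv, "PATH_LOCALE");
}

/* Compact envp in place. When setugid is non-zero, unsafe entries are
 * dropped; otherwise everything is kept. envp stays NULL-terminated.
 * Returns the number of entries kept. */
size_t scrub_env(char **envp, int setugid) {
    size_t out = 0;
    for (size_t in = 0; envp[in] != NULL; in++) {
        if (setugid && is_unsafe_var(envp[in]))
            continue;
        envp[out++] = envp[in];
    }
    envp[out] = NULL;
    return out;
}

int main(void) {
    /* Constructed sample environment as a parent process might pass it. */
    char *env[] = {
        "PATH=/usr/bin:/bin",
        "LD_LIBRARY_PATH=/tmp/untrusted",
        "LANG=en_US",
        "LC_CTYPE=/tmp/untrusted/locale",
        "HOME=/home/user",
        NULL
    };
    /* Portable privilege check; on BSD issetugid(2) is the proper call
     * because it also covers a parent that already dropped privileges. */
    int setugid = (getuid() != geteuid()) || (getgid() != getegid());
    /* Force the privileged path so the demonstration is deterministic. */
    size_t kept = scrub_env(env, setugid || 1);
    printf("kept %zu entries:\n", kept);
    for (size_t i = 0; env[i] != NULL; i++)
        printf("  %s\n", env[i]);
    return 0;
}
```

The point the example makes is that the decision belongs to the loader, not to the program's own main(): by the time main() runs, a setuid binary has already been linked and its locale initialized under whatever the environment dictated.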