*BSD News Article 94430



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!newsfeed.internetmci.com!uuneo.neosoft.com!web.nmti.com!peter
From: peter@nmti.com (Peter da Silva)
Newsgroups: comp.unix.bsd.bsdi.misc,comp.unix.bsd.misc,comp.security.unix
Subject: *BSD* Security WWW/Mailing List?
Supersedes: <5jqtis$mmm@web.nmti.com>
Date: 25 Apr 1997 18:37:05 GMT
Organization: Network/development platform support, NMTI
Lines: 39
Message-ID: <5jqtkh$mmo@web.nmti.com>
References: <3356E1CC.299E@softway.com.au> <slrn5ltb2l.br4.tqbf@char-star.rdist.org> <5jo5m4$f9v@web.nmti.com> <slrn5m0dbf.jsb.tqbf@char-star.rdist.org>
NNTP-Posting-Host: sonic.nmti.com
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:6756 comp.unix.bsd.misc:3092 comp.security.unix:34031


In article <slrn5m0dbf.jsb.tqbf@char-star.rdist.org>,
Thomas H. Ptacek <tqbf@enteract.com> wrote:
> Every SUID program on my system is statically linked, and I am still
> vulnerable to security problems in the runtime support!

Fair enough. BTW, according to CERT, AIX has a similar problem.

> OpenBSD has a simple, effective solution to this problem; when execve()
> changes the effective UID/GID due to a SUID/SGID bit on an executable, it
> sets a process table flag. They then have a system call that returns the
> value of this flag, called "issetugid".

That's useful, but not good enough. It doesn't protect programs called from
a daemon, for example, as in the well-known telnetd/login hole, or crontab-type
attacks, or stuff called from a webserver, ...

> Nothing the application-level code can do will cause this test to return
> false when the program is SUID. This is not the case for runtime UID/EUID
> checks.

But during the execution of the code we're looking at, no end-user code
can run before it's complete. So having *it* check the euid/ruid and the
owner of the library is just as effective as having it look at the owner
of the library. More so, because it protects children of privileged programs
as well.

Something like the SCO "login UID" concept would help as well. That's
something that can only be set when UID==0 and can never be set again...
if euid != luid then you know you're setuid no matter how far down the
chain you get.

Yeah, I know, it's not politically correct to say nice things about SCO.

But it's a neat hack anyway.
-- 
           The Reverend Peter da Silva, ULC, COQO, BOFH, KIBO.

Have you hugged your wolf today? `-_-'                          We are all Kibo.
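The three checks argued over in the post (the kernel's sticky set-id flag behind issetugid(), a runtime real-vs-effective uid/gid comparison, and an SCO-style "login UID" compared against the effective uid) side by side in a library-initialisation routine that decides whether to honour an environment-supplied search path. This is an added example, not code from the original post or from any of the systems it mentions. Function and type names (priv_state, privilege_tainted, select_library_path, current_priv_state) are hypothetical; the login uid is passed in by the caller because there is no portable API for it; and the HAVE_ISSETUGID macro is an assumption you define yourself when building on a platform that has issetugid(2).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Added example, not from the original post. All names below are
 * hypothetical. The "login uid" (SCO-style luid) has no portable
 * API, so the caller supplies it; LUID_UNKNOWN means "not tracked".
 * Define HAVE_ISSETUGID on OpenBSD/FreeBSD/NetBSD/macOS to use the
 * kernel's sticky set-id flag; elsewhere that signal is unavailable. */

#define LUID_UNKNOWN ((uid_t)-1)

typedef struct {
    uid_t ruid, euid;
    gid_t rgid, egid;
    int   kernel_setugid;   /* 1 or 0 from issetugid(2); -1 if unavailable */
    uid_t luid;             /* session login uid, or LUID_UNKNOWN */
} priv_state;

/* Snapshot the live process. luid is an assumption: something that ran
 * as root at session start recorded it and handed it down. */
priv_state current_priv_state(uid_t luid)
{
    priv_state p;
    p.ruid = getuid();  p.euid = geteuid();
    p.rgid = getgid();  p.egid = getegid();
#ifdef HAVE_ISSETUGID
    p.kernel_setugid = issetugid();
#else
    p.kernel_setugid = -1;
#endif
    p.luid = luid;
    return p;
}

/* Nonzero when environment-supplied configuration must be ignored.
 * Three independent signals; any one of them is enough:
 *  - the kernel flag set by execve() on a set-id image (it stays set
 *    even after the program calls setuid(0) and makes ruid == euid);
 *  - real and effective uid or gid differ (the classic runtime check);
 *  - effective uid differs from the session's login uid, which also
 *    fires in a root daemon's children (e.g. login under telnetd),
 *    where both of the other signals are silent. */
int privilege_tainted(const priv_state *p)
{
    if (p->kernel_setugid > 0)
        return 1;
    if (p->ruid != p->euid || p->rgid != p->egid)
        return 1;
    if (p->luid != LUID_UNKNOWN && p->luid != p->euid)
        return 1;
    return 0;
}

/* Choose the library search path: honour env_value only for an
 * untainted process, otherwise fall back to the compiled-in default. */
const char *select_library_path(const priv_state *p,
                                const char *env_value,
                                const char *builtin_default)
{
    if (env_value == NULL || env_value[0] == '\0' || privilege_tainted(p))
        return builtin_default;
    return env_value;
}

int main(void)
{
    /* No session luid is tracked in this stand-alone demo. */
    priv_state p = current_priv_state(LUID_UNKNOWN);
    const char *path = select_library_path(&p, getenv("LD_LIBRARY_PATH"),
                                           "/usr/lib");
    printf("ruid=%lu euid=%lu rgid=%lu egid=%lu issetugid=%d -> %s, path %s\n",
           (unsigned long)p.ruid, (unsigned long)p.euid,
           (unsigned long)p.rgid, (unsigned long)p.egid,
           p.kernel_setugid,
           privilege_tainted(&p) ? "tainted" : "clean", path);
    return 0;
}
```

Run it once as yourself and once under a set-id wrapper (or with the luid argument set to a different uid) to see which of the three signals flips the decision; the luid branch is the only one that still fires in a child of a root daemon.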