Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!newsfeed.internetmci.com!uuneo.neosoft.com!web.nmti.com!peter
From: peter@nmti.com (Peter da Silva)
Newsgroups: comp.unix.bsd.bsdi.misc,comp.unix.bsd.misc,comp.security.unix
Subject: *BSD* Security WWW/Mailing List?
Supersedes: <5jqtis$mmm@web.nmti.com>
Date: 25 Apr 1997 18:37:05 GMT
Organization: Network/development platform support, NMTI
Lines: 39
Message-ID: <5jqtkh$mmo@web.nmti.com>
References: <3356E1CC.299E@softway.com.au> <slrn5ltb2l.br4.tqbf@char-star.rdist.org> <5jo5m4$f9v@web.nmti.com> <slrn5m0dbf.jsb.tqbf@char-star.rdist.org>
NNTP-Posting-Host: sonic.nmti.com
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:6756 comp.unix.bsd.misc:3092 comp.security.unix:34031

In article <slrn5m0dbf.jsb.tqbf@char-star.rdist.org>, Thomas H. Ptacek <tqbf@enteract.com> wrote:

> Every SUID program on my system is statically linked, and I am still
> vulnerable to security problems in the runtime support!

Fair enough. BTW, according to CERT, AIX has a similar problem.

> OpenBSD has a simple, effective solution to this problem; when execve()
> changes the effective UID/GID due to a SUID/SGID bit on an executable, it
> sets a process table flag. They then have a system call that returns the
> value of this flag, called "issetugid".

That's useful, but not good enough. It doesn't protect programs called from a daemon, for example, as in the well-known telnetd/login hole, or crontab-type attacks, or stuff called from a webserver, ...

> Nothing the application-level code can do will cause this test to return
> false when the program is SUID. This is not the case for runtime UID/EUID
> checks.

But during the execution of the code we're looking at, no end-user code can run before it's complete. So having *it* check the euid/ruid and the owner of the library is just as effective as having it look at the owner of the library. More so, because it protects children of privileged programs as well.

Something like the SCO "login UID" concept would help as well. That's something that can only be set when UID==0 and can never be set again... if euid != luid then you know you're setuid no matter how far down the chain you get.

Yeah, I know, it's not politically correct to say nice things about SCO. But it's a neat hack anyway.

--
The Reverend Peter da Silva, ULC, COQO, BOFH, KIBO.
Have you hugged your wolf today? `-_-' We are all Kibo. We are all Kibo.
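The two checks the thread contrasts, the OpenBSD issetugid() kernel flag and the runtime real-vs-effective ID comparison, can be combined in a single guard before a program honours anything it got from the environment. The following is an added example written for this page, not code from the post, from Peter da Silva, or from any BSD. The helper names (ids_differ, kernel_setugid_flag, running_privileged, choose_config_path) and the MYAPP_CONFIG variable are hypothetical; the decision logic is split out as pure functions so it can be checked without actually running setuid.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Runtime check discussed in the post: do the real and effective IDs differ?
 * Kept pure (IDs passed in) so it can be tested without a setuid binary. */
int ids_differ(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* The OpenBSD-style kernel flag, used only where the platform provides
 * issetugid(2). On platforms without it (e.g. glibc Linux) this contributes
 * nothing and the ID comparison alone decides. */
int kernel_setugid_flag(void)
{
#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__APPLE__)
    return issetugid();
#else
    return 0;
#endif
}

/* Combined guard: trust either signal that privilege was gained. The ID
 * comparison is what still fires in a child of a privileged daemon, which is
 * the case the post says the flag alone does not cover. */
int running_privileged(void)
{
    return kernel_setugid_flag()
        || ids_differ(getuid(), geteuid(), getgid(), getegid());
}

/* Pure decision: when privileged, ignore an environment-supplied path and
 * fall back to the compiled-in default; otherwise honour it if non-empty. */
const char *choose_config_path(int privileged, const char *env_value,
                               const char *default_path)
{
    if (privileged || env_value == NULL || env_value[0] == '\0')
        return default_path;
    return env_value;
}

int main(void)
{
    /* MYAPP_CONFIG is a hypothetical variable name for this demonstration. */
    const char *chosen = choose_config_path(running_privileged(),
                                            getenv("MYAPP_CONFIG"),
                                            "/etc/myapp.conf");
    printf("privileged=%d config=%s\n", running_privileged(), chosen);
    return 0;
}
```

The split matters: a setuid binary that trusts MYAPP_CONFIG only when neither signal fires behaves the same whether it was exec'd directly by a user or spawned three levels down from a root daemon, which is the property the post is after.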