*BSD News Article 94459



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!news.enteract.com!newsfeed.enteract.com!tqbf
From: tqbf@char-star.rdist.org (Thomas H. Ptacek)
Newsgroups: comp.unix.bsd.bsdi.misc,comp.unix.bsd.misc,comp.security.unix
Subject: Re: *BSD* Security WWW/Mailing List?
Date: 25 Apr 1997 19:54:33 GMT
Organization: EnterAct, L.L.C.
Lines: 51
Message-ID: <slrn5m22vo.gfb.tqbf@char-star.rdist.org>
References: <3356E1CC.299E@softway.com.au> <slrn5ltb2l.br4.tqbf@char-star.rdist.org> <5jo5m4$f9v@web.nmti.com> <slrn5m0dbf.jsb.tqbf@char-star.rdist.org> <5jqtkh$mmo@web.nmti.com>
Reply-To: tqbf@enteract.com
NNTP-Posting-Host: char-star.rdist.org
X-Newsreader: slrn (0.9.1.1 BETA UNIX)
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:6757 comp.unix.bsd.misc:3093 comp.security.unix:34034


25 Apr 1997 18:37:05 GMT peter@nmti.com:
>> Every SUID program on my system is statically linked, and I am still
>> vulnerable to security problems in the runtime support!

>Fair enough. BTW, according to CERT AIX has a similar problem.

CERT announced that AIX had an NLS support problem. Just because FreeBSD
happened to have managed to land their version of a widespread hole in
crt0 doesn't mean that everyone else did. =)

>That's useful, but not good enough. It doesn't protect programs called from
>a daemon, for example, as in the well known telnetd/login hole, or crontab
>type attacks, or stuff called from a webserver, ...

Ignoring the last of those, I agree with you. I've been on Theo's case
about a "secureprocess()" system call (actually, I've been promising to
do it for Theo, so I shouldn't complain) that would flip the "secure" bit
in the proc structure to fix exactly this kind of problem.

The flag is inherited, however, so daemons called from inetd can
potentially be covered by setting inetd SUID and not world/group
executable. 

I'm all for kernel enhancements to get around these sorts of problems. I
suggested to Theo awhile back that we add a void pointer to the end of
the proc structure so we could implement wacky changes without
recompiling the entire user codebase; he was less than enthusiastic. I've
found that, in general, people are trying to get as much done with what
we have.

>But during the execution of the code we're looking at, no end-user code
>can run before it's complete. So having *it* check the euid/ruid and the

Yeah, Theo pointed this out to me during the crt0/locale hole discussion
(specifically, given that FreeBSD doesn't have an issetugid syscall,
similar functionality can be obtained by setting the flag somewhere in
process VM from crt0). I think a generic "hey, I'm sensitive code!" flag
in the kernel is useful, and I'd like to see everyone support it, but in
the absence of a real fix... =)

>of the library. More so, because it protects children of privileged programs
>as well.

The process flag is inherited.

-- 
----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
exit(main(kfp->kargc, argv, environ));
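The crt0-side workaround Ptacek describes (no issetugid syscall on FreeBSD at the time, so startup code records a "sensitive process" flag in process memory before any user code runs, and library routines consult it before honouring the environment) can be sketched in userland. The block below is an added illustration, not code from the post, from FreeBSD or from OpenBSD: the ids are passed in as arguments so the decision can be exercised without actually running setuid, and the names crt0_mark_secure, my_issetugid, safe_getenv and nls_dir are hypothetical. The compiled-in default directory and the environment strings are constructed sample input.

```c
/* Added example (not from the post): a crt0-style "sensitive process"
 * flag set once at startup and consulted by library code before it
 * honours attacker-controllable environment such as an NLS/locale path.
 * All names below are hypothetical; modern BSDs have a real issetugid(2). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Set once from startup code, before any user code runs; never cleared
 * in real life (reset_secure_flag exists only so tests can re-run). */
static int process_is_secure;

/* Pure decision: the process counts as "setugid" if any effective id
 * differs from the corresponding real id. */
int compute_issetugid(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return (ruid != euid) || (rgid != egid);
}

/* What crt0 would do: record the flag in process memory. Returns the
 * resulting flag so callers (and tests) can observe it. */
int crt0_mark_secure(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    if (compute_issetugid(ruid, euid, rgid, egid))
        process_is_secure = 1;
    return process_is_secure;
}

/* Query in the spirit of issetugid(2) for a libc that lacks the syscall. */
int my_issetugid(void)
{
    return process_is_secure;
}

/* getenv() over an explicit environment array that refuses to return
 * anything at all while the process is flagged secure. */
const char *safe_getenv(const char *name, char *const envp[])
{
    size_t n = strlen(name);
    if (process_is_secure || envp == NULL)
        return NULL;
    for (; *envp != NULL; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return *envp + n + 1;
    return NULL;
}

/* The kind of library routine the crt0/locale hole lived in: choose the
 * message-catalog directory. In a secure process the environment override
 * is ignored and only the compiled-in default is used. */
const char *nls_dir(char *const envp[], const char *compiled_default)
{
    const char *p = safe_getenv("NLSPATH", envp);
    return p != NULL ? p : compiled_default;
}

void reset_secure_flag(void)
{
    process_is_secure = 0;
}

int main(void)
{
    /* Constructed sample environment: an attacker-controlled NLSPATH. */
    char *const env[] = { "NLSPATH=/tmp/evil", "HOME=/root", NULL };

    crt0_mark_secure(getuid(), geteuid(), getgid(), getegid());
    printf("issetugid=%d nls_dir=%s\n", my_issetugid(),
           nls_dir(env, "/usr/share/nls"));
    return 0;
}
```

Note that this only protects code that goes through the flag-aware accessor; the inheritance across exec that Ptacek wants from a kernel-side process flag is exactly what a userland flag in crt0 cannot give you, since the child's crt0 recomputes it from its own ids.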