Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!news.enteract.com!newsfeed.enteract.com!tqbf
From: tqbf@char-star.rdist.org (Thomas H. Ptacek)
Newsgroups: comp.unix.bsd.bsdi.misc,comp.unix.bsd.misc,comp.security.unix
Subject: Re: *BSD* Security WWW/Mailing List?
Date: 25 Apr 1997 19:54:33 GMT
Organization: EnterAct, L.L.C.
Lines: 51
Message-ID: <slrn5m22vo.gfb.tqbf@char-star.rdist.org>
References: <3356E1CC.299E@softway.com.au> <slrn5ltb2l.br4.tqbf@char-star.rdist.org> <5jo5m4$f9v@web.nmti.com> <slrn5m0dbf.jsb.tqbf@char-star.rdist.org> <5jqtkh$mmo@web.nmti.com>
Reply-To: tqbf@enteract.com
NNTP-Posting-Host: char-star.rdist.org
X-Newsreader: slrn (0.9.1.1 BETA UNIX)
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:6757 comp.unix.bsd.misc:3093 comp.security.unix:34034

25 Apr 1997 18:37:05 GMT peter@nmti.com:

>> Every SUID program on my system is statically linked, and I am still
>> vulnerable to security problems in the runtime support!

>Fair enough. BTW, according to CERT AIX has a similar problem.

CERT announced that AIX had an NLS support problem. Just because FreeBSD happened to have managed to land their version of a widespread hole in crt0 doesn't mean that everyone else did. =)

>That's useful, but not good enough. It doesn't protect programs called from
>a daemon, for example, as in the well known telnetd/login hole, or crontab
>type attacks, or stuff called from a webserver, ...

Ignoring the last of those, I agree with you. I've been on Theo's case about a "secureprocess()" system call (actually, I've been promising to do it for Theo, so I shouldn't complain) that would flip the "secure" bit in the proc structure to fix exactly this kind of problem. The flag is inherited, however, so daemons called from inetd can potentially be covered by setting inetd SUID and not world/group executable.

I'm all for kernel enhancements to get around these sorts of problems. I suggested to Theo a while back that we add a void pointer to the end of the proc structure so we could implement wacky changes without recompiling the entire user codebase; he was less than enthusiastic. I've found that, in general, people are trying to get as much done with what we have.

>But during the execution of the code we're looking at, no end-user code
>can run before it's complete. So having *it* check the euid/ruid and the

Yeah, Theo pointed this out to me during the crt0/locale hole discussion (specifically, given that FreeBSD doesn't have an issetugid syscall, similar functionality can be obtained by setting the flag somewhere in process VM from crt0). I think a generic "hey, I'm sensitive code!" flag in the kernel is useful, and I'd like to see everyone support it, but in the absence of a real fix... =)

>of the library. More so, because it protects children of privileged programs
>as well.

The process flag is inherited.

--
----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
exit(main(kfp->kargc, argv, environ));
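A user-space model of the "sensitive process" flag the thread is discussing, added here as an illustration and not code from the post or from any BSD: crt0-style startup sets a flag from the credentials (or from issetugid(2) where it exists, assumed available on OpenBSD and current FreeBSD), library code such as NLS path lookup consults the flag instead of trusting the environment, and `set_process_sensitive()` stands in for the inherited kernel bit that a credential check alone cannot derive in the telnetd/login case, where ruid == euid == 0. All function names and the sample NLSPATH value are constructed for this example.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Flag that crt0 (or an inherited kernel bit) would set before user code runs. */
static int process_sensitive = 0;

/* What a credential-only check can see: a setuid or setgid transition. */
int creds_look_privileged(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Models the inherited kernel flag: a parent such as inetd passes it on
 * even when the child runs with ruid == euid == 0. */
void set_process_sensitive(int on)
{
    process_sensitive = on;
}

/* crt0-style initialisation: use issetugid(2) where the system has it,
 * otherwise fall back to comparing real and effective ids. */
void crt0_mark_sensitive(void)
{
#if defined(__OpenBSD__) || defined(__FreeBSD__)
    if (issetugid())
        process_sensitive = 1;
#else
    if (creds_look_privileged(getuid(), geteuid(), getgid(), getegid()))
        process_sensitive = 1;
#endif
}

/* Environment lookup that locale/NLS code should use: in a sensitive
 * process the environment is ignored, whatever it contains. */
const char *safe_getenv(const char *name)
{
    return process_sensitive ? NULL : getenv(name);
}

int main(void)
{
    crt0_mark_sensitive();
    setenv("NLSPATH", "/tmp/untrusted", 1);   /* constructed sample value */
    const char *p = safe_getenv("NLSPATH");
    printf("NLSPATH honoured: %s\n", p ? p : "(no, process is sensitive)");
    return 0;
}
```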