*BSD News Article 94592



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!EU.net!main.Germany.EU.net!Dortmund.Germany.EU.net!interface-business.de!usenet
From: j@ida.interface-business.de (J Wunsch)
Newsgroups: comp.unix.bsd.misc,comp.security.unix
Subject: Re: *BSD* Security WWW/Mailing List?
Date: 28 Apr 1997 12:54:34 GMT
Organization: interface business GmbH, Dresden
Lines: 71
Message-ID: <5k26ma$mr0@innocence.interface-business.de>
References: <3356E1CC.299E@softway.com.au> <335798C2.167EB0E7@freebsd.org>
  <DERAADT.97Apr18181055@zeus.pacifier.com>
  <slrn5li6bf.rjd.tqbf@char-star.rdist.org> <5jd1jt$m30@web.nmti.com>
  <slrn5ll06k.kd3.tqbf@char-star.rdist.org>
  <5jhur6$51u@innocence.interface-business.de>
  <slrn5lpvmq.1hm.tqbf@char-star.rdist.org>
  <5jl4b3$clb@innocence.interface-business.de>
  <slrn5lt11e.ela.tqbf@char-star.rdist.org>
Reply-To: joerg_wunsch@interface-business.de (Joerg Wunsch)
NNTP-Posting-Host: ida.interface-business.de
X-Newsreader: knews 0.9.6
X-Phone: +49-351-31809-14
X-Fax: +49-351-3361187
X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F  93 21 E0 7D F9 12 D6 4E
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.misc:3104 comp.security.unix:34090


tqbf@char-star.rdist.org (Thomas H. Ptacek) wrote:

> >Besides, /etc/ttys being in the domain of the system administrator, so
> >whatever it might be, it's at least one order of magnitude less
> >critical.
> 
> Uh. It completely breaks securelevels. I think that's fairly critical.
> Don't you? As stated months ago (I again note that no announcement was
> made regarding this problem), PID 1 can lower the securelevel (few people
> realize this).

I didn't realize this either.  I personally think that's not a good
idea at all.  If you intend to do system maintenance, you can just as
well reboot the machine into single-user mode, as opposed to shutting
it down into single-user (presumably the only reason why PID 1 is
allowed to lower the securelevel).

What do you think?

> /sbin/init, running on most systems at PID 1, has a stack
> overflow involving a gettyent() pulling in an overly-long terminal type
> from /etc/ttys. 
> 
> I don't think this is an "order of magnitude" less critical than anything.

It's an order of magnitude less critical than the crt0 problem, since
it's still restricted to people with root privilege.  If somebody can
gain unauthorized root privs, _there_ is the problem.

> >securelevel 2.  I think the biggest omission from the securelevel
> >checks is for /dev/io, which has only recently been changed to
> 
> Pretty humorous, neh? I don't suppose any of you have bothered to ask Mr.
> de Raadt about other potential problems with securelevels? He is, as you

I'm not in a position to ask Mr. de Raadt anything, sorry.  Last time
I did (and suggested that he submit his enhancements to phkmalloc to
the author, after he publicly complained that the FreeBSD team were
ignoring his modifications), I got such a rude reply (for no other
reason than being a member of the FreeBSD development team,
apparently) that I've now put this case aside as being hopeless.  It's
sad, but I cannot change it.  No, unlike somebody we both know, I'm
not going to post private mail in public.

> >months before however.  It's only that this change never made it back
> >to the 2.1 branch.
> 
> That's not true. As I stated when I alerted you to the problem in the
> first place, 2.2 was, at the time, completely vulnerable as well.

But you were wrong about this.  The library bug was still there, but
not the crt0 hole.

The library code itself was inherited from CSRG, as you certainly know
as well.

----------------------------
revision 1.21
date: 1995/11/02 12:42:42;  author: ache;  state: Exp;  lines: +1 -12
Remove my locale hack. Sigh.
----------------------------

This doesn't exactly predate the foundation of OpenBSD, but it was
less than one month after this foundation (according to the checkin
date of CVS's ``modules'' file on 1995/10/14), and quite some time
before OpenBSD started to concentrate on security issues.

-- 
J"org Wunsch					       Unix support engineer
joerg_wunsch@interface-business.de       http://www.interface-business.de/~j
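As an added example (not code from the original post, nor from any BSD's libc or init), here is a bounded parser for the terminal-type field of a ttys(5) line, the field the thread says gettyent() copied into a fixed stack buffer without a length check. The 32-byte buffer size, the function name and the sample lines are assumptions chosen for illustration.

```c
/* Constructed example: read the third field (terminal type) of one
 * ttys(5) line  --  name, getty command, type, status flags  --  into a
 * fixed buffer without ever writing past it.  The point is the length
 * check before the copy; an over-long type is rejected, not truncated,
 * because a truncated type is still a wrong type. */
#include <stddef.h>
#include <string.h>

#define TYPE_MAX 32   /* assumed buffer size, not the historical value */

/* Returns 0 on success (type copied to out, NUL-terminated),
 * -1 if the line has no type field (blank, comment, too few fields),
 * -2 if the type does not fit in out[TYPE_MAX]. */
int parse_ttys_type(const char *line, char out[TYPE_MAX])
{
    const char *p = line;
    const char *field_start = NULL;
    size_t field_len = 0;
    int field = 0;

    while (*p != '\0') {
        while (*p == ' ' || *p == '\t')          /* skip field separators */
            p++;
        if (*p == '\0' || *p == '\n' || *p == '#')
            break;                               /* end of line or comment */
        const char *start = p;
        if (*p == '"') {                         /* quoted field, e.g. the getty command */
            start = ++p;
            while (*p != '\0' && *p != '"' && *p != '\n')
                p++;
            field_len = (size_t)(p - start);
            if (*p == '"')
                p++;
        } else {                                 /* bare field */
            while (*p != '\0' && *p != ' ' && *p != '\t' && *p != '\n')
                p++;
            field_len = (size_t)(p - start);
        }
        if (++field == 3) {
            field_start = start;
            break;
        }
    }
    if (field_start == NULL)
        return -1;
    if (field_len >= TYPE_MAX)                   /* the check the thread says was missing */
        return -2;
    memcpy(out, field_start, field_len);
    out[field_len] = '\0';
    return 0;
}
```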