*BSD News Article 94635



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!uunet!in1.uu.net!206.109.2.48!bonkers!web.nmti.com!peter
From: peter@nmti.com (Peter da Silva)
Newsgroups: comp.unix.bsd.bsdi.misc,comp.unix.bsd.misc,comp.security.unix
Subject: Re: *BSD* Security WWW/Mailing List?
Date: 28 Apr 1997 16:34:57 GMT
Organization: Network/development platform support, NMTI
Lines: 41
Message-ID: <5k2jjh$6h0@web.nmti.com>
References: <3356E1CC.299E@softway.com.au> <slrn5m0dbf.jsb.tqbf@char-star.rdist.org> <5jqtkh$mmo@web.nmti.com> <DERAADT.97Apr26131201@zeus.pacifier.com>
NNTP-Posting-Host: sonic.nmti.com
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:6779 comp.unix.bsd.misc:3110 comp.security.unix:34109

In article <DERAADT.97Apr26131201@zeus.pacifier.com>,
Theo de Raadt <deraadt@theos.com> wrote:
> In article <5jqtkh$mmo@web.nmti.com> peter@nmti.com (Peter da Silva) writes:
>    That's useful, but not good enough. It doesn't protect programs called from
>    a daemon, for example, as in the well known telnetd/login hole, or crontab
>    type attacks, or stuff called from a webserver, ...

> Any security-conscious program which is going to start a sub-process
> is required to do a cleanup on its child's capabilities (environment,
> uids, gids, grouplist, open files, etc).

Agreed, but that cleanup can be very complex.

For example, in the case of telnetd it's explicitly passed things like
TERM and DISPLAY and expected to pass those on... and those are things
that get looked at from runtime libraries... lovely places to put a
buffer overflow attack.

For another example, the whole point of CGI is to pass info from an
insecure environment. It takes a lot of semantic knowledge of that info
to know how to clean it up.

So you end up with very complex code vetting this stuff. And complexity
breeds bugs.

I think you still need to make sure that the subprocess is as solid as
possible. 

If I may be permitted an aside, it's like the whole "Java Security" issue.
The idea is that the input is vetted before feeding it to the Java
interpreter, rather than limiting what the Java interpreter can do. I'd
feel a lot safer if Java itself was restricted in its capabilities.

And then there's ActiveX, but now we're getting pretty far from BSD.

(thank god)
-- 
           The Reverend Peter da Silva, ULC, COQO, BOFH, KIBO.

Have you hugged your wolf today? `-_-'                        We are all Kibo.
                                                            We are all Kibo.
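The environment part of the cleanup the thread argues about, as an added example (mine, not from either poster): instead of handing the daemon's whole environment to the child, rebuild it from an allowlist (TERM and DISPLAY, the two variables named above, is an assumed policy), reject values with control or shell metacharacters or over an assumed length, and pin PATH. The uid/gid/grouplist and open-file cleanup are separate steps and are not shown here.

```c
#include <string.h>
#include <ctype.h>

/* Assumed policy: only these variables may cross from daemon to child. */
static const char *const ALLOWED[] = { "TERM", "DISPLAY" };
#define NALLOWED (sizeof ALLOWED / sizeof ALLOWED[0])
#define MAX_VALUE_LEN 64   /* assumed cap; real libraries differ */

/* A value is accepted only if it is non-empty, short, and made of
   printable ASCII with no whitespace or shell metacharacters. */
int value_is_safe(const char *v)
{
    size_t n = strlen(v);
    if (n == 0 || n > MAX_VALUE_LEN) return 0;
    for (; *v; v++) {
        if (!isprint((unsigned char)*v) || strchr(" \t`$;|&<>\\\"'", *v))
            return 0;
    }
    return 1;
}

/* Build the child's envp from the daemon's: keep the first safe copy of
   each allowlisted name, drop everything else, append a fixed PATH.
   Returns the number of entries stored (excluding the NULL terminator);
   out must have room for out_cap pointers, so at most out_cap-1 entries. */
size_t build_child_env(char *const parent_env[], const char *out[], size_t out_cap)
{
    int seen[NALLOWED] = { 0 };
    size_t n = 0;
    if (out_cap == 0) return 0;
    for (size_t i = 0; parent_env[i] != NULL; i++) {
        const char *eq = strchr(parent_env[i], '=');
        if (eq == NULL) continue;                 /* malformed entry */
        size_t klen = (size_t)(eq - parent_env[i]);
        for (size_t a = 0; a < NALLOWED; a++) {
            if (!seen[a] && strlen(ALLOWED[a]) == klen
                && strncmp(parent_env[i], ALLOWED[a], klen) == 0
                && value_is_safe(eq + 1) && n + 1 < out_cap) {
                out[n++] = parent_env[i];
                seen[a] = 1;
                break;
            }
        }
    }
    /* Never inherit the caller's search path. */
    if (n + 1 < out_cap) out[n++] = "PATH=/usr/bin:/bin";
    out[n] = NULL;
    return n;
}
```

The resulting array is what you pass as envp to execve(); a TERM or DISPLAY value that fails the check is simply absent in the child rather than passed through for a runtime library to parse.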