Date:      Mon, 2 Sep 1996 11:06:56 -0700 (PDT)
From:      Nathan Lawson <nlawson@kdat.csc.calpoly.edu>
To:        freebsd-security@freebsd.org
Subject:   user_wrapper available for testing
Message-ID:  <199609021806.LAA00360@kdat.calpoly.edu>

Jian-Da Li <jdli@freebsd.csie.nctu.edu.tw> said:
>         The user_wrapper is a user-based access control which allows each
>         user to have personal tcp_wrapper-like access control.
> 
>         You can get it from :
>         ftp://freebsd.csie.nctu.edu.tw/pub/jdli/collect/user_wrapper.tgz
> 
> ====== From README ========
> 
> *       Related files: (mode should set to 0600)
>         ~/.hosts.allow : allow rules
>         ~/.hosts.deny : deny rules
>         ~/.refused-log : refused log
> 
> *       Keywords currently available:
>         1. login : control telnetd/rlogind or anything use /usr/bin/login
>         2. ftpd
>         3. rshd
>         4. su : allow who can su to your account

Sounds like an interesting package.  But before it is merged into FreeBSD,
I'd like people to make sure of at least the following:

   * Does it open any config files as root?  Users can read root-owned files
     then.

   * Does it write to .refused-log as anything other than the user that owns
     the directory?  What about SysV systems where people can chown files/dirs
     to others?  Does it make sure that the user owns .refused-log and it's not
     a symlink before writing?

   * Does it properly switch uid's (including saved id) before parsing the
     user's hosts.{allow,deny} files?  If not, users can execute binaries as
     root using the twist= functionality of tcp_wrappers.

   * Does it properly close all open descriptors before parsing the files?  If
     not, it is possible that the twist= functionality could be used to read
     and/or write to various files.

   * If it does drop privileges, is it at a time when the user can use ptrace
     to attach to the executable and modify it?

In short, what I am asking is has anybody really thought about what the security
implications of this are?  Tcp_wrappers was designed with the assumption that it
would be managed by root, and that any attacks would be coming from the network
(as it does not depend on any user-owned or accessible files).

Making it a user-level and user-managed program opens up a lot more security
concerns than I stated above.  Let's be sure it's been evaluated properly before
adding this neat feature.

Thanks,
-- 
Nate Lawson                  "There are a thousand hacking at the branches of
CPE Senior                    evil to one who is striking at the root."
CSL Admin                              -- Henry David Thoreau, 'Walden', 1854
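As an added illustration of the checks raised above (this is example code written for this page, not code from user_wrapper or from either poster), the following shows how a privileged helper can open a user-owned rules file without following symlinks and with ownership and mode verified on the open descriptor, and how to drop root including the saved uid before parsing anything the user controls. Function names and the constructed temp-dir self-check are assumptions of this example; setgroups() is declared in <grp.h> on glibc and in <unistd.h> on FreeBSD.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a per-user rules file only if it is a regular, non-symlink file owned
 * by uid with mode 0600 or tighter; checks use fstat on the fd actually read. */
int open_user_rules(const char *path, uid_t uid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != uid ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) { close(fd); return -1; }
    return fd;
}

/* Give up root for good (real, effective and saved ids) before the user's
 * rules are parsed, then verify: with the saved uid gone, setuid(0) fails. */
int drop_to_user(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    return (uid != 0 && setuid(0) == 0) ? -1 : 0;  /* -1: still root-capable */
}

/* Constructed self-check in a temp dir: a 0600 file is accepted, a 0644 file
 * and a symlink to it are refused. Returns the number of misbehaving checks. */
int self_check(void)
{
    char dir[] = "/tmp/uwXXXXXX";
    int fd, fails = 0;
    if (mkdtemp(dir) == NULL || chdir(dir) != 0) return -1;
    umask(0);                                  /* so 0644 below stays 0644 */
    close(open("hosts.allow", O_WRONLY | O_CREAT, 0600));
    close(open("hosts.deny", O_WRONLY | O_CREAT, 0644));
    fails += symlink("hosts.allow", "link") != 0;
    fails += (fd = open_user_rules("hosts.allow", getuid())) < 0; /* accept */
    if (fd >= 0) close(fd);
    fails += open_user_rules("hosts.deny", getuid()) >= 0;        /* refuse */
    fails += open_user_rules("link", getuid()) >= 0;              /* refuse */
    unlink("link"); unlink("hosts.deny"); unlink("hosts.allow");
    chdir("/"); rmdir(dir);
    return fails;
}
```

The descriptor hygiene point (closing inherited fds before parsing) is not shown here; it belongs in the same place as drop_to_user(), before any user-controlled input is read.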