From owner-freebsd-security Mon Sep 2 11:06:56 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA04710 for security-outgoing; Mon, 2 Sep 1996 11:06:56 -0700 (PDT)
Received: from kdat.calpoly.edu (kdat.csc.calpoly.edu [129.65.54.101]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id LAA04705 for ; Mon, 2 Sep 1996 11:06:54 -0700 (PDT)
Received: (from nlawson@localhost) by kdat.calpoly.edu (8.6.12/N8) id LAA00360 for freebsd-security@freebsd.org; Mon, 2 Sep 1996 11:06:57 -0700
From: Nathan Lawson
Message-Id: <199609021806.LAA00360@kdat.calpoly.edu>
Subject: user_wrapper available for testing
To: freebsd-security@freebsd.org
Date: Mon, 2 Sep 1996 11:06:56 -0700 (PDT)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Jian-Da Li said:
> The user_wrapper is a user-based access control which allows each
> user to have personal tcp_wrapper-like access control.
>
> You can get it from:
> ftp://freebsd.csie.nctu.edu.tw/pub/jdli/collect/user_wrapper.tgz
>
> ====== From README ========
>
> * Related files: (mode should be set to 0600)
>   ~/.hosts.allow  : allow rules
>   ~/.hosts.deny   : deny rules
>   ~/.refused-log  : refused log
>
> * Keywords currently available:
>   1. login : control telnetd/rlogind or anything that uses /usr/bin/login
>   2. ftpd
>   3. rshd
>   4. su    : allow who can su to your account

Sounds like an interesting package. But before it is merged into FreeBSD,
I'd like people to make sure of at least the following:

* Does it open any config files as root? Users can read root-owned files
  then.

* Does it write to .refused-log as anything other than the user that owns
  the directory? What about SysV systems where people can chown files/dirs
  to others? Does it make sure that the user owns .refused-log and that it
  is not a symlink before writing?

* Does it properly switch uids (including the saved id) before parsing the
  user's hosts.{allow,deny} files? If not, users can execute binaries as
  root using the twist= functionality of tcp_wrappers.

* Does it properly close all open descriptors before parsing the files? If
  not, it is possible that the twist= functionality could be used to read
  and/or write to various files.

* If it does drop privileges, is it at a time when the user can use ptrace
  to attach to the executable and modify it?

In short, what I am asking is: has anybody really thought about what the
security implications of this are? Tcp_wrappers was designed with the
assumption that it would be managed by root, and that any attacks would be
coming from the network (as it does not depend on any user-owned or
accessible files). Making it a user-level and user-managed program opens
up a lot more security concerns than I stated above. Let's be sure it's
been evaluated properly before adding this neat feature.

Thanks,
-- 
Nate Lawson                "There are a thousand hacking at the branches of
CPE Senior                  evil to one who is striking at the root."
CSL Admin                        -- Henry David Thoreau, 'Walden', 1854
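The checks Nathan lists (permanent privilege drop including the saved uid, closing inherited descriptors, and refusing a user's config or log file unless it is a regular, non-symlinked, 0600 file owned by that user) are easy to state and easy to get subtly wrong. The following is an added example written for this page, not code from user_wrapper or from the original mail: three small helpers a privileged wrapper could call before it touches anything under a user's home, plus a self_test() that exercises them on constructed files under /tmp. It uses O_NOFOLLOW and O_CLOEXEC, which post-date the 1996 systems the mail discusses; file names, the sample rule line and the uid arguments are all made up for illustration.

```c
/*
 * Added example, not user_wrapper's code: the privilege-drop and file-ownership
 * checks a user-managed tcp_wrappers front end should perform. Paths, the
 * sample rule text and the uids passed in self_test() are constructed.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Close every descriptor above stderr so a twist= child inherits nothing. */
static void close_inherited_fds(void)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0)
        maxfd = 1024;
    for (long fd = 3; fd < maxfd; fd++)
        close(fd);
}

/*
 * Drop to the target user for good: real, effective and saved ids. A bare
 * seteuid() leaves saved uid 0 behind, so a twist= child could setuid(0).
 * setreuid(uid, uid) also sets the saved uid on FreeBSD and Linux; rather
 * than trust that, we verify that regaining root now fails.
 */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)   /* groups first */
        return -1;
    if (setregid(gid, gid) != 0)
        return -1;
    if (setreuid(uid, uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)                  /* saved uid still 0? */
        return -1;
    return 0;
}

/*
 * Open a user's file only if it really is theirs: not a symlink (O_NOFOLLOW),
 * a regular file, owned by the expected uid, no group/other bits (the README
 * asks for 0600), and a single link so a hard link to someone else's file is
 * refused. fstat() on the open descriptor avoids a stat()/open() race. For
 * .refused-log, call this after drop_privileges() and never pass O_CREAT as root.
 */
static int open_owned_file(const char *path, uid_t owner, int flags)
{
    struct stat st;
    int fd = open(path, flags | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0 || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Exercise the checks on constructed files; returns the number of failures. */
static int self_test(void)
{
    char path[] = "/tmp/uw_hosts_allow.XXXXXX";
    char link[64];
    const char *rule = "login: 129.65.54.0/255.255.255.0\n";   /* constructed */
    int failures = 0, fd;

    if (drop_privileges(getuid(), getgid()) != 0)
        return 100;                          /* cannot reach a sane state */
    fd = mkstemp(path);                      /* 0600, owned by us */
    if (fd < 0)
        return 101;
    if (write(fd, rule, strlen(rule)) < 0)
        failures++;
    close(fd);

    /* 1. Our own 0600 file: accepted. */
    fd = open_owned_file(path, getuid(), O_RDONLY);
    if (fd < 0) failures++; else close(fd);
    /* 2. Same file made group/world readable: rejected. */
    if (chmod(path, 0644) != 0 || open_owned_file(path, getuid(), O_RDONLY) >= 0)
        failures++;
    chmod(path, 0600);
    /* 3. Wrong owner expected: rejected. */
    if (open_owned_file(path, getuid() + 1, O_RDONLY) >= 0)
        failures++;
    /* 4. A symlink to the file: rejected by O_NOFOLLOW. */
    snprintf(link, sizeof link, "%s.lnk", path);
    if (symlink(path, link) != 0 || open_owned_file(link, getuid(), O_RDONLY) >= 0)
        failures++;
    unlink(link);
    unlink(path);
    return failures;
}

int main(void)
{
    close_inherited_fds();
    int failures = self_test();
    printf("%d check(s) failed\n", failures);
    return failures ? 1 : 0;
}
```

The ordering matters: groups, then gid, then uid, then verify, and only then open anything in the user's home. The ptrace question in the mail is not something a library call answers; on FreeBSD the kernel refuses to trace a process that changed credentials until its next exec, so the safe pattern is to drop privileges immediately after the root-only work and before any code the user can influence runs.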