From owner-freebsd-security@FreeBSD.ORG Tue Jun 1 09:03:06 2004
Sender: lowell@be-well.ilk.org
To: "bofn"
From: Lowell Gilbert
Date: 01 Jun 2004 12:03:01 -0400
Message-ID: <44u0xvnu4q.fsf@be-well.ilk.org>
cc: freebsd-security@freebsd.org
Subject: Re: X & securelevel=3

"bofn" writes:

> running (4-Stable)
>
> Hi,
>
> short form question:
> how does one run XDM under securelevel>0 ?
>
> long version:
> I've searched for an answer on how to run Xfree/Xorg at a securelevel.
> The X server likes access to /dev/io and some other resources but is not
> granted access after security is switched on.
> One way of doing it seems to be to start it before setting the securelevel, but
> then it doesn't allow a restart of X.
> The other option seems to be the Aperture patch, ported in 2001 with no recent
> updates and no longer usable against the current software.

You understand the situation just fine. The real question is what you hope securelevels will do for you if you are allowing a userland process to access arbitrary memory, as X does.

> 2nd part of the question..
> CD writing needs direct access to /dev/ and that is also not allowed in
> secure mode.
> How can one give selective access to only allow (RW) access to one or two
> devices?

You can't.

> If there is no way of doing these things with configs and such, can anyone
> point me at the relevant source code that controls these functions so I can add
> this specific functionality.

That would probably be the platform-dependent mem.c and sys_machdep.c files; I think you may need to worry about the spigot and vnops opens as well (and probably ioctls).
I don't think it's worth worrying about, though; it would be very hard to make it bulletproof, and for fairly little gain. Securelevels are a very narrowly focused tool; they are not intended to be a magic bullet for security.

From owner-freebsd-security@FreeBSD.ORG Tue Jun 1 14:27:19 2004
From: "bofn"
To: Lowell Gilbert
Date: Tue, 01 Jun 2004 23:27:10 +0200
In-Reply-To: <44u0xvnu4q.fsf@be-well.ilk.org>
cc: freebsd-security@freebsd.org
Subject: Re: X & securelevel=3

On 01 Jun 2004 12:03:01 -0400 Lowell Gilbert wrote

> "bofn" writes:
>
> > running (4-Stable)
> >
> > Hi,
> >
> > short form question:
> > how does one run XDM under securelevel>0 ?
> >
> > long version:
> > I've searched for an answer on how to run Xfree/Xorg at a securelevel.
> > The X server likes access to /dev/io and some other resources but is not
> > granted access after security is switched on.
> > One way of doing it seems to be to start it before setting the securelevel, but
> > then it doesn't allow a restart of X.
> > The other option seems to be the Aperture patch, ported in 2001 with no recent
> > updates and no longer usable against the current software.
>
> You understand the situation just fine. The real question is what you
> hope securelevels will do for you if you are allowing a userland
> process to access arbitrary memory, as X does.

The idea is to limit the options for possible intruders and users who like to play too much, but at the same time provide a GUI workplace for the users.

> > 2nd part of the question..
> > CD writing needs direct access to /dev/ and that is also not allowed in
> > secure mode.
> > How can one give selective access to only allow (RW) access to one or two
> > devices?
>
> You can't.
>
> > If there is no way of doing these things with configs and such, can anyone
> > point me at the relevant source code that controls these functions so I can add
> > this specific functionality.
>
> That would probably be the platform-dependent mem.c and sys_machdep.c
> files; I think you may need to worry about the spigot and vnops
> opens as well (and probably ioctls). I don't think it's worth
> worrying about, though; it would be very hard to make it bulletproof,
> and for fairly little gain.
> Securelevels are a very narrowly focused tool; they are not intended
> to be a magic bullet for security.

I'm not looking for the 'fix all problems' solution, just a way to lock down the system a bit more without losing functionality for the users. Is there a better way to get this done, without turning it into a sysadmin nightmare like ACLs tend to?

//j

From owner-freebsd-security@FreeBSD.ORG Wed Jun 2 04:13:55 2004
Date: Wed, 2 Jun 2004 13:13:40 +0200 (CEST)
From: Konrad Heuer
To: freebsd-security@freebsd.org
Message-ID: <20040602130700.P1201@gwdu60.gwdg.de>
Subject: xdm security hole

Hi everyone,

every comment about this:

http://xforce.iss.net/xforce/xfdb/16264

Didn't find any hint or patch on http://www.xfree86.org/security/.

Best regards

Konrad Heuer (kheuer2@gwdg.de)
GWDG, Am Fassberg, 37077 Goettingen, Germany

From owner-freebsd-security@FreeBSD.ORG Wed Jun 2 04:18:55 2004
Message-ID: <002101c44893$5afdc770$1600110a@pooptop>
From: "Kurt Seifried"
To: "Konrad Heuer"
References: <20040602130700.P1201@gwdu60.gwdg.de>
Date: Wed, 2 Jun 2004 05:18:39 -0600
Subject: Re: xdm security hole

> Hi everyone,
>
> every comment about this:
>
> http://xforce.iss.net/xforce/xfdb/16264
>
> Didn't find any hint or patch on http://www.xfree86.org/security/.
>
> Best regards
>
> Konrad Heuer (kheuer2@gwdg.de)

There's a patch from the OpenBSD project:

http://www.openbsd.org/errata.html

And I know Red Hat has acknowledged the flaw in Fedora. I don't know if FreeBSD is affected (X 4.3.0 later? IPv6 backported?)

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

From owner-freebsd-security@FreeBSD.ORG Wed Jun 2 12:46:56 2004
Message-Id: <200406021947.i52Jl5Tl004471@mail1.itu.edu.tr>
From: "Nebi Gurbanov"
Date: Wed, 2 Jun 2004 22:46:56 +0300
Subject: How to configure applications so that they could use hardware ssl accelerator

Greetings,

I came across some comments about hardware SSL accelerator use under *nix on this list, and applied some of this information (posted approximately 2 months ago) successfully to make Apache use a hardware SSL accelerator. To do so I just wrote the "SSLCryptoDevice ubsec" option into my httpd.conf and httpd started to use my Broadcom accelerator.

But I still have a problem, since I cannot make imaps, pops use the hardware SSL accelerator. I guess some guys on this list may have information about the usage of an SSL accelerator with imaps, pops applications (which are run under xinetd in Red Hat AS 3.0).

Thanks in advance for your comments.
From owner-freebsd-security@FreeBSD.ORG Fri Jun 4 12:54:45 2004
Date: Fri, 4 Jun 2004 12:53:38 -0700
From: "Crist J. Clark"
To: freebsd-security@freebsd.org
Message-ID: <20040604195338.GA50275@blossom.cjclark.org>
Subject: syslogd(8) Dropping Privs

I made a quick change to syslogd(8) so that it can drop root privileges immediately after starting up. It opens up the log sockets (UNIX and network domains) and writes the PID files before dropping privs. It drops privs before opening log files and writing to users. Therefore, you would need to modify your log file permissions appropriately. As for writing to users, ttys generally are writeable by group tty. The UID chosen to run syslogd as should be in this group if this feature is desired.

We haven't had many syslogd(8) vulnerabilities lately, but one less daemon running as root seems like a Good Thing. I do not see any drawbacks from a security point of view. The log files would have to be owned, or otherwise writeable, by this other user, but so what. Obviously, I may be missing something.

Any interest in this? Let me know if you try it out and any successes or failures.

Patches! CURRENT and RELENG_4 version attached. The documentation is included as a patch to the syslogd(8) man page.

-- Crist J.
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org --OgqxwSJOaUobr8KG Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="syslogd.RELENG_4" Index: src/usr.sbin/syslogd/syslogd.8 =================================================================== RCS file: /ncvs/src/usr.sbin/syslogd/syslogd.8,v retrieving revision 1.22.2.16 diff -u -r1.22.2.16 syslogd.8 --- src/usr.sbin/syslogd/syslogd.8 12 Mar 2003 22:08:15 -0000 1.22.2.16 +++ src/usr.sbin/syslogd/syslogd.8 4 Jun 2004 19:51:55 -0000 @@ -48,6 +48,7 @@ .Op Fl m Ar mark_interval .Op Fl P Ar pid_file .Op Fl p Ar log_socket +.Op Fl U Ar user .Sh DESCRIPTION The .Nm @@ -214,6 +215,16 @@ .Dq => to .Dq = . +.It Fl U Ar user +Run as +.Ar user . +.Ar User +must be a valid user name. +This option allows the daemon to drop root privileges, but still open +privileged sockets as root at start up. +Note that privileges are dropped before log files are opened and that the +user must have privileges to write to ttys in order to send messages +to users. .It Fl v Verbose logging. If specified once, the numeric facility and priority are logged with each locally-written message. If specified more than once, Index: src/usr.sbin/syslogd/syslogd.c =================================================================== RCS file: /ncvs/src/usr.sbin/syslogd/syslogd.c,v retrieving revision 1.59.2.28 diff -u -r1.59.2.28 syslogd.c --- src/usr.sbin/syslogd/syslogd.c 29 Feb 2004 20:59:19 -0000 1.59.2.28 +++ src/usr.sbin/syslogd/syslogd.c 4 Jun 2004 19:47:22 -0000 @@ -102,6 +102,7 @@ #include #include #include +#include #include #include #include @@ -334,9 +335,12 @@ sigset_t mask; pid_t ppid = 1; socklen_t len; + struct passwd *pw; + uid_t runAs; bindhostname = NULL; - while ((ch = getopt(argc, argv, "46Aa:b:cdf:kl:m:np:P:suv")) != -1) + runAs = getuid(); + while ((ch = getopt(argc, argv, "46Aa:b:cdf:kl:m:np:P:suU:v")) != -1) switch (ch) { case '4': family = PF_INET; 
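Review bot: the `.It Fl U Ar user` text in the syslogd.8 hunk above says privileges are dropped before log files are opened, but not that the same applies to every later open, so an admin reading it will not learn that files created afterwards by log rotation, and files re-opened on SIGHUP, must also be writable by that user. Suggest one more sentence saying so and pointing at the owner:group field of newsyslog.conf(5), plus a mention that syslogd_flags in rc.conf(5) is where `-U` is set, so the two configurations can be kept in agreement.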
@@ -393,6 +397,11 @@ case 'u': /* only log specified priority */ UniquePriority++; break; + case 'U': + if ((pw = getpwnam(optarg)) == NULL) + errx(1, "could not find user \"%s\"", optarg); + runAs = pw->pw_uid; + break; case 'v': /* log facility and priority */ LogFacPri++; break; @@ -489,6 +498,16 @@ if (fp != NULL) { fprintf(fp, "%d\n", getpid()); (void)fclose(fp); + } + + if (runAs != getuid()) { + if (setuid(runAs) == -1) { + (void)snprintf(line, sizeof(line), + "failed to change uid to %d\n", runAs); + logerror(line); + die(0); + } + dprintf("changed running uid to %d\n", runAs); } dprintf("off & running....\n"); --OgqxwSJOaUobr8KG Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="syslogd.CURRENT" Index: src/usr.sbin/syslogd/syslogd.8 =================================================================== RCS file: /export/freebsd/ncvs/src/usr.sbin/syslogd/syslogd.8,v retrieving revision 1.50 diff -u -r1.50 syslogd.8 --- src/usr.sbin/syslogd/syslogd.8 8 Sep 2003 19:57:22 -0000 1.50 +++ src/usr.sbin/syslogd/syslogd.8 4 Jun 2004 19:53:11 -0000 @@ -48,6 +48,7 @@ .Op Fl m Ar mark_interval .Op Fl P Ar pid_file .Op Fl p Ar log_socket +.Op Fl U Ar user .Sh DESCRIPTION The .Nm 
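Review bot: in the `if (runAs != getuid())` block above, `setuid(runAs)` is the only credential that changes; there is no `setgid()` and no `setgroups()`, so the daemon keeps gid 0 and the supplementary group list it was started with, which leaves it able to write any group-writable file and means the man page's advice to put the user in group tty has no effect. The group has to be changed while still root and before the uid: keep `pw->pw_gid` from the `-U` lookup and do `setgroups(1, &gid)`, `setgid(gid)`, then `setuid(runAs)`, treating -1 from any of them as fatal. Minor: `uid_t` is unsigned, so the `%d` in the `snprintf()` and `dprintf()` formats should be `%u` with a cast. The same applies to the identical hunk in the CURRENT patch.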
@@ -219,6 +220,16 @@ .Dq => to .Dq = . +.It Fl U Ar user +Run as +.Ar user . +.Ar User +must be a valid user name. +This option allows the daemon to drop root privileges, but still open +privileged sockets as root at start up. +Note that privileges are dropped before log files are opened and that the +user must have privileges to write to ttys in order to send messages +to users. .It Fl v Verbose logging. If specified once, the numeric facility and priority are logged with each locally-written message. If specified more than once, Index: src/usr.sbin/syslogd/syslogd.c =================================================================== RCS file: /export/freebsd/ncvs/src/usr.sbin/syslogd/syslogd.c,v retrieving revision 1.128 diff -u -r1.128 syslogd.c --- src/usr.sbin/syslogd/syslogd.c 30 May 2004 10:34:58 -0000 1.128 +++ src/usr.sbin/syslogd/syslogd.c 4 Jun 2004 16:33:14 -0000 @@ -103,6 +103,7 @@ #include #include #include +#include #include #include #include @@ -340,9 +341,12 @@ sigset_t mask; pid_t ppid = 1; socklen_t len; + struct passwd *pw; + uid_t runAs; bindhostname = NULL; - while ((ch = getopt(argc, argv, "46Aa:b:cdf:kl:m:nop:P:suv")) != -1) + runAs = getuid(); + while ((ch = getopt(argc, argv, "46Aa:b:cdf:kl:m:nop:P:suU:v")) != -1) switch (ch) { case '4': family = PF_INET; @@ -406,6 +410,11 @@ case 'u': /* only log specified priority */ UniquePriority++; break; + case 'U': + if ((pw = getpwnam(optarg)) == NULL) + errx(1, "could not find user \"%s\"", optarg); + runAs = pw->pw_uid; + break; case 'v': /* log facility and priority */ LogFacPri++; break; 
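Review bot: `case 'U':` keeps only `pw->pw_uid` and discards `pw->pw_gid`, so nothing later in the patch can set a matching group for the user; store the gid as well (for example a `runAsGid` beside `runAs`) so the privilege drop can apply it. Also, because the later test is `runAs != getuid()`, `-U root` silently does nothing; a warning here when `pw->pw_uid == 0` would stop an admin from assuming privileges were dropped.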
@@ -501,6 +510,16 @@ if (fp != NULL) { fprintf(fp, "%d\n", getpid()); (void)fclose(fp); + } + + if (runAs != getuid()) { + if (setuid(runAs) == -1) { + (void)snprintf(line, sizeof(line), + "failed to change uid to %d\n", runAs); + logerror(line); + die(0); + } + dprintf("changed running uid to %d\n", runAs); } dprintf("off & running....\n"); --OgqxwSJOaUobr8KG--

From owner-freebsd-security@FreeBSD.ORG Fri Jun 4 15:49:25 2004
Date: Sat, 5 Jun 2004 08:48:58 +1000 (EST)
From: Neo-Vortex
To: "Crist J. Clark"
In-Reply-To: <20040604195338.GA50275@blossom.cjclark.org>
Message-ID: <20040605084811.O22285@Neo-Vortex.Ath.Cx>
cc: freebsd-security@freebsd.org
Subject: Re: syslogd(8) Dropping Privs

On Fri, 4 Jun 2004, Crist J. Clark wrote:

> We haven't had many syslogd(8) vulnerabilities lately, but one
> less daemon running as root seems like a Good Thing. I do not
> see any drawbacks from a security point of view.

I agree there, the less, the better :)

~Neo-Vortex

From owner-freebsd-security@FreeBSD.ORG Fri Jun 4 15:58:21 2004
Message-Id: <6.1.0.6.1.20040604235214.03fec120@popserver.sfu.ca>
Date: Fri, 04 Jun 2004 23:57:51 +0100
To: "Crist J. Clark"
From: Colin Percival
In-Reply-To: <20040604195338.GA50275@blossom.cjclark.org>
cc: freebsd-security@freebsd.org
Subject: Re: syslogd(8) Dropping Privs

At 20:53 04/06/2004, Crist J. Clark wrote:
>We haven't had many syslogd(8) vulnerabilities lately, but one
>less daemon running as root seems like a Good Thing. I do not
>see any drawbacks from a security point of view. The log files
>would have to be owned, or otherwise writeable, by this other
>user, but so what. Obviously, I may be missing something.

One consideration is that if syslogd is not running as root, it will no longer be able to write to a filesystem which is already "full". On systems where non-root users can write to the filesystem containing /var/log (and are not limited by quotas) this would allow non-root users to disable logging, which would probably be a Bad Thing.
Colin Percival

From owner-freebsd-security@FreeBSD.ORG Sat Jun 5 01:19:41 2004
From: Darren Reed
Message-Id: <200406050818.i558ImAC003171@caligula.anu.edu.au>
To: colin.percival@wadham.ox.ac.uk (Colin Percival)
Date: Sat, 5 Jun 2004 18:18:48 +1000 (Australia/ACT)
In-Reply-To: <6.1.0.6.1.20040604235214.03fec120@popserver.sfu.ca> from "Colin Percival" at Jun 04, 2004 11:57:51 PM
cc: freebsd-security@freebsd.org
Subject: Re: syslogd(8) Dropping Privs

In some mail from Colin Percival, sie said:
> At 20:53 04/06/2004, Crist J. Clark wrote:
> >We haven't had many syslogd(8) vulnerabilities lately, but one
> >less daemon running as root seems like a Good Thing. I do not
> >see any drawbacks from a security point of view. The log files
> >would have to be owned, or otherwise writeable, by this other
> >user, but so what. Obviously, I may be missing something.
>
> One consideration is that if syslogd is not running as root,
> it will no longer be able to write to a filesystem which is
> already "full".
> On systems where non-root users can write to the filesystem
> containing /var/log (and are not limited by quotas) this would
> allow non-root users to disable logging, which would probably
> be a Bad Thing.

One way or another, you can generally exploit a DoS attack against syslogd with disk space. Well, at least with current sources, anyway. Let's pretend that /var/log is its own filesystem, isolated from a full /var/tmp. The attack is then to just spam syslogd with lots of data such that it fills /var/log. Granted this is harder but not impossible. How do you defend against that? Add code to rate limit messages from a given source to a max of x kb/s?
As an "out there" suggestion, you might increase the % for root only to be greater than 10% on a /var/log so you can always run newsyslog successfully.

Darren

From owner-freebsd-security@FreeBSD.ORG Sat Jun 5 01:23:08 2004
From: Darren Reed
Message-Id: <200406050821.i558LUtm003296@caligula.anu.edu.au>
To: cjc@freebsd.org
Date: Sat, 5 Jun 2004 18:21:29 +1000 (Australia/ACT)
In-Reply-To: <20040604195338.GA50275@blossom.cjclark.org> from "Crist J. Clark" at Jun 04, 2004 12:53:38 PM
cc: freebsd-security@freebsd.org
Subject: Re: syslogd(8) Dropping Privs

...and this works in the case of SIGHUP too? i.e. re-read syslogd.conf and can open new files r/w root only?

Darren
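The start-up order Crist describes for syslogd (root-only work first, then switch user) together with the points Colin and Darren raise about what stops working afterwards, as an added example. This is my code, not Crist's patch and not FreeBSD's syslogd; the names lookup_run_as, uid_of, drop_privileges and daemon_startup, the pid file path and the behaviour of writing the pid file instead of binding log sockets are my own choices for a demo that runs without root. It assumes a POSIX system with setgroups(2) (Linux or the BSDs). Unlike the posted diff it sets the supplementary group list and gid from the passwd entry before the uid, and then checks that root cannot be regained.

```c
#define _GNU_SOURCE 1   /* glibc: makes setgroups(2) visible in <grp.h> */
#include <sys/types.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Added example, not the thread's patch and not FreeBSD code: privileged
 * setup first, then give root up for good, then prove that it is gone. */

/* Resolve a -U style user name to both ids (the patch keeps only pw_uid). */
int lookup_run_as(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);   /* static storage: copy at once */
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* uid for a name, or -1 if the name is unknown. */
long uid_of(const char *name)
{
    uid_t uid;
    gid_t gid;
    return lookup_run_as(name, &uid, &gid) == 0 ? (long)uid : -1L;
}

/* Irrevocably become uid:gid. Returns 0 on success, -1 on a failed system
 * call (errno set), -2 if root could still be regained afterwards. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Groups first, while still allowed: setgroups() is root-only and
         * setgid() is impossible once uid 0 is gone. Skipped only when the
         * supplementary list is already empty or exactly [gid]. */
        gid_t cur;
        int n = getgroups(1, &cur);        /* -1 (EINVAL) if more than one */
        if (n != 0 && !(n == 1 && cur == gid) && setgroups(1, &gid) == -1)
            return -1;
        if (setgid(gid) == -1)
            return -1;
    } else if (gid != getgid() && setgid(gid) == -1) {
        return -1;
    }
    /* From uid 0, setuid() sets real, effective and saved uid together, so
     * no saved uid 0 remains to seteuid() back to. */
    if (setuid(uid) == -1)
        return -1;
    /* Prove it: for a non-root target any attempt to return must fail. */
    if (uid != 0 && setuid(0) == 0)
        return -2;
    return 0;
}

/* syslogd-style start-up: privileged setup, then drop. The pid file path is
 * caller-supplied so the demo needs no root; the real daemon would bind its
 * log sockets and write /var/run/syslog.pid at this point. Returns the pid
 * file descriptor, which stays usable after the drop, or -1 on failure. */
int daemon_startup(const char *pidpath, uid_t uid, gid_t gid)
{
    char buf[32];
    int len, fd = open(pidpath, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd == -1)
        return -1;
    len = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    if (write(fd, buf, (size_t)len) != len || drop_privileges(uid, gid) != 0) {
        close(fd);
        return -1;
    }
    /* From here every open() is subject to DAC and to the reserved-block
     * limit Colin raises: this fd keeps working, but a SIGHUP re-open of a
     * root-owned 0600 log file would now fail. */
    return fd;
}

int main(int argc, char **argv)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    int fd;
    if (argc > 1 && lookup_run_as(argv[1], &uid, &gid) == -1) {
        fprintf(stderr, "no such user: %s\n", argv[1]);
        return 1;
    }
    fd = daemon_startup("/tmp/drop-privs-demo.pid", uid, gid);
    if (fd == -1) {
        perror("daemon_startup");
        return 1;
    }
    printf("now uid %ld gid %ld; pid file fd %d still open\n",
           (long)getuid(), (long)getgid(), fd);
    close(fd);
    return 0;
}
```

Run as root with a user name argument it performs the full drop; run unprivileged with no argument it exercises the same sequence with the caller's own ids, and the final setuid(0) check still demonstrates that root is out of reach.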
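Darren's suggestion of limiting each source to some number of kilobytes per second, as an added example of what such a limiter looks like. This is my code, not anything from the thread or from syslogd: a per-source token bucket charged in bytes, with a small constructed burst of traffic from two made-up addresses run through it. The rate (100 bytes/s), burst (200 bytes), table size, the function names rl_init, rl_allow and rl_run_sample and the sample addresses are all my own choices for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: per-source token bucket for a syslog receiver. Each source
 * gets `burst` bytes of credit that refills at `rate` bytes per second; a
 * message is written only if its size fits in the credit available now. */
#define RL_MAX_SOURCES 64
#define RL_KEYLEN 64

struct rl_bucket {
    char src[RL_KEYLEN];    /* sender address as a string */
    double tokens;          /* bytes of credit available now */
    double last;            /* time of the last refill, seconds */
    unsigned long dropped;  /* messages refused from this source */
};

struct rl_table {
    double rate;            /* bytes per second per source */
    double burst;           /* bucket capacity in bytes */
    size_t n;
    struct rl_bucket b[RL_MAX_SOURCES];
};

void rl_init(struct rl_table *t, double rate, double burst)
{
    memset(t, 0, sizeof *t);
    t->rate = rate;
    t->burst = burst;
}

/* Find or create the bucket for src; a full table evicts the idlest entry. */
static struct rl_bucket *rl_bucket_for(struct rl_table *t, const char *src, double now)
{
    struct rl_bucket *b;
    size_t i;
    for (i = 0; i < t->n; i++)
        if (strcmp(t->b[i].src, src) == 0)
            return &t->b[i];
    if (t->n < RL_MAX_SOURCES) {
        b = &t->b[t->n++];
    } else {
        b = &t->b[0];
        for (i = 1; i < t->n; i++)
            if (t->b[i].last < b->last)
                b = &t->b[i];
    }
    memset(b, 0, sizeof *b);
    strncpy(b->src, src, RL_KEYLEN - 1);
    b->tokens = t->burst;       /* a new source starts with a full burst */
    b->last = now;
    return b;
}

/* 1 if a message of `bytes` from src may be written now, 0 if it is dropped. */
int rl_allow(struct rl_table *t, const char *src, size_t bytes, double now)
{
    struct rl_bucket *b = rl_bucket_for(t, src, now);
    double elapsed = now - b->last;
    if (elapsed > 0) {          /* refill, capped at the burst size */
        b->tokens += elapsed * t->rate;
        if (b->tokens > t->burst)
            b->tokens = t->burst;
        b->last = now;
    }
    if ((double)bytes > b->tokens) {
        b->dropped++;
        return 0;
    }
    b->tokens -= (double)bytes;
    return 1;
}

/* Constructed traffic: one chatty host and one quiet one, 100 B/s, 200 B burst. */
struct rl_sample { double at; const char *src; size_t bytes; };
static const struct rl_sample rl_traffic[] = {
    { 0.0, "10.0.0.5", 120 },   /* fresh bucket: accepted, 80 left        */
    { 0.1, "10.0.0.5", 120 },   /* +10 refilled = 90 < 120: dropped        */
    { 0.1, "10.0.0.9", 120 },   /* other source, own bucket: accepted      */
    { 1.5, "10.0.0.5", 120 },   /* +140 capped at 200: accepted, 80 left   */
    { 1.5, "10.0.0.5", 100 },   /* 80 < 100: dropped                       */
};

/* Runs the sample through a fresh table; returns how many were accepted. */
int rl_run_sample(void)
{
    struct rl_table t;
    int accepted = 0;
    size_t i;
    rl_init(&t, 100.0, 200.0);
    for (i = 0; i < sizeof rl_traffic / sizeof rl_traffic[0]; i++) {
        int ok = rl_allow(&t, rl_traffic[i].src, rl_traffic[i].bytes, rl_traffic[i].at);
        printf("t=%.1f %-9s %3zu bytes: %s\n", rl_traffic[i].at, rl_traffic[i].src,
               rl_traffic[i].bytes, ok ? "accepted" : "DROPPED");
        accepted += ok;
    }
    return accepted;
}

int main(void)
{
    printf("%d of %zu messages accepted\n", rl_run_sample(),
           sizeof rl_traffic / sizeof rl_traffic[0]);
    return 0;
}
```

Keying on the sender's address only helps against remote senders over UDP if the address can be trusted, which it cannot; for local senders the key would be the UNIX domain peer credentials, which is also the only case where the limit cannot simply be dodged by spoofing. The eviction policy keeps the table bounded, since an attacker who can spoof addresses would otherwise grow it without limit.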