From owner-freebsd-security Sun May 11 02:49:09 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id CAA20589 for security-outgoing; Sun, 11 May 1997 02:49:09 -0700 (PDT)
Received: from ht.eimb.rssi.ru (ht.eimb.rssi.ru [193.232.192.7]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id CAA20584 for ; Sun, 11 May 1997 02:49:05 -0700 (PDT)
Received: from localhost (qwe@localhost) by ht.eimb.rssi.ru (8.8.5/1997.05.04) with SMTP id NAA00472 for ; Sun, 11 May 1997 13:50:57 +0400 (MSD)
Date: Sun, 11 May 1997 13:50:57 +0400 (MSD)
From: Gnuchev Fedor
Reply-To: Gnuchev Fedor
To: freebsd-security@FreeBSD.ORG
Subject: Re: Linux UID/GID 'Feature'
In-Reply-To: <01BC5D8D.679DD4A0@frank56.pcisys.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Good morning, the text below is applicable to FreeBSD as well. It's good enough to ftp and pick /etc/master.passwd; had not checked ssh.

>On Sat, 10 May 1997, David Phillips wrote:
> I mailed this to a friend as a sanity check:
>
> While trying to make a user entry in the /etc/passwd file unrecognized
> so I could demonstrate the use of valid UIDs, I placed a # in front of the UID.
> My theory was that this would make it an invalid number and cause Linux
> to give an authentication failure. (This worked as expected on SunOS 4.1.4)
> But then we tried to su to that user and were rewarded by being dumped
> to UID 0. It didn't recognize the UID so it defaulted to 0. Cool huh?
>
> It seems ideal for a hard to find back door, but given that you must be root
> to write to the passwd file, I have not found a better way to really exploit it.
> My friend replied:
>
> I did test the problem using various remote logins, such as rlogin,
> rsh, ftp, telnet, exec, ssh and console login. Trying to rlogin, rsh,
> rexec or telnet failed with an authentication failure. But, su, ftp, ssh
> and console login all succeeded and gave UID 0. A small stumbling block,
> but still useful for a backdoor. I'll keep checking it tho'.
>
> He also noted that it works the same for GID. We have not taken the time
> to research the problem fully but have tested it on Red Hat 4.1 (2.0.27/2.0.30).
> >
> David Phillips, TASC
> phillips@pcisys.net

With best regards
Fedor Gnuchev
mailto:qwe@ht.eimb.rssi.ru

From owner-freebsd-security Sun May 11 02:57:23 1997
From: Gnuchev Fedor
Date: Sun, 11 May 1997 13:59:09 +0400 (MSD)
To: freebsd-security@FreeBSD.ORG
Subject: Re: Linux UID/GID 'Feature' (upd)

Sorry for being a hasty poster :-)

It works only till the next time passwd is run - then it becomes easy to detect 0.

With best regards
Fedor Gnuchev
mailto:qwe@ht.eimb.rssi.ru

From owner-freebsd-security Sun May 11 08:29:16 1997
To: Gnuchev Fedor
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Linux UID/GID 'Feature'
From: Wolfram Schneider
Date: 11 May 1997 17:21:39 +0200
In-Reply-To: Gnuchev Fedor's message of Sun, 11 May 1997 13:50:57 +0400 (MSD)

Gnuchev Fedor writes:
> > While trying to make a user entry in the /etc/passwd file unrecognized
> > so I could demonstrate the use of valid UIDs, I placed a # in front of the UID.
> > My theory was that this would make it an invalid number and cause Linux
> > to give an authentication failure. (This worked as expected on SunOS 4.1.4)
> > But then we tried to su to that user and were rewarded by being dumped
> > to UID 0. It didn't recognize the UID so it defaulted to 0. Cool huh?

Never put a non-numeric character in the UID field!

BTW, in FreeBSD-current lines with a leading `#' are comments, and are ignored. See group(5), passwd(5).

--
Wolfram Schneider http://www.apfel.de/~wosch/

From owner-freebsd-security Sun May 11 09:20:29 1997
To: Wolfram Schneider
Cc: Gnuchev Fedor, freebsd-security@FreeBSD.ORG
Subject: Re: Linux UID/GID 'Feature'
From: Wolfram Schneider
Date: 11 May 1997 18:20:06 +0200
In-Reply-To: Wolfram Schneider's message of 11 May 1997 17:21:39 +0200

Wolfram Schneider writes:
> Gnuchev Fedor writes:
> > > While trying to make a user entry in the /etc/passwd file unrecognized
> > > so I could demonstrate the use of valid UIDs, I placed a # in front of the UID.
> > > My theory was that this would make it an invalid number and cause Linux
> > > to give an authentication failure. (This worked as expected on SunOS 4.1.4)
> > > But then we tried to su to that user and were rewarded by being dumped
> > > to UID 0. It didn't recognize the UID so it defaulted to 0. Cool huh?
>
> Never put a non-numeric character in the UID field!

Ok, here is a patch for pwd_mkdb:

Index: pw_scan.c
===================================================================
RCS file: /usr/cvs/src/usr.sbin/pwd_mkdb/pw_scan.c,v
retrieving revision 1.5
diff -u -r1.5 pw_scan.c
--- pw_scan.c	1996/06/20 19:19:29	1.5
+++ pw_scan.c	1997/05/11 16:00:33
@@ -42,6 +42,7 @@
 #include
+#include
 #include
 #include
 #include
@@ -77,6 +78,10 @@
                        goto fmt;
                if(p[0]) pw->pw_fields |= _PWF_UID;
                id = atol(p);
+               for(; *p != '\0'; p++)
+                       if (!isdigit(*p))
+                               goto fmt;
+
                if (root && id) {
                        warnx("root uid should be 0");
                        return (0);
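Review bot: The digit loop in the UID hunk runs after `id = atol(p);`, so the value has already been converted before it is validated, and the loop walks `p` itself up to the terminating NUL, leaving it no longer pointing at the field once the check is done. Move the check in front of the `atol()` call and scan with a scratch pointer or an index instead of `p`. Two smaller points on the same added lines: `isdigit(*p)` on a plain `char` is undefined for a high-bit byte, so write `isdigit((unsigned char)*p)`, and an all-digit field can still overflow `atol()` without notice, which `strtoul()` with an `ERANGE` check would report.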
@@ -91,6 +96,10 @@
                        goto fmt;
                if(p[0]) pw->pw_fields |= _PWF_GID;
                id = atol(p);
+               for(; *p != '\0'; p++)
+                       if (!isdigit(*p))
+                               goto fmt;
+
                if (id > USHRT_MAX) {
                        warnx("%s > max gid value (%d)", p, USHRT_MAX);
                        /* return (0); This should not be fatal! */

--
Wolfram Schneider http://www.apfel.de/~wosch/

From owner-freebsd-security Mon May 12 07:32:09 1997
Date: Mon, 12 May 1997 10:31:48 -0400 (EDT)
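Review bot: In the GID hunk the loop leaves `p` at the terminating NUL, and the context line directly below it, `warnx("%s > max gid value (%d)", p, USHRT_MAX);`, then prints an empty string where the offending field should appear. Scan with a separate pointer, or do the check before the conversion, so the warning keeps its argument. The loop is also a verbatim copy of the one in the UID hunk; a small helper such as `all_digits(const char *)` would keep the two in step, and `isdigit()` needs the `(unsigned char)` cast in both places.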
From: Garrett Wollman
Message-Id: <199705121431.KAA18551@khavrinen.lcs.mit.edu>
To: Wolfram Schneider
Cc: Gnuchev Fedor, freebsd-security@FreeBSD.ORG
Subject: Re: Linux UID/GID 'Feature'

< said:
>                id = atol(p);
> +               for(; *p != '\0'; p++)
> +                       if (!isdigit(*p))
> +                               goto fmt;
> +

This is why you should never use atol(). Always, always, always use strtol(), and then you won't have these problems. Properly written to use strtol:

        errno = 0;
        ltmp = strtol(p, &ep, 10);
        if (*ep != '\0' || ltmp > MAX_UID_VALUE || ltmp < MIN_UID_VALUE
            || errno != 0) {
                do_error_action();
        }
        id = ltmp;

The errno check is not necessary if you can always guarantee that MAX_UID_VALUE is strictly less than LONG_MAX and similarly MIN_UID_VALUE is strictly greater than LONG_MIN. Careful programmers would leave it in anyway, since people who make such guarantees cannot be trusted :-) .

>                if (id > USHRT_MAX) {
>                        warnx("%s > max gid value (%d)", p, USHRT_MAX);
>                        /* return (0); This should not be fatal! */

This is really evil. The pw_mkdb program should not have built into it the identity of the type which is u/gid_t. Rather, the constants I mentioned above should be carefully defined somewhere (probably in under the non-POSIX section).

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Mon May 12 09:17:21 1997
Date: Tue, 13 May 1997 02:15:23 +1000
From: Bruce Evans
Message-Id: <199705121615.CAA16319@godzilla.zeta.org.au>
To: wollman@khavrinen.lcs.mit.edu, wosch@apfel.de
Subject: Re: Linux UID/GID 'Feature'
Cc: freebsd-security@FreeBSD.ORG, qwe@ht.eimb.rssi.ru

>>                id = atol(p);
>> +               for(; *p != '\0'; p++)
>> +                       if (!isdigit(*p))
>> +                               goto fmt;
>> +
>
>This is why you should never use atol(). Always, always, always use
>strtol(), and then you won't have these problems. Properly written to
>use strtol:
>        errno = 0;
>        ltmp = strtol(p, &ep, 10);
>        if (*ep != '\0' || ltmp > MAX_UID_VALUE || ltmp < MIN_UID_VALUE
>            || errno != 0) {
>                do_error_action();
>        }
>        id = ltmp;

MAX_UID_VALUE is 0xffffffff, so it can only be read using strtol() on systems with more than 32 bits in an int. This is why you should rarely use strtol() :-). Always use strtoul() or strtouq() to read unsigned values. These functions are often more convenient even for reading possibly-signed values.

Another problem: isdigit(*p) is usually undefined if *p < 0.

>>                if (id > USHRT_MAX) {
>>                        warnx("%s > max gid value (%d)", p, USHRT_MAX);
>>                        /* return (0); This should not be fatal! */
>
>This is really evil. The pw_mkdb program should not have built into
>it the identity of the type which is u/gid_t. Rather, the constants I
>mentioned above should be carefully defined somewhere (probably in
> under the non-POSIX section).

Well, it needs to know something about the type, or depend on the constants being representable by the type returned by the strto* function used. This is difficult to program POSIX-portably, since uid_t might be long double.
Bruce

From owner-freebsd-security Tue May 13 14:46:38 1997
Date: Tue, 13 May 1997 14:53:43 -0700 (PDT)
From: Jonathan Mini
To: security@freebsd.org
Subject: /usr/sbin/wall is suid root.

Personally, I think that being able to transmit an arbitrary string of characters to every user's console on the system is a bit of a security hole. ANSI keyboard reassignments come to mind.

Jonathan Mini (j_mini@efn.org)
... Desolation ... Despair ... Plastic Forks ...

From owner-freebsd-security Tue May 13 15:35:31 1997
Date: Tue, 13 May 1997 23:16:19 +0200 (MET DST)
Message-Id: <199705132116.XAA00653@campa.panke.de>
From: Wolfram Schneider
To: Bruce Evans
Cc: wollman@khavrinen.lcs.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Linux UID/GID 'Feature'
In-Reply-To: <199705121615.CAA16319@godzilla.zeta.org.au>
References: <199705121615.CAA16319@godzilla.zeta.org.au>

Bruce Evans writes:
>>>                id = atol(p);
>>> +               for(; *p != '\0'; p++)
>>> +                       if (!isdigit(*p))
>>> +                               goto fmt;
>>> +
>>
>>This is why you should never use atol(). Always, always, always use
>>strtol(), and then you won't have these problems. Properly written to
>>use strtol:

strtol does more things which we don't want:

man strtol
     The string may begin with an arbitrary amount of white space (as determined
     by isspace(3)) followed by a single optional `+' or `-' sign. If base is
     zero or 16, the string may then include a `0x' prefix, and the number will
     be read in base 16; otherwise, a zero base is taken as 10 (decimal) unless
     the next character is `0', in which case it is taken as 8 (octal).

>Another problem: isdigit(*p) is usually undefined if *p < 0.

What does usually mean? There is no warning in the isdigit manpage.

Wolfram

From owner-freebsd-security Tue May 13 19:12:05 1997
Date: Wed, 14 May 1997 12:09:26 +1000
From: Bruce Evans
Message-Id: <199705140209.MAA23416@godzilla.zeta.org.au>
To: bde@zeta.org.au, wosch@apfel.de
Subject: Re: Linux UID/GID 'Feature'
Cc: freebsd-security@FreeBSD.ORG, wollman@khavrinen.lcs.mit.edu

>Bruce Evans writes:
>>>>                id = atol(p);
>>>> +               for(; *p != '\0'; p++)
>>>> +                       if (!isdigit(*p))
>>>> +                               goto fmt;
>>>> +
>>>
>>>This is why you should never use atol(). Always, always, always use
>>>strtol(), and then you won't have these problems. Properly written to
>>>use strtol:
>
>strtol does more things which we don't want:
>
>man strtol
>     The string may begin with an arbitrary amount of white space (as determined
>     by isspace(3)) followed by a single optional `+' or `-' sign. If base is
>     zero or 16, the string may then include a `0x' prefix, and the number will
>     be read in base 16; otherwise, a zero base is taken as 10 (decimal) unless
>     the next character is `0', in which case it is taken as 8 (octal).

atol(p) is equivalent to strtol(p, (char **)NULL, 10). This may also do things that we don't want (it skips leading white space and interprets signs).

>>Another problem: isdigit(*p) is usually undefined if *p < 0.
>
>What does usually mean? There is no warning in the isdigit manpage.

Except when *p == EOF. The man page is deficient. So is ctype(3). ANSI ctype functions are only valid for args that are representable as an unsigned char or equal to EOF.
Bruce

From owner-freebsd-security Wed May 14 02:51:12 1997
Date: Wed, 14 May 1997 11:49:23 +0200 (MET DST)
Message-Id: <199705140949.LAA00570@campa.panke.de>
From: Wolfram Schneider
To: Bruce Evans
Cc: wosch@apfel.de, freebsd-security@FreeBSD.ORG, wollman@khavrinen.lcs.mit.edu
Subject: Re: Linux UID/GID 'Feature'
In-Reply-To: <199705140209.MAA23416@godzilla.zeta.org.au>
References: <199705140209.MAA23416@godzilla.zeta.org.au>

Bruce Evans writes:
>>>Another problem: isdigit(*p) is usually undefined if *p < 0.
>>
>>What does usually mean? There is no warning in the isdigit manpage.
>
>Except when *p == EOF. The man page is deficient. So is ctype(3).

Fix the manpage or write a PR ;-)

>ANSI ctype functions are only valid for args that are representable as an
>unsigned char or equal to EOF.

__isctype in /usr/include/ctype.h returns 0 if the argument is less than 0 or greater than or equal to 256. So I don't see a real problem for FreeBSD.

--
Wolfram Schneider http://www.apfel.de/~wosch/

From owner-freebsd-security Wed May 14 03:09:23 1997
Date: Wed, 14 May 1997 20:02:44 +1000
From: Bruce Evans
Message-Id: <199705141002.UAA06986@godzilla.zeta.org.au>
To: bde@zeta.org.au, wosch@apfel.de
Subject: Re: Linux UID/GID 'Feature'
Cc: freebsd-security@freebsd.org, wollman@khavrinen.lcs.mit.edu

>__isctype in /usr/include/ctype.h returns 0 if the argument
>is less than 0 or greater than or equal to 256. So I don't see
>a real problem for FreeBSD.

Only depend on that if you want to write unportable software. The < 0 case is slower under FreeBSD.

Bruce

From owner-freebsd-security Wed May 14 11:37:04 1997
Message-ID: <3379FE38.4F0@TerraNova.net>
Date: Wed, 14 May 1997 14:02:32 -0400
From: Travis Mikalson
Reply-To: bofh@terranova.net
Organization: TerraNovaNet
To: Jonathan Mini
CC: security@FreeBSD.ORG
Subject: Re: /usr/sbin/wall is suid root.

Jonathan Mini wrote:
>
> Personally, I think that being able to transmit an arbitrary string of
> characters to every user's console on the system is a bit of a security
> hole. ANSI keyboard reassignments come to mind.

On my system, running 2.2-STABLE, /usr/bin/wall is setgid tty..
-r-xr-sr-x  1 bin  tty  12288 Apr 16 06:05 /usr/bin/wall

What version are you running where wall is in /usr/sbin and is setuid root?

Travis
--
-=--==--===---====----======------=======-------
TerraNovaNet Internet Services - Key Largo, FL
Voice: (305)453-4011 Fax: (305)451-5991 http://www.TerraNova.net
-------=======------======----====---===--==--=-
Always remember that you are unique. Just like everyone else.

From owner-freebsd-security Wed May 14 12:55:47 1997
From: "Jonathan M. Bresler"
Message-Id: <199705141955.MAA00844@hub.freebsd.org>
Subject: Re: Linux UID/GID 'Feature'
To: wosch@apfel.de (Wolfram Schneider)
Date: Wed, 14 May 1997 12:55:24 -0700 (PDT)
Cc: bde@zeta.org.au, wollman@khavrinen.lcs.mit.edu, freebsd-security@FreeBSD.ORG
In-Reply-To: <199705132116.XAA00653@campa.panke.de> from "Wolfram Schneider" at May 13, 97 11:16:19 pm

Wolfram Schneider wrote:
>
> >Another problem: isdigit(*p) is usually undefined if *p < 0.
>
> What does usually mean? There is no warning in the isdigit manpage.

        isdigit() and all the other string macros
        should be used with ascii characters only.
        so (isascii(*p) && isdigit(*p))
        is the correct way to use isdigit()

        this may have changed with the introduction of runes.

jmb

From owner-freebsd-security Wed May 14 13:03:40 1997
Message-ID: <19970514130407.00511@hydrogen.nike.efn.org>
Date: Wed, 14 May 1997 13:04:07 -0700
From: John-Mark Gurney
To: bofh@terranova.net
Cc: Jonathan Mini, security@FreeBSD.ORG
Subject: Re: /usr/sbin/wall is suid root.
References: <3379FE38.4F0@TerraNova.net>
In-Reply-To: <3379FE38.4F0@TerraNova.net>; from Travis Mikalson on Wed, May 14, 1997 at 02:02:32PM -0400
Reply-To: John-Mark Gurney
Organization: Cu Networking
X-Operating-System: FreeBSD 2.2.1-RELEASE i386

Travis Mikalson scribbled this message on May 14:
> Jonathan Mini wrote:
> >
> > Personally, I think that being able to transmit an arbitrary string of
> > characters to every user's console on the system is a bit of a security
> > hole. ANSI keyboard reassignments come to mind.
>
> On my system, running 2.2-STABLE, /usr/bin/wall is setgid tty..
> -r-xr-sr-x  1 bin  tty  12288 Apr 16 06:05 /usr/bin/wall
>
> What version are you running where wall is in /usr/sbin and is setuid
> root?

well.. I think Mini didn't check close enough... but still... having it sgid tty can have adverse side effects... like allowing people to write to everyone... (REALLY annoying when you have around 8-15 logins.. :) )

I think we shouldn't install it sgid... is there any good reason to have it sgid??
--
John-Mark
Cu Networking Modem/FAX: +1 541 683 6954

Live in Peace, destroy Micro$oft, support free software, run FreeBSD

From owner-freebsd-security Wed May 14 13:34:44 1997
Date: Wed, 14 May 1997 15:34:17 -0500 (CDT)
From: b
To: John-Mark Gurney
cc: security@FreeBSD.ORG
Subject: Re: /usr/sbin/wall is suid root.
In-Reply-To: <19970514130407.00511@hydrogen.nike.efn.org>

On Wed, 14 May 1997, John-Mark Gurney wrote:

> well.. I think Mini didn't check close enough... but still... having it
> sgid tty can have adverse side effects... like allowing people to write
> to everyone... (REALLY annoying when you have around 8-15 logins.. :) )

Isn't that the expected behavior of wall? If you don't want users broadcasting messages, then remove the execute bit.

b

From owner-freebsd-security Wed May 14 16:04:49 1997
Date: Wed, 14 May 1997 16:11:52 -0700 (PDT)
From: Jonathan Mini
To: John-Mark Gurney
cc: bofh@terranova.net, security@FreeBSD.ORG
Subject: Re: /usr/sbin/wall is suid root.
In-Reply-To: <19970514130407.00511@hydrogen.nike.efn.org>

On Wed, 14 May 1997, John-Mark Gurney wrote:

He is right, I didn't check. However, this was 2.2.1-R.

> Travis Mikalson scribbled this message on May 14:
> > Jonathan Mini wrote:
> > >
> > > Personally, I think that being able to transmit an arbitrary string of
> > > characters to every user's console on the system is a bit of a security
> > > hole. ANSI keyboard reassignments come to mind.
> >
> > On my system, running 2.2-STABLE, /usr/bin/wall is setgid tty..
> > -r-xr-sr-x  1 bin  tty  12288 Apr 16 06:05 /usr/bin/wall
> >
> > What version are you running where wall is in /usr/sbin and is setuid
> > root?
>
> well.. I think Mini didn't check close enough... but still... having it
> sgid tty can have adverse side effects... like allowing people to write
> to everyone... (REALLY annoying when you have around 8-15 logins.. :) )
>
> I think we shouldn't install it sgid... is there any good reason to
> have it sgid??
>
> --
> John-Mark
> Cu Networking Modem/FAX: +1 541 683 6954
>
> Live in Peace, destroy Micro$oft, support free software, run FreeBSD
>

Jonathan Mini (j_mini@efn.org)
... Desolation ... Despair ... Plastic Forks ...
From owner-freebsd-security Wed May 14 16:16:45 1997
Date: Thu, 15 May 1997 09:21:22 +1000 (EST)
From: "Daniel O'Callaghan"
To: Travis Mikalson
cc: Jonathan Mini, security@FreeBSD.ORG
Subject: Re: /usr/sbin/wall is suid root.
In-Reply-To: <3379FE38.4F0@TerraNova.net>

On Wed, 14 May 1997, Travis Mikalson wrote:

> Jonathan Mini wrote:
> >
> > Personally, I think that being able to transmit an arbitrary string of
> > characters to every user's console on the system is a bit of a security
> > hole. ANSI keyboard reassignments come to mind.
>
> On my system, running 2.2-STABLE, /usr/bin/wall is setgid tty..
> -r-xr-sr-x  1 bin  tty  12288 Apr 16 06:05 /usr/bin/wall
>
> What version are you running where wall is in /usr/sbin and is setuid
> root?

Additionally, if you care to read the wall sources, you will find that wall won't print non-printable characters, and so can't send escape sequences.

Danny

From owner-freebsd-security Wed May 14 19:23:50 1997
Date: Thu, 15 May 1997 12:11:59 +1000
From: Bruce Evans
Message-Id: <199705150211.MAA09069@godzilla.zeta.org.au>
To: jmb@FreeBSD.ORG, wosch@apfel.de
Subject: Re: Linux UID/GID 'Feature'
Cc: bde@zeta.org.au, freebsd-security@FreeBSD.ORG, wollman@khavrinen.lcs.mit.edu

>        isdigit() and all the other string macros
>        should be used with ascii characters only.
>        so (isascii(*p) && isdigit(*p))
>        is the correct way to use isdigit()
>
>        this may have changed with the introduction of runes.

Nope. The ctype macros are specified without reference to ASCII characters in ANSI C. There is no isascii() function in ANSI C. ASCII characters may be supported as a special locale.

Bruce
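The conversions argued over in this thread (Garrett's strtol() with explicit limits, Bruce's preference for strtoul(), and the isdigit()-on-a-negative-char point that runs from Bruce's first reply to his last), as an added example written for this page; it is not code from the thread or from pwd_mkdb. naive_atol_id() reproduces the atol() behaviour behind the original report, where a field such as "#1000" quietly becomes 0, and parse_id_field() does what the replies ask for: a digits-only check with isdigit() called on an unsigned char, a strtoul() conversion with errno checked, and an explicit upper limit. DEMO_MAX_ID, the helper names and the sample fields are assumptions made for the demonstration.

```c
/*
 * Added example (not part of the mailing-list thread): parsing a passwd
 * UID/GID field the way the discussion converges on, beside the atol()
 * behaviour the original report describes. DEMO_MAX_ID and the sample
 * fields are constructed for this demonstration; the thread notes that the
 * real limits belong in a system header, not in pwd_mkdb itself.
 */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define DEMO_MAX_ID 0xffffffffUL /* assumed: largest value a 32-bit uid_t/gid_t holds */

enum id_status { ID_OK = 0, ID_EMPTY, ID_BAD_CHAR, ID_RANGE };

/* The behaviour the report describes: atol() stops at the first non-digit,
 * so "#1000" converts to 0, i.e. the superuser id, without any error. */
unsigned long naive_atol_id(const char *field)
{
    return (unsigned long)atol(field);
}

/* Strict conversion. Returns ID_OK and stores the value in *out, or an error
 * code. The digit loop runs before the conversion and uses its own pointer,
 * so the caller's field string is untouched and still usable in messages. */
enum id_status parse_id_field(const char *field, unsigned long *out)
{
    const char *p;
    char *ep;
    unsigned long v;

    if (field == NULL || field[0] == '\0')
        return ID_EMPTY;

    /* strtoul() on its own accepts leading white space and a '+'/'-' sign
     * (the strtol(3) text quoted above), so insist on digits only. The cast
     * matters: a plain char can be negative for a high-bit byte, and the
     * ctype functions are only defined for values representable as an
     * unsigned char or equal to EOF. */
    for (p = field; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return ID_BAD_CHAR;

    errno = 0;
    v = strtoul(field, &ep, 10);
    if (*ep != '\0')               /* cannot happen after the loop; kept as a guard */
        return ID_BAD_CHAR;
    if (errno == ERANGE || v > DEMO_MAX_ID)
        return ID_RANGE;           /* overflowed unsigned long, or too big for the id type */

    *out = v;
    return ID_OK;
}

/* Wrappers that report a field's outcome as a single value. */
enum id_status id_status_of(const char *field)
{
    unsigned long v;
    return parse_id_field(field, &v);
}

unsigned long id_value_or(const char *field, unsigned long fallback)
{
    unsigned long v;
    return parse_id_field(field, &v) == ID_OK ? v : fallback;
}

int main(void)
{
    /* Constructed sample fields: a normal uid, the commented-out uid from the
     * report, a leading blank, a sign, the largest valid value, one past it,
     * and an empty field. */
    static const char *samples[] = { "1000", "#1000", " 1000", "-1",
                                     "4294967295", "4294967296", "" };
    static const char *names[] = { "ok", "empty", "bad char", "out of range" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long v = 0;
        enum id_status st = parse_id_field(samples[i], &v);
        printf("%-12s atol -> %-20lu strict -> %s", samples[i],
               naive_atol_id(samples[i]), names[st]);
        if (st == ID_OK)
            printf(" (%lu)", v);
        putchar('\n');
    }
    return 0;
}
```

Build it with any C compiler and run it; in the C locale a high-bit byte such as 0xe9 is reported as a bad character instead of reaching isdigit() as a negative int, which is the portability point Bruce and jmb disagree about above.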