From owner-freebsd-questions Tue Jan 7 10:35:28 2003
Delivered-To: freebsd-questions@freebsd.org
From: Mark
Message-Id: <200301071835.H07IZMJ40741@asarian-host.net>
Date: Tue, 7 Jan 2003 19:35:19 +0100
Subject: Re: security vulnerability in dump
Organization: Asarian-host
References: <200301071548.H07FM0J93369@asarian-host.net> <20030107180013.D14422@slave.east.ath.cx>
----- Original Message -----
From: "Andrew Prewett"
Sent: Tuesday, January 07, 2003 6:06 PM
Subject: Re: security vulnerability in dump

> Today Mark wrote:
>
> > I believe I have found a security vulnerability in dump, which, under
> > the right conditions, allows any user with shell access to gain
> > root privileges.
> >
> > When dumping to a file, dump writes this file chmod 644. When the
> > root partition is being backed up, this leaves the dump file vulnerable
> > to scanning by unprivileged users for the duration of the dump.
> >
> > I tested this, and, as a non-privileged user, was able to extract the
> > root password from the dump file using a simple regex:
> > "(/root:(.*?):0:0::0:0:Superuser:/)". This is, of course, based on the
> > fact that /etc/master.passwd also becomes part of the dump file.
> >
> > As to how highly to rank this exploitability, I am not sure. Certain
> > conditions need to be met. The dump must be made to a file, and the
> > unprivileged user must, naturally, know the name of the dump file; and
> > the dump, of course, must be made in multi-user mode.
> >
> > Still, I would feel a lot better if the FreeBSD development team made a
> > small adjustment to dump, writing its dump file chmod 600, which would
> > immediately solve any and all exploitability.
> >
> > If people deem it serious enough, I will file a report.
> >
> > Thanks for listening.
>
> Normally the master.passwd is backed up regularly by cron
> (/var/backups), so maybe no need to back it up again.
>
> hint: chflags nodump /etc/master.passwd
>
> -andrew

Thanks for your reply, Andrew.

Next to /etc/master.passwd, my greater point would be that the "run-length" storage of dump, since the file is chmod 644, effectively renders all files it backs up world-readable as it passes them along for processing. At least for the duration dump is running (assuming a backup script would change permissions directly thereafter). There may be a lot more files one wishes not to be world-readable. :) And excluding them all from the dump may not be the answer. Especially since it would be very little trouble to adjust dump's code in such a way that it writes chmod 600 to begin with.

- Mark

System Administrator
Asarian-host.org

---
"If you were supposed to understand it, we wouldn't call it code." - FedEx
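A defensive wrapper for the situation discussed in this thread, added here as an example and not part of the thread or of dump(8) itself: it creates the output file as mode 0600 under a restrictive umask before any backup tool writes to it, so the image is never world-readable, not even for the duration of the dump. The function names and the stand-in command used in place of dump are assumptions of this example.

```shell
#!/bin/sh
# Added example: write a backup image with owner-only permissions from the
# start instead of relying on a chmod after the tool has finished.

# Create (or truncate) the output file so that it is 0600 before any data
# lands in it. Returns 0 on success.
create_private_dumpfile() {
    out=$1
    # umask 077 makes the creating open() produce 0600 no matter what mode
    # the tool would otherwise request; the subshell keeps it from leaking.
    ( umask 077 && : > "$out" ) || return 1
    # If the file already existed, the umask did not apply: fix it explicitly.
    chmod 600 "$out" || return 1
}

# Return 0 if the file has no group or other permission bits set.
# Uses ls(1) rather than stat(1) because stat's flags differ between BSD and GNU.
is_owner_only() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Run a backup command with its stdout redirected into a pre-created private file.
# Usage (hypothetical): run_private_backup /var/backups/root.dump dump -0uaf - /
run_private_backup() {
    out=$1; shift
    create_private_dumpfile "$out" || return 1
    # Keep the restrictive umask for the tool too, covering any temp files it makes.
    ( umask 077 && "$@" > "$out" )
}
```

Marking individual files with `chflags nodump`, as suggested above, is complementary: it keeps a secret out of the image entirely, while the wrapper protects whatever does go in.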