Date: Sat, 8 Sep 2001 17:43:04 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Matt Dillon <dillon@earth.backplane.com>, Jordan Hubbard <jkh@FreeBSD.ORG>, security@FreeBSD.ORG, audit@FreeBSD.org
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010908174304.A88816@xor.obsecurity.org>
In-Reply-To: <20010908170257.A82082@xor.obsecurity.org>; from kris@obsecurity.org on Sat, Sep 08, 2001 at 05:02:57PM -0700
References: <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12> <200109082103.f88L3fK29117@earth.backplane.com> <20010908154617.A73143@xor.obsecurity.org> <20010908170257.A82082@xor.obsecurity.org>
On Sat, Sep 08, 2001 at 05:02:57PM -0700, Kris Kennaway wrote: > Looks like setting the schg flag is the only feasible containment > solution for now. Here's a proposed fix. It just disallows anyone other than root from specifying an alternate configuration file, for the setuid utilities (which was the cause of the vulnerability here, AFAIK). Kris Index: uucico/uucico.c =================================================================== RCS file: /mnt/ncvs/src/gnu/libexec/uucp/uucico/uucico.c,v retrieving revision 1.9 diff -u -b -r1.9 uucico.c --- uucico/uucico.c 1999/08/27 23:33:51 1.9 +++ uucico/uucico.c 2001/09/09 00:32:03 @@ -376,6 +376,11 @@ case 'I': /* Set configuration file name (default is in sysdep.h). */ + if (getuid() != 0) + { + fprintf (stderr, "%s: config file can only be specified by root\n", zProgram); + exit (EXIT_FAILURE); + } if (fsysdep_other_config (optarg)) zconfig = optarg; break; Index: uucp/uucp.c =================================================================== RCS file: /mnt/ncvs/src/gnu/libexec/uucp/uucp/uucp.c,v retrieving revision 1.7 diff -u -b -r1.7 uucp.c --- uucp/uucp.c 1999/08/27 23:33:56 1.7 +++ uucp/uucp.c 2001/09/09 00:32:01 @@ -198,6 +198,11 @@ case 'I': /* Name configuration file. */ + if (getuid() != 0) + { + fprintf (stderr, "%s: config file can only be specified by root\n", zProgram); + exit (EXIT_FAILURE); + } if (fsysdep_other_config (optarg)) zconfig = optarg; break; Index: uuname/uuname.c =================================================================== RCS file: /mnt/ncvs/src/gnu/libexec/uucp/uuname/uuname.c,v retrieving revision 1.6 diff -u -b -r1.6 uuname.c --- uuname/uuname.c 1999/08/27 23:33:59 1.6 +++ uuname/uuname.c 2001/09/09 00:27:52 
@@ -86,6 +86,11 @@ case 'I': /* Configuration file name. */ + if (getuid() != 0) + { + fprintf (stderr, "%s: config file can only be specified by root\n", zProgram); + exit (EXIT_FAILURE); + } if (fsysdep_other_config (optarg)) zconfig = optarg; break; Index: uustat/uustat.c =================================================================== RCS file: /mnt/ncvs/src/gnu/libexec/uucp/uustat/uustat.c,v retrieving revision 1.7 diff -u -b -r1.7 uustat.c --- uustat/uustat.c 1999/08/27 23:34:03 1.7 +++ uustat/uustat.c 2001/09/09 00:34:26 @@ -279,6 +279,11 @@ case 'I': /* Set configuration file name. */ + if (getuid() != 0) + { + fprintf (stderr, "%s: config file can only be specified by root\n", zProgram); + exit (EXIT_FAILURE); + } if (fsysdep_other_config (optarg)) zconfig = optarg; break; Index: uux/uux.c =================================================================== RCS file: /mnt/ncvs/src/gnu/libexec/uucp/uux/uux.c,v retrieving revision 1.11 diff -u -b -r1.11 uux.c --- uux/uux.c 1999/08/27 23:34:06 1.11 +++ uux/uux.c 2001/09/09 00:25:35 @@ -235,6 +235,11 @@ case 'I': /* Configuration file name. */ + if (getuid() != 0) + { + fprintf (stderr, "%s: config file can only be specified by root\n", zProgram); + exit (EXIT_FAILURE); + } if (fsysdep_other_config (optarg)) zconfig = optarg; break;
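Review bot: The guard `if (getuid() != 0)` in every `case 'I':` hunk (uucico.c, uucp.c, uuname.c, uustat.c, uux.c) refuses `-I` to all non-root users regardless of whether the program is actually running with borrowed privilege, while the stated purpose is to stop unprivileged callers of the setuid utilities from pointing them at a config file they control. If the intent is to tie the restriction to the privilege gap rather than to uid 0, consider `if (getuid() != geteuid())` or FreeBSD's `issetugid()` instead, which would keep `-I` usable for a non-setuid build or for the uucp owner running its own binaries; if the uid-0 check is deliberately the more conservative choice, a one-line comment above the block saying so would save the next reader from "fixing" it.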
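Review bot: The same five added lines are pasted verbatim into all five hunks, which makes it easy for the next setuid utility that grows a `-I` option to miss the check and for the message text to drift between copies. A single helper in the shared UUCP library (hypothetical name, e.g. `fcheck_config_allowed ()`) called from each `case 'I':` would keep the policy and the error message in one place. Minor style point in the same lines: `getuid()` has no space before the parenthesis, whereas the surrounding code (`fprintf (stderr`, `fsysdep_other_config (optarg)`, `exit (EXIT_FAILURE)`) follows GNU spacing.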
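Review bot: This is a user-visible behaviour change (the `-I` option now fails with an error for anyone but root in all five programs), but the patch carries no hunk for the usage text or the manual pages of uucico, uucp, uuname, uustat and uux; those should be updated in the same commit so the new error message is documented rather than discovered. The existing `if (fsysdep_other_config (optarg))` check remains after the new block and is now reachable only by root, which is fine, but it is worth noting in the commit message that the new block is a containment measure for the Taylor UUCP advisory in the Subject line, not a replacement for that check.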