From: Josh Paetzel
To: freebsd-security@freebsd.org
Cc: Colin Percival
Date: Wed, 6 Dec 2006 06:26:31 -0600
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:25.kmem

On Wednesday 06 December 2006 04:07, Colin Percival wrote:
> FreeBSD Security Advisories wrote:
> > FreeBSD-SA-06:25.kmem
> > Security Advisory The FreeBSD Project ...
> > III. Impact
> >
> > A user in the "operator" group can read the contents of kernel
> > memory. Such memory might contain sensitive information, such as
> > portions of the file cache or terminal buffers. This information
> > might be directly useful, or it might be leveraged to obtain
> > elevated privileges in some way; for example, a terminal buffer
> > might include a user-entered password.
>
> For what it's worth, there was a lot of debate about whether this
> deserved an advisory: Members of the operator group are allowed (by
> default, at least) to read raw disk devices, so being able to read
> kernel memory really isn't very much of a privilege escalation. In
> the end I decided to go ahead with this advisory largely because we
> were already planning on issuing an advisory this week (for a far
> more serious issue in GNU tar), but if a similar issue arises next
> month, we might decide not to bother with an advisory.
>
> I'd be interested to hear opinions from the FreeBSD community about
> whether this sort of issue is one which anyone really cares about.
>
> Colin Percival
> FreeBSD Security Officer

Sure, and if you can read raw disk devices you can read
/etc/master.passwd and /etc/group....and if you can do that then it's
trivial to break the passwords you need to su to someone in wheel and
then su to root. I guess my point is someone in the operator group
has a far easier way to gain root than this vuln. It's great to fix
bugs, but I bet this one won't prompt many people to apply the
patches and/or rebuild world to fix.

Damned if you do, damned if you don't. If you don't issue an SA then
people mumble about how FBSD ignores security issues. If you do issue
the SA then people mumble about how pointless this one was.

My opinion is I'd rather know about it and make the decision myself
whether to apply the fixes than not know about it at all.

-- 
Thanks,
Josh Paetzel