Date: Tue, 12 Feb 2002 08:47:59 +0000
From: Ceri <setantae@submonkey.net>
To: Beth Reid <breid@cyberguard.com>
Cc: freebsd-security@FreeBSD.org
Subject: Re: Questions regarding the wheel group
Message-ID: <20020212084759.D21643@cartman.private.techsupport.co.uk>
In-Reply-To: <20020212021206.3F3AC9EFD3@okeeffe.bestweb.net>; from breid@cyberguard.com on Fri, Feb 08, 2002 at 11:57:38AM -0500
References: <20020212021206.3F3AC9EFD3@okeeffe.bestweb.net>
On Fri, Feb 08, 2002 at 11:57:38AM -0500, Beth Reid said:
> This message is in MIME format. Since your mail reader does not understand
> this format, some or all of this message may not be legible.
There's no need for that either ;)
> I am doing research on the wheel group and security and I had a couple of
> questions.
>
> Some thoughts: Why should the wheel group be used on any files? I would
> think from a security point of view, wheel should not be the default or
> primary group for root. This way if you are in the wheel group and have
> root's password, you can become root. If you are in the wheel group, but do
> not have root's password you should not gain any special privileges to any
> files or directories. You should be like any other user.
My opinion: if someone is in wheel then they're already a somewhat trusted
user, and the ability to tail logs and see what is happening on the system
without having to su is a good thing for those users.
> My initial step was to check the permissions on all of the files to see if
> files with a group of "wheel" had permission bits where the group and other
> bits differed.
Did you also check what each of those files was for?
> 1) The only 2 devices on my system where wheel had more permission than
> other were the following. I am not sure yet if there is a vulnerability
> here.
> crw-rw---- 2 root wheel 14, 0x20000000 Nov 30 09:09
> ./dev/rsa0.ctl
> crw-rw---- 2 root wheel 14, 0x20000000 Nov 30 09:09 ./dev/sa0.ctl
I can't see one:
/dev/sa0.ctl Control mode device (to examine state while another
program is accessing the device, e.g.).
But then I trust my users in wheel.
> 2) In the /proc directory there is a mem file for each process. This seems
> to me like a vulnerability. The odd thing is that on one similar FreeBSD
> 4.3 release system the group was kmem for all files in this directory, all
> other systems had the group for root as wheel. So two questions here: 1)
> why does the group differ on the two systems, and 2) why does the wheel
> group have read privilege on these mem files?
>
> -rw-r----- 1 root wheel 0 Feb 6 12:27 ./proc/317/mem
> -rw-r----- 1 root wheel 0 Feb 6 12:27 ./proc/318/mem
They're processes running as root, therefore they have root's uid and gid.
Processes running as a non-root user have different permissions, e.g. on my
system:
-rw-r----- 1 alf alf 0 Feb 12 08:43 /proc/26905/mem
> 3) This seems harmless.
> -r-xr-x--- 1 root wheel 12424 Apr 21 2001 ./usr/sbin/mptable
Agreed.
> 4) This seems like it could be a vulnerability. If someone is in wheel
> that shouldn't be, he could read these files and perhaps gather some useful
> information.
> in /var/log
> -rw-r----- 1 root wheel 5490 Feb 6 03:01 setuid.today
> -rw-r----- 1 root wheel 5490 Feb 5 03:01 setuid.yesterday
> -rw-r----- 1 root wheel 5464 Feb 2 03:01 dmesg.today
> -rw-r----- 1 root wheel 5527 Feb 1 03:01 dmesg.yesterday
> -rw-r----- 1 root wheel 136 Dec 1 03:02 mount.today
Debatable - I like my wheel users to be able to read these.
> 5) These directories allow wheel to poke around in them, but not someone in
> the other group. It seems like I wouldn't want the crash files exposed.
> The cron directory is odd because although wheel can poke around in cron, he
> can't get to the tabs subfolder. The backup folder seems harmless(?).
> Someone in wheel can remove files from /tmp.
>
> in /var
> drwxrwxrwt 3 root wheel 512 Feb 6 03:01 tmp
> drwxr-x--- 2 root wheel 512 Feb 6 03:01 backups
> drwxr-x--- 3 root wheel 512 Nov 30 09:08 cron
> drwxr-x--- 2 root wheel 512 Nov 30 09:08 crash
vmcore files in /var/crash are created with a mode of 600.
The kernel files in there are just copies of a kernel.
Someone in wheel can only remove files from /var/tmp if they own them.
My basic premise is that someone shouldn't be in the wheel group unless
they can be trusted; the actual benefits, other than the ability to su,
seem to me to be limited to the fact that a few more logfiles are
readable.
Someone else on this list will probably have different views though.
Ceri
--
"Ummm, excuse me. I think the network's down...?"
"A communications disruption can only mean one thing... Invasion."
--Lee Maguire, SDM
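The audit the original poster describes (finding files whose group is wheel and whose group permission bits grant something the "other" bits do not) can be scripted. The shell snippet below is an added example and is not code from either message in this thread. It assumes `ls -l` style input where field 1 is the mode string and field 4 is the group name (the device-node lines quoted above fit that shape), and its live-filesystem variant assumes the symbolic `-perm -g+r` syntax supported by GNU and BSD find(1). The sample listing is constructed for illustration, not taken from any real system.

```shell
#!/bin/sh
# Audit an "ls -l" style listing for entries whose group is wheel and whose
# group permission bits grant something the "other" bits do not.
# Reads listing lines on stdin and prints the matching lines on stdout.
# Assumption: field 1 is the mode string, field 4 is the group name.
wheel_excess() {
    awk '
    NF >= 4 && length($1) >= 10 && $4 == "wheel" {
        grp = substr($1, 5, 3)   # characters 5-7 of the mode: group bits
        oth = substr($1, 8, 3)   # characters 8-10 of the mode: other bits
        for (i = 1; i <= 3; i++) {
            g = substr(grp, i, 1)
            o = substr(oth, i, 1)
            # "-", "S" (setgid, no exec) and "T" (sticky, no exec) grant
            # nothing; any other character is a real permission bit.
            if (g !~ /^[-ST]$/ && o ~ /^[-ST]$/) { print; next }
        }
    }'
}

# Constructed sample listing (hypothetical, modelled on the lines quoted
# in the thread; not real output from anyone's system).
sample_listing() {
    cat <<'EOF'
crw-rw---- 2 root wheel 14, 0x20000000 Nov 30 09:09 /dev/sa0.ctl
-rw-r----- 1 root wheel 5490 Feb 6 03:01 /var/log/setuid.today
-r-xr-x--- 1 root wheel 12424 Apr 21 2001 /usr/sbin/mptable
drwxrwxrwt 3 root wheel 512 Feb 6 03:01 /var/tmp
-rw-r--r-- 1 root wheel 2266 Jan 3 12:00 /etc/passwd
-rw-r----- 1 alf alf 0 Feb 12 08:43 /proc/26905/mem
EOF
}

# Number of sample entries where wheel gets more than "other".
wheel_excess_count() {
    sample_listing | wheel_excess | wc -l | tr -d ' '
}

# The same check against a live filesystem with find(1): entries owned by
# group wheel where a group bit is set but the matching other bit is not.
# Run as root to traverse everything; pass a directory to limit the tree.
live_wheel_excess() {
    find "${1:-/}" -xdev -group wheel \
        \( \( -perm -g+r ! -perm -o+r \) -o \
           \( -perm -g+w ! -perm -o+w \) -o \
           \( -perm -g+x ! -perm -o+x \) \) -ls 2>/dev/null
}

# Demo on the constructed listing: prints the sa0.ctl, setuid.today and
# mptable lines; /var/tmp, /etc/passwd and the alf-owned file are not hits.
sample_listing | wheel_excess
```

Each hit is a candidate, not a finding: as the reply points out, whether read access for wheel on a given file matters depends on what the file is for and how much the wheel members are trusted, so the output is the starting list for that per-file judgement rather than a verdict.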
