From: Dag-Erling Smørgrav <des@des.no>
To: Przemyslaw Frasunek
Cc: freebsd-security@freebsd.org
Subject: Re: ~/.login_conf mechanism is flawed
Date: Tue, 10 Aug 2010 17:36:12 +0200
Message-ID: <86fwym32fn.fsf@ds4.des.no>
In-Reply-To: <4C611FA9.6070409@frasunek.com> (Przemyslaw Frasunek's message of "Tue, 10 Aug 2010 11:45:13 +0200")

Przemyslaw Frasunek writes:
> 41513 ftpd CALL seteuid(0xbb8)
> 41513 ftpd RET seteuid 0
> 41513 ftpd NAMI "/home/venglin/.login_conf"
> 41513 ftpd NAMI "/home/venglin/.login_conf.db"
> 41513 ftpd NAMI "/home/venglin/.login_conf.db"

login_getclassbyname() temporarily drops privs while reading the user's .login_conf, because the user's ~ may be on (for instance) an NFS mount with -maproot=nobody. Janne's mistake is to assume that reading == processing.
However, he is correct in that in the event of an exploitable code injection vulnerability in the code that *reads* the file, the injected code can easily reacquire root privs.

There is a different issue documented in PR bin/141840 which results in the user's resource limits being processed *with* root privs in certain circumstances. It so happens that in FreeBSD, those circumstances only arise in OpenSSH. This does not mean that the bug is in OpenSSH; it's in setusercontext(3), which makes unwarranted assumptions about how it is being called. Unfortunately, that PR arrived at a time when so@ was busy with far more important issues, and it fell through the cracks.

The good news is that the only settings that can be overridden in this manner are resource limits and the CPU mask.

DES
-- 
Dag-Erling Smørgrav - des@des.no