Date: Fri, 8 Sep 2000 00:13:21 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>
To: "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc: "Todd C. Miller" <Todd.Miller@courtesan.com>, Warner Losh <imp@village.org>, Kris Kennaway <kris@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
Message-ID: <Pine.GSO.4.10.10009072356220.845-100000@nenya.ms.mff.cuni.cz>
In-Reply-To: <20000908014646.A19231@nagual.pp.ru>
On Fri, 8 Sep 2000, Andrey A. Chernov wrote:

> On Thu, Sep 07, 2000 at 03:40:03PM -0600, Todd C. Miller wrote:
> > In message <20000908013556.A19114@nagual.pp.ru>
> > so spake "Andrey A. Chernov" (ache):
> >
> > > 'sudo' port *must* strip NLSPATH and PATH_LOCALE variables. No other
> > > actions required.
> >
> > That seems pretty reasonable. I'll strip those out of the environment
> > in sudo 1.6.4.
>
> Speaking outside of locale/nls area, 'sudo' *must* internally
> setenv TERMCAP /usr/share/misc/termcap
> too, for the same reasons. Grep 'issetugid' through libraries is your
> friend.

Yeah, that was a really interesting search:

vlada@dual:/ftp/pub/FreeBSD/branches/-current/src/lib$ find . -name \*.c | xargs grep issetugid
./libc/db/btree/bt_open.c: if (issetugid() == 0)
./libc/gen/glob.c: issetugid() != 0 ||
./libc/locale/setlocale.c: && !issetugid()
./libc/locale/setrunelocale.c: && !issetugid()
./libc/net/res_init.c: if (issetugid() == 0 && (cp = getenv("LOCALDOMAIN")) != NULL) {
./libc/net/res_init.c: if (issetugid())
./libc/net/res_query.c: if (issetugid())
./libc/nls/msgcat.c: || issetugid()
./libc/stdio/tempnam.c: if (issetugid() == 0 && (f = getenv("TMPDIR"))) {
./libc/stdtime/localtime.c: if (name != NULL && issetugid() != 0)
./libedit/el.c: if (issetugid() == 0 && (tty = getenv("DEBUGTTY")) != NULL) {
./libedit/el.c: if (issetugid() != 0 || (ptr = getenv("HOME")) == NULL)
./libncurses/termcap.c: if (issetugid())

What I see immediately:

locales and message catalogs: we already know about them.
file globbing: HOME is ignored, the home from the passwd entry is used.
the resolver: env vars LOCALDOMAIN, RES_OPTIONS, HOSTALIASES.
tempnam.c: ? even the TMPDIR ?
DEBUGTTY ?
termcap.
the btree code is also concerned about the TMPDIR: when setugid, ignore it and use /tmp.

Yeah, it looks like sudo & friends should be discarding all the environment variables that are discarded anywhere after an issetugid() check.

Looks like this is all, for the base system.

Maybe there should be a system-wide list of env vars not to be passed to programs running with elevated privileges....

The problem is rather generic: the cause is that a setugid program executes another program at the elevated privilege level, but does not transfer the "issetugid" flag.

IMHO.

Vladimir Mencl
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.GSO.4.10.10009072356220.845-100000>
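As an added illustration of what the thread is asking sudo to do (this is not code from the message, from sudo 1.6.4, or from the FreeBSD base system), the following C program builds a sanitized environment for a privileged child: it drops every variable that the grep output above shows libc ignoring once issetugid() is true, and pins TERMCAP to /usr/share/misc/termcap as Andrey suggests. The variable names are the ones named in the message (NLSPATH, PATH_LOCALE, TERMCAP, LOCALDOMAIN, RES_OPTIONS, HOSTALIASES, TMPDIR, DEBUGTTY, HOME); TZ is my reading of the localtime.c hit and is an assumption. The sample environment is constructed for the demo; the function names sanitize_env, is_unsafe_entry, env_get, env_len and free_env are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Variables the FreeBSD libc of the time refuses to honour when issetugid()
 * is true. Taken from the grep output in the message; TZ is assumed from the
 * localtime.c hit. A setuid wrapper that exec()s a child loses the
 * issetugid protection, so it must strip these itself. */
static const char *const unsafe_vars[] = {
    "NLSPATH",      /* libc/nls/msgcat.c */
    "PATH_LOCALE",  /* libc/locale/setlocale.c, setrunelocale.c */
    "TERMCAP",      /* libncurses/termcap.c */
    "LOCALDOMAIN",  /* libc/net/res_init.c */
    "RES_OPTIONS",  /* libc/net/res_init.c */
    "HOSTALIASES",  /* libc/net/res_query.c */
    "TMPDIR",       /* libc/stdio/tempnam.c, libc/db/btree/bt_open.c */
    "DEBUGTTY",     /* libedit/el.c */
    "HOME",         /* libc/gen/glob.c, libedit/el.c */
    "TZ",           /* libc/stdtime/localtime.c (assumed) */
    NULL
};

/* Value forced into the child's environment, per the suggestion above. */
#define SAFE_TERMCAP "TERMCAP=/usr/share/misc/termcap"

/* Constructed sample environment of an unprivileged caller. */
static char *sample_env[] = {
    "PATH=/usr/bin:/bin",
    "NLSPATH=/tmp/evil/%N",          /* attacker-controlled catalog path */
    "TERMCAP=/tmp/evil.termcap",     /* attacker-controlled termcap file */
    "USER=vlada",
    NULL
};

/* Return 1 if a "NAME=value" entry names a variable in unsafe_vars. */
int is_unsafe_entry(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t namelen = eq ? (size_t)(eq - entry) : strlen(entry);
    for (const char *const *v = unsafe_vars; *v; v++)
        if (strlen(*v) == namelen && strncmp(*v, entry, namelen) == 0)
            return 1;
    return 0;
}

/* Number of entries in a NULL-terminated environment array. */
size_t env_len(char *const *env)
{
    size_t n = 0;
    while (env[n]) n++;
    return n;
}

/* Look up NAME; returns a pointer to its value or NULL if absent. */
const char *env_get(char *const *env, const char *name)
{
    size_t namelen = strlen(name);
    for (; *env; env++)
        if (strncmp(*env, name, namelen) == 0 && (*env)[namelen] == '=')
            return *env + namelen + 1;
    return NULL;
}

/* Release an array produced by sanitize_env (tolerates partial arrays). */
void free_env(char **env)
{
    if (!env) return;
    for (size_t i = 0; env[i]; i++) free(env[i]);
    free(env);
}

static char *copy_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Build a fresh NULL-terminated copy of envp with every unsafe entry dropped
 * and TERMCAP pinned to the system file. The result is suitable as the envp
 * argument of execve(); caller frees it with free_env. */
char **sanitize_env(char *const *envp)
{
    size_t n = env_len(envp);
    /* worst case: all entries kept, plus SAFE_TERMCAP, plus terminator */
    char **out = calloc(n + 2, sizeof *out);
    if (!out) return NULL;
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_unsafe_entry(envp[i]))
            continue;
        if (!(out[k++] = copy_str(envp[i]))) { free_env(out); return NULL; }
    }
    if (!(out[k] = copy_str(SAFE_TERMCAP))) { free_env(out); return NULL; }
    return out;   /* calloc already left out[k+1] == NULL */
}

int main(void)
{
    char **clean = sanitize_env(sample_env);
    if (!clean) return 1;
    for (size_t i = 0; clean[i]; i++)
        puts(clean[i]);
    /* a real wrapper would now execve(path, argv, clean) */
    free_env(clean);
    return 0;
}
```

The match is on the exact variable name up to the first '=', so TMPDIRX is not confused with TMPDIR, and the blocklist is checked against the caller's environment rather than trusted from it; whatever the child does later with getenv() sees only the vetted copy.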