From: Ruben de Groot
To: Josh Paetzel
Cc: freebsd-security@freebsd.org, Colin Percival
Date: Wed, 6 Dec 2006 14:43:03 +0100
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:25.kmem
Message-ID: <20061206134303.GA63129@ei.bzerk.org>
In-Reply-To: <200612060626.31834.josh@tcbug.org>

On Wed, Dec 06, 2006 at 06:26:31AM -0600, Josh Paetzel typed:
> On Wednesday 06 December 2006 04:07, Colin Percival wrote:
> > FreeBSD Security Advisories wrote:
> > > FreeBSD-SA-06:25.kmem                                Security Advisory
> > >                                                      The FreeBSD Project
> > > ...
> > > III. Impact
> > >
> > > A user in the "operator" group can read the contents of kernel
> > > memory. Such memory might contain sensitive information, such as
> > > portions of the file cache or terminal buffers. This information
> > > might be directly useful, or it might be leveraged to obtain
> > > elevated privileges in some way; for example, a terminal buffer
> > > might include a user-entered password.
> >
> > For what it's worth, there was a lot of debate about whether this
> > deserved an advisory: Members of the operator group are allowed (by
> > default, at least) to read raw disk devices, so being able to read
> > kernel memory really isn't very much of a privilege escalation. In
> > the end I decided to go ahead with this advisory largely because we
> > were already planning on issuing an advisory this week (for a far
> > more serious issue in GNU tar), but if a similar issue arises next
> > month, we might decide not to bother with an advisory.
> >
> > I'd be interested to hear opinions from the FreeBSD community about
> > whether this sort of issue is one which anyone really cares about.
> >
> > Colin Percival
> > FreeBSD Security Officer
>
> Sure, and if you can read raw disk devices you can
> read /etc/master.passwd and /etc/group....and if you can do that then
> it's trivial to break the passwords you need to su to someone in
> wheel and then su to root.
>
> I guess my point is someone in the operator group has a far easier way
> to gain root than this vuln.

True, but only in the default configuration. The reading of raw disk
devices really is controlled by filesystem privileges:

# ls -l /dev/ad4
crw-r-----  1 root  operator    0,  84 Dec  6 08:50 /dev/ad4

So you could for example remove the read bit for operators on some
devices, while still allowing them to dump/backup some other specific
devices.

This isn't the case for kmem:

# ls -l /dev/kmem
crw-r-----  1 root  kmem    0,  25 Dec  6 08:50 /dev/kmem

In my opinion that makes this a bug and a security issue.

Ruben de Groot
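Added audit helper, not part of the thread above: a small POSIX shell/awk filter that takes `ls -l` style output and lists the device nodes whose group-read bit is set for a given group, so an administrator can see which raw disk (or kmem) nodes a group such as operator can read before deciding which read bits to drop. The sample `ls -l` lines are constructed to resemble the ones quoted in the mail.

```shell
#!/bin/sh
# audit_group_readable GROUP
#   Reads `ls -l` lines on stdin and prints the name of every block or
#   character device node owned by group GROUP whose group-read bit is set.
#   Field layout of an `ls -l` line for a device node:
#     mode links owner group major, minor month day time name
#   The group-read bit is character 5 of the mode string (type + owner rwx).
audit_group_readable() {
    awk -v grp="$1" '
        $1 ~ /^[bc]/ && substr($1, 5, 1) == "r" && $4 == grp { print $NF }
    '
}

# Constructed sample input (not real system output), in the 2006-era
# FreeBSD layout quoted in the thread; ad6 has had its operator read bit removed.
SAMPLE='crw-r-----  1 root  operator    0,  84 Dec  6 08:50 /dev/ad4
crw-------  1 root  operator    0,  85 Dec  6 08:50 /dev/ad6
crw-r-----  1 root  kmem        0,  25 Dec  6 08:50 /dev/kmem
crw-rw-rw-  1 root  wheel       0,   3 Dec  6 08:50 /dev/null'

# Real use on a host: ls -l /dev | audit_group_readable operator
printf '%s\n' "$SAMPLE" | audit_group_readable operator   # prints /dev/ad4
printf '%s\n' "$SAMPLE" | audit_group_readable kmem       # prints /dev/kmem
```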