From owner-freebsd-security Mon Oct 4 5:33:52 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mailer.progressive-comp.com (docs3.abcrs.com [207.98.221.222]) by hub.freebsd.org (Postfix) with ESMTP id CB5CC14EE3 for ; Mon, 4 Oct 1999 05:33:47 -0700 (PDT) (envelope-from freebsd-security@progressive-comp.com)
Received: (from docs@localhost) by mailer.progressive-comp.com with id IAA14566; Mon, 4 Oct 1999 08:26:04 -0400
Date: Mon, 4 Oct 1999 08:26:04 -0400
From: freebsd-security@progressive-comp.com
Message-Id: <199910041226.IAA14566@mailer.progressive-comp.com>
Reply-To: Hank Leininger
To: freebsd-security@FreeBSD.ORG
Subject: Re: [Fwd: Truth about ssh 1.2.27 vulnerability]
X-Shameless-Plug: Check out http://www.progressive-comp.com/Lists/
X-Warning: This mail posted via a web gateway at www.progressive-comp.com
X-Warning: Report any violation of list policy to abuse@progressive-comp.com
X-Posted-By: Hank Leininger
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 1999-10-02, "Michael Bryan" wrote:

> On 9/29/99 at 10:01 PM Warner Losh wrote:
> >
> > FreeBSD should follow symlinks. In fact in the base system we have
> > /dev/log which points to /var/run/log.
>
> Would it make sense to have the following behaviour when bind()
> encounters a symlink?
>
> 1) If a symlink exists and points to a valid Unix-domain
>    socket, go ahead and follow the link.
>
> 2) If a symlink points to something other than a valid
>    Unix-domain socket, including a filename that does
>    not yet exist, then do not follow the symlink, and
>    return an appropriate error.
>
> This still allows /dev/log -> /var/run/log to work, but prevents
> abuse in cases of poor code like in ssh.

Hm, or more generally, modify the kernel such that no symlink in a
world-writeable and/or +t directory will be followed by a process unless it
is owned by root or the UID/EUID of the process. This is what Solar
Designer's patches for Linux have done for some time now.
It seems to break little (nothing, except POSIX? ;) and is quite effective.
SolarD's patches are at http://www.openwall.com/, but here's the appropriate
snippet as a teaser, since code (albeit linux-specific, of course) speaks
louder than words:

in fs/namei.c:follow_link():

+#ifdef CONFIG_SECURE_LINK
+/*
+ * Don't follow links that we don't own in +t directories, unless the link
+ * is owned by root.
+ */
+	if (S_ISLNK(inode->i_mode) && (dir->i_mode & S_ISVTX) &&
+	    inode->i_uid &&
+	    current->fsuid != inode->i_uid) {
+		security_alert("not followed symlink of %d.%d "
+			"by UID %d, EUID %d, process %s:%d",
+			"symlinks not followed",
+			inode->i_uid, inode->i_gid,
+			current->uid, current->euid,
+			current->comm, current->pid);
+		iput(dir);
+		iput(inode);
+		*res_inode = NULL;
+		return -EPERM;
+	}
+#endif

-- 
Hank Leininger

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
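Review bot: the condition tests only `dir->i_mode & S_ISVTX`, so the "world-writeable and/or +t" rule described in the covering text is not what this hunk enforces; a world-writeable directory without the sticky bit is untouched. Either add a `(dir->i_mode & S_IWOTH)` term or narrow the description to +t directories so the two agree. The `inode->i_uid &&` term exempts root-owned links, which is what keeps the /dev/log -> /var/run/log case working, and because the check sits in follow_link() it applies to every path lookup, not only bind(), so it closes the lookup-time race that a userland pre-check cannot. The security_alert() call records the link owner, the caller's UID/EUID, comm and pid for each refused follow, which gives an audit trail worth forwarding to whatever collects kernel messages.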
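The policy Hank describes can be restated outside the kernel, which makes it easy to reason about and to check against the cases the thread raises (root-owned /dev/log style links, a link owned by another user in /tmp, a plain non-sticky directory). The following is an added example written for this page; it is not code from the thread, from the Openwall patch, or from FreeBSD, and the function names sticky_symlink_allowed, check_symlink_path and demo_in_tempdir are hypothetical. The pure function mirrors the quoted condition (sticky directory, non-root link owner, owner differs from the caller's filesystem UID); the path-based wrapper is a userland pre-flight check only and, unlike the in-kernel version, is subject to a race between its lstat() and any later open() or bind().

```c
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example (hypothetical helper, not the Openwall code).
 * Pure restatement of the kernel-side condition quoted in the message:
 * a symlink in a +t directory may be followed only if it is owned by root
 * or by the caller's filesystem UID. Returns 1 = follow, 0 = refuse. */
int sticky_symlink_allowed(mode_t dir_mode, uid_t link_uid, uid_t fsuid)
{
    if (!(dir_mode & S_ISVTX))
        return 1;                 /* not a sticky directory: ordinary semantics */
    if (link_uid == 0)
        return 1;                 /* root-owned link, e.g. /dev/log -> /var/run/log */
    return link_uid == fsuid ? 1 : 0;
}

/* Userland approximation (hypothetical helper): apply the policy to the final
 * component of `path`. Intermediate components are not examined, and the
 * result can be stale by the time the caller opens or binds the path; it is a
 * pre-flight check, not a substitute for the kernel enforcing it.
 * Returns 1 = allowed (or not a symlink), 0 = refused, -1 = error with errno. */
int check_symlink_path(const char *path, uid_t fsuid)
{
    struct stat lst, dst;
    char tmp[PATH_MAX];

    if (lstat(path, &lst) != 0)
        return -1;
    if (!S_ISLNK(lst.st_mode))
        return 1;                 /* nothing to follow */

    if (strlen(path) >= sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    strcpy(tmp, path);            /* dirname() may modify its argument */
    if (stat(dirname(tmp), &dst) != 0)
        return -1;
    return sticky_symlink_allowed(dst.st_mode, lst.st_uid, fsuid);
}

/* Constructed scenario: a fresh +t directory under /tmp containing one symlink
 * owned by the current user. Returns the policy result for that link, or -1. */
int demo_in_tempdir(void)
{
    char dir[] = "/tmp/stickydemo.XXXXXX";
    char target[PATH_MAX], lnk[PATH_MAX];
    int rc;

    if (mkdtemp(dir) == NULL)
        return -1;
    (void)chmod(dir, S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX);   /* same mode as /tmp */
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    if (symlink(target, lnk) != 0) {
        rmdir(dir);
        return -1;
    }

    rc = check_symlink_path(lnk, geteuid());

    unlink(lnk);
    rmdir(dir);
    return rc;
}

int main(void)
{
    /* Constructed inputs for the pure policy function (UIDs are made up). */
    printf("+t dir, link owned by caller (uid 1000):   %d\n",
           sticky_symlink_allowed(S_IRWXU | S_ISVTX, 1000, 1000));
    printf("+t dir, link owned by another user (1001): %d\n",
           sticky_symlink_allowed(S_IRWXU | S_ISVTX, 1000, 1001));
    printf("+t dir, link owned by root:                %d\n",
           sticky_symlink_allowed(S_IRWXU | S_ISVTX, 0, 1001));
    printf("plain dir, link owned by another user:     %d\n",
           sticky_symlink_allowed(S_IRWXU, 1000, 1001));
    printf("own symlink in a fresh +t directory:       %d\n",
           demo_in_tempdir());
    return 0;
}
```

The second and fourth constructed cases are the interesting pair: the same foreign-owned link is refused in a sticky directory and followed in a plain one, which is exactly the narrowing that lets the rule coexist with root-owned links such as /dev/log. On current Linux kernels the equivalent protection is the fs.protected_symlinks sysctl, so the pure function above is a reasonable model of what that setting enforces.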