From owner-freebsd-security@FreeBSD.ORG Fri Dec 17 15:36:34 2004
Date: Fri, 17 Dec 2004 10:36:29 -0500
From: Bill Vermillion <bv@wjv.com>
To: freebsd-security@freebsd.org
Subject: Re: Strange command histories in hacked shell history
Message-ID: <20041217153629.GD68582@wjv.com>
References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com> <20041217150324.GE1331@cowbert.net>
In-Reply-To: <20041217150324.GE1331@cowbert.net>
Organization: W.J.Vermillion / Orlando - Winter Park
List-Id: Security issues [members-only posting]

"My nipple is going to burst with pleasure!" exclaimed Peter C. Lai while reading this message on Fri, Dec 17, 2004 at 10:03 and then responded with:

> I thought on BSD, there was no distinction between euid and uid. If you login
> as user 'foo', and su to 'bar', your uid is bar and you gain all of "bar"'s
> privs.

And why should it be that way? It seems that in this day of security this
isn't the most secure way of doing things. I never did get an answer in the
past as to why this is still being done this way. Your explanation is
exactly the way it works, and it just seems wrong to me.

> On Fri, Dec 17, 2004 at 09:53:15AM -0500, Bill Vermillion wrote:
> > > Message: 1
> > > Date: Thu, 16 Dec 2004 20:31:05 +0800
> > > From: Ganbold
> > > Subject: Strange command histories in hacked shell server
> >
> > Just a minor comment on one portion of your message.
> >
> > [All deleted except the pertinent part - wjv]
> >
> > > Machine is configured in such a way that everyone can create an account themselves.
> > > Some user dir permissions:
> > > ...
> > > drwxr-xr-x 2 root wheel 512 Mar 29 2004 new
> > > drwx------ 3 tamiraad unix 512 Apr 9 2004 tamiraad
> > > drwxr-xr-x 6 tsgan tsgan 1024 Dec 16 17:51 tsgan
> > > drwx------ 4 tugstugi unix 512 Dec 13 20:34 tugstugi
> > > drwxr-xr-x 5 unix unix 512 Dec 13 12:37 unix
> > > ...
> > > User should log on as new with password new to create an account.
> > >
> > > Accounting is enabled and kern.securelevel is set to 2. Only one
> > > account 'tsgan' is in wheel group and only tsgan can become root
> > > using su.
> >
> > I've asked others before and never got a real answer on the design
> > of 'su' which to my way of thinking has a security hole that should
> > be fixed.
> >
> > su checks the EUID of the user to see if they are in 'wheel' to
> > enable them to su to root. It would seem to me it should
> > use the UID.
> >
> > In your case if the 'tsgan' account does not have a secure
> > password, and someone breaches the 'tsgan' account in any manner, such
> > as a SUID tsgan as I see it, then that user who cracked the 'tsgan'
> > account can su to root.
> >
> > So in your case there is the possibility that someone else
> > su'ed to 'tsgan' and then su'ed to root.
> >
> > Can anyone explain why su does not use the UID from the login
> > instead of the EUID? It strikes me as a security hole, but I'm no
> > security expert so explanations either way would be welcomed.
> >
> > Bill
> >
> > --
> > Bill Vermillion - bv @ wjv . com
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
> --
> Peter C. Lai
> University of Connecticut
> Dept. of Molecular and Cell Biology
> Yale University School of Medicine
> SenseLab | Research Assistant
> http://cowbert.2y.net/
>

--
Bill Vermillion - bv @ wjv . com
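The chain Bill worries about above (someone su'ing to 'tsgan' and from there to root) leaves no trace in root's shell history, because once the switch succeeds both the real and effective uid are the target's and the shell no longer knows who logged in. What does record it is su's own syslog output: FreeBSD's su(1) logs each successful switch as "<from> to <to> on /dev/<tty>" and each failure as "BAD SU <from> to <to> on /dev/<tty>". The script below is an added example for this thread, not code from the list or from FreeBSD. The log lines are constructed for the example (the host name 'shell' is made up), the 15-minute window is an assumption, and correlating hops by tty is a heuristic, since a tty is reused across sessions.

```python
import re
from datetime import datetime

# Constructed sample lines in the shape FreeBSD su(1) writes to syslog:
# "<from> to <to> on /dev/<tty>" on success, "BAD SU ..." on failure.
# They are made up for this example and are not log data from the thread.
SAMPLE_LOG = """\
Dec 16 17:40:01 shell su: unix to tsgan on /dev/ttyp3
Dec 16 17:40:19 shell su: tsgan to root on /dev/ttyp3
Dec 16 18:02:44 shell su: tsgan to root on /dev/ttyp0
Dec 16 18:10:05 shell su: BAD SU tugstugi to root on /dev/ttyp5
Dec 16 18:10:30 shell su: BAD SU tugstugi to tsgan on /dev/ttyp5
Dec 17 09:15:02 shell su: tamiraad to tsgan on /dev/ttyp1
Dec 17 12:00:00 shell su: tsgan to root on /dev/ttyp1
"""

# syslog timestamp, host, optional "su[pid]:" form, optional BAD SU marker
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ su(?:\[\d+\])?: "
    r"(?P<bad>BAD SU )?(?P<frm>\S+) to (?P<to>\S+) on (?P<tty>/dev/\S+)$"
)


def parse_su_log(text):
    """Turn syslog text into a list of su events. Syslog timestamps carry
    no year, so all events land in the same (dummy) year; differences
    between them are still correct within one log file."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an su line, ignore
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            "ok": m.group("bad") is None,
            "frm": m.group("frm"),
            "to": m.group("to"),
            "tty": m.group("tty"),
        })
    return events


def find_su_chains(events, window_s=900):
    """Flag every successful 'A to root' whose previous successful su on the
    same tty, within window_s seconds, was 'B to A' with B != A: root was
    reached through A's account rather than by someone who logged in as A.
    The window (assumed, 15 min) limits false hits from tty reuse."""
    last_on_tty = {}   # tty -> most recent successful su event on it
    chains = []
    for ev in events:
        if not ev["ok"]:
            continue
        prev = last_on_tty.get(ev["tty"])
        if (ev["to"] == "root" and prev is not None
                and prev["to"] == ev["frm"] and prev["frm"] != ev["frm"]
                and (ev["ts"] - prev["ts"]).total_seconds() <= window_s):
            chains.append((prev["frm"], ev["frm"], "root", ev["tty"]))
        last_on_tty[ev["tty"]] = ev
    return chains


def failed_su_by_user(events):
    """Count BAD SU lines per originating user (password guessing at wheel
    members shows up here before any chain succeeds)."""
    counts = {}
    for ev in events:
        if not ev["ok"]:
            counts[ev["frm"]] = counts.get(ev["frm"], 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_su_log(SAMPLE_LOG)
    for chain in find_su_chains(evs):
        print("su chain to root: %s -> %s -> %s on %s" % chain)
    for user, n in sorted(failed_su_by_user(evs).items()):
        print("failed su attempts by %s: %d" % (user, n))
```

On the sample data only the ttyp3 sequence is reported (unix -> tsgan -> root, 18 seconds apart); the ttyp1 pair is separated by nearly three hours and falls outside the window, and the two BAD SU lines are summarised per user. With process accounting enabled, as on the machine in the thread, lastcomm output for the same period is the natural cross-check for what the intermediate account ran.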