Date: Tue, 17 Nov 1998 16:10:32 -0600
From: William McVey <wam@sa.fedex.com>
To: Mikael Karpberg <karpen@ocean.campus.luth.se>
Cc: hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Would this make FreeBSD more secure?
Message-ID: <199811172211.QAA09047@s07.sa.fedex.com>
Mikael Karpberg wrote:
>Umm... I have seen no one in this discussion mention this, so I'll say it,
>after repeating what someone DID say "Small well audited setuid programs
>are not a problem". Now... Here's my suggestion, my_xlock.c:
> [code for my_xlock.c deleted]
>Seems simple enough to me, and could be used from scripts and everything.
>All you need is a small util (/usr/bin/check_pw) that is setuid root.

I believe this all started with the realization that setuid root shouldn't
be needed to verify passwords. A dedicated group could be created for this
task which would be limited to only having read access to the shadow file.
The proposed group 'shadow', and the associated changes to the getpw*
functions (a 3-4 line source code change which I've already sent out to
freebsd-security) would eliminate check_pw's need to be setuid root. This
would limit the exposure of its buffer overflow(*) to a less harmful set of
privileges.

Again, I'm not denying that xlock and friends can be replaced with something
more secure. I'm saying that whatever method is used to check passwords for
screen locking programs doesn't *NEED* root if the system's getpwnam (and
friends) uses the file permissions on /etc/spwd.db as the criteria for
access, rather than simply checking "am I root".

  -- William

* The buffer overflow occurs if the input does not contain space characters.
I don't think it can be exploited to smash the stack (since the buffer is
limited to 100 characters); however, I do know that if this program were
setuid root, it could be used to write a null on a piece of memory it
shouldn't be able to write on. If the program were setgid to group 'shadow'
it wouldn't be able to write on the memory (since that is "privilege"
granted only to root).
>int main() {
>	char buffer[100];
>	struct passwd *pw;
>	uid_t uid;
>	char *str;
>	char *setting;
>
>	fgets(buffer, sizeof buffer, stdin);
>	if (isdigit(buffer[0])) {
>		uid = strtol(buffer, &str, 0);
>		if (!*str)
>			exit(1);
>		pw = getpwuid(uid);
>	} else {
>		str = buffer;	/* scan starts at the beginning of the input line */
>		while (!isspace(*str))
>			str++;

/* Zoom!!! right off the end of the string, if there were no spaces in
 * the user input (isspace(3) doesn't return true on nulls). */

>		if (!*str)
>			exit(1);
>		*str = '\0';

/* If I'm root, this would have just scribbled a \0 someplace in memory.
 * If I'm setgid to group shadow, it would cause a SIGV. Which would
 * *you* prefer? */

>		pw = getpwnam(buffer);
>	}
>	str++;
>	setting = get_setting_and_move_str(&str);
>	if (strcmp(pw->pw_passwd, crypt(str, setting)) == 0)
>		return 0;
>	return 1;
>}
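The unbounded scan William points out (a `while (!isspace(*str))` loop that only stops on whitespace, so a line with no spaces walks past the terminating NUL and the later `*str = '\0'` lands outside the buffer) is easy to bound. The following is an added example, not code from this thread or from FreeBSD: `find_delimiter` is the bounded counterpart of the quoted loop, and `split_user_field` is a hypothetical replacement for the user-name parsing step of check_pw that rejects a line with no delimiter instead of scribbling a NUL somewhere. The sample input lines in `main` are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Bounded replacement for 'while (!isspace(*str)) str++;'.
 * Returns the index of the first whitespace byte, or -1 if the NUL
 * terminator (or the end of the buffer) is reached first. isspace(3)
 * does not return true for NUL, so the NUL check must be explicit;
 * the cast to unsigned char keeps isspace() defined for high bytes. */
long find_delimiter(const char *buf, size_t bufsz)
{
    for (size_t i = 0; i < bufsz && buf[i] != '\0'; i++) {
        if (isspace((unsigned char)buf[i]))
            return (long)i;
    }
    return -1;
}

/* Hypothetical hardened parsing step: copy the user-name field (bytes
 * before the first whitespace) into 'user' and point 'rest' at what
 * follows the delimiter. Returns 0 on success, -1 when the line has no
 * delimiter, has an empty user field, or the field does not fit in
 * 'user'. No failure path writes outside 'line' or 'user'. */
int split_user_field(const char *line, size_t linesz,
                     char *user, size_t usersz, const char **rest)
{
    long n = find_delimiter(line, linesz);

    if (n <= 0)
        return -1;              /* no delimiter, or empty user name */
    if ((size_t)n >= usersz)
        return -1;              /* would overflow the caller's buffer */

    memcpy(user, line, (size_t)n);
    user[n] = '\0';
    *rest = line + n + 1;       /* password text begins after the delimiter */
    return 0;
}

int main(void)
{
    /* Constructed stand-ins for lines read with fgets(buffer, 100, stdin). */
    const char *samples[] = { "alice hunter2\n", "nodelimiterhere", "" };
    char user[32];
    const char *rest;

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (split_user_field(samples[i], 100, user, sizeof user, &rest) == 0)
            printf("user=%s rest=%s", user, rest);
        else
            printf("rejected: \"%s\"\n", samples[i]);
    }
    return 0;
}
```

With the bounded scan the no-space input is rejected before any write happens, so the question of whether the stray NUL lands as root or as group 'shadow' never arises; the group split still matters for every other bug in such a program, which is the point of the e-mail.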