From owner-freebsd-hackers Tue Nov 17 14:11:52 1998
Message-Id: <199811172211.QAA09047@s07.sa.fedex.com>
To: Mikael Karpberg
cc: hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Would this make FreeBSD more secure?
Date: Tue, 17 Nov 1998 16:10:32 -0600
From: William McVey

Mikael Karpberg wrote:
>Umm... I have seen no one in this discussion mention this, so I'll say it,
>after repeating what someone DID say "Small well audited setuid programs
>are not a problem". Now... Here's my suggestion, my_xlock.c:
>
> [code for my_xlock.c deleted]
>
>Seems simple enough to me, and could be used from scripts and everything.
>All you need is a small util (/usr/bin/check_pw) that is setuid root.

I believe this all started with the realization that setuid root shouldn't
be needed to verify passwords. A dedicated group could be created for this
task which would be limited to only having read access to the shadow file.

The proposed group 'shadow', and the associated changes to the getpw*
functions (a 3-4 line source code change which I've already sent out to
freebsd-security) would eliminate check_pw's need to be setuid root. This
would limit the exposure of its buffer overflow(*) to a less harmful set of
privileges.

Again, I'm not denying that xlock and friends can be replaced with something
more secure. I'm saying that whatever method is used to check passwords for
screen locking programs doesn't *NEED* root if the system's getpwnam (and
friends) uses the file permissions on /etc/spwd.db as the criteria for
access, rather than simply checking "am I root".

 -- William

* The buffer overflow occurs if the input does not contain space characters.
I don't think it can be exploited to smash the stack (since the buffer is
limited to 100 characters); however, I do know that if this program were
setuid root, it could be used to write a null on a piece of memory it
shouldn't be able to write on. If the program were setgid to group 'shadow'
it wouldn't be able to write on the memory (since that is "privilege"
granted only to root).

>int main() {
>	char buffer[100];
>	struct passwd *pw;
>	uid_t uid;
>	char *str;
>	char *setting;
>
>	fgets(buffer, sizeof buffer, stdin);
>	if (isdigit(buffer[0])) {
>		uid = strtol(buffer, &str, 0);
>		if (!*str)
>			exit(1);
>		pw = getpwuid(uid);
>	} else {
>		while (!isspace(*str))
>			str++;
/* Zoom!!! right off the end of the string, if there were no spaces in
 * the user input (isspace(3) doesn't return true on nulls). */
>		if (!*str)
>			exit(1);
>		*str = '\0';
/* If I'm root, this would have just scribbled a \0 someplace in memory.
 * If I'm setgid to group shadow, it would cause a SIGSEGV. Which would
 * *you* prefer? */
>		pw = getpwnam(buffer);
>	}
>	str++;
>	setting = get_setting_and_move_str(&str);
>	if (strcmp(pw->pw_passwd, crypt(str, setting)) == 0)
>		return 0;
>	return 1;
>}
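A bounded tokenizer for the same "name secret" input line, added here as an example and not code from either poster; the function names split_name_secret and parse_uid_token are my own choice. It shows the two checks the quoted loop lacks: the scan never leaves the buffer, and a line with no separator is rejected instead of having a '\0' written wherever the pointer stopped.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Split one fgets()-style line of the form "name secret" in place.
 * The scan is bounded by buflen, a NUL ends the input, and a line with
 * no separator (or an empty name) is rejected rather than modified.
 * Returns 0 and points *name/*secret into buf, or -1 on malformed input. */
int split_name_secret(char *buf, size_t buflen, char **name, char **secret)
{
    const char *nul = memchr(buf, '\0', buflen);
    size_t n, i;

    if (nul == NULL)                 /* no terminating NUL inside buf */
        return -1;
    n = (size_t)(nul - buf);
    if (n > 0 && buf[n - 1] == '\n') /* drop the newline fgets() keeps */
        buf[--n] = '\0';
    for (i = 0; i < n; i++)
        if (isspace((unsigned char)buf[i]))
            break;
    if (i == 0 || i == n)            /* empty name, or no separator */
        return -1;
    buf[i] = '\0';
    *name = buf;
    *secret = buf + i + 1;
    return 0;
}

/* Parse a numeric uid token for the getpwuid() path: every character
 * must be a digit and strtol must consume the whole token. */
int parse_uid_token(const char *tok, long *uid)
{
    char *end;

    if (!isdigit((unsigned char)tok[0]))
        return -1;
    errno = 0;
    *uid = strtol(tok, &end, 10);
    if (errno != 0 || *end != '\0' || *uid < 0)
        return -1;
    return 0;
}
```

Whichever group or user the checker ultimately runs as, the point of the thread stands: parsing mistakes like this one should be reachable only with the least privilege the check actually needs.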