From owner-freebsd-security Wed Nov 3 15:17: 0 1999
Delivered-To: freebsd-security@freebsd.org
Received: from alive.znep.com (alive.znep.com [207.167.15.58]) by hub.freebsd.org (Postfix) with ESMTP id E3AF31557D for ; Wed, 3 Nov 1999 15:16:38 -0800 (PST) (envelope-from marcs@znep.com)
Received: from localhost (marcs@localhost) by alive.znep.com (8.9.3/8.9.1) with ESMTP id QAA03150; Wed, 3 Nov 1999 16:16:16 -0700 (MST) (envelope-from marcs@znep.com)
Date: Wed, 3 Nov 1999 16:16:16 -0700 (MST)
From: Marc Slemko
To: Robert Watson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Examining FBSD set[ug]ids and their use
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 3 Nov 1999, Robert Watson wrote:

> Same goes for man -- /usr/bin/man is owned by uid man, so anyone who
> breaks the manpage sandbox can modify it, and abscond with the privileges

No they can't. It is schg for this very reason. Not the best solution, but it works.

man did have numerous security holes that let you easily compromise the man uid and then replace the binary, but the known ones (ie. the ones I found and maybe a couple more) were fixed in... 1996 at that same time it was made immutable.

> of any user running man. Man should really use a gid, not a uid, so that
> the man binary doesn't have to by writable by the sandbox. Or
> alternatively, we should throw away caching since our machines are getting
> so fast :-). There are no doubt others, of course, but the traditional
> flaw here is that setuid binaries have to be owned by the account they
> switch to, making them a poor choice for a sandbox. Really the binary
> switching to the sandbox should not be modifiable by code running in the
> sandbox. setgid doesn't fix that entirely because it doesn't handle the
> sandbox the same way, but...

setgid introduces the problem that then the user running it has permissions to modify the generated file. This is _not_ desirable.

The alternative is a setuid root program that setuid()s to the appropriate uid then executes the program. Then no code that is executed has to be modifiable by that uid. There are still potential issues with that though.
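The launcher design Marc sketches in his last paragraph, written out as an added example (this is not code from the thread or from FreeBSD): a small setuid-root wrapper that refuses to run if the target binary is modifiable by the sandbox account, then drops supplementary groups, gid and uid in that order, verifies the drop, and execs the real program. All names here (sandbox_launch, writable_by_account, drop_privileges, the self-test helpers) are my own, and the check is mode-bit based rather than flag based, so it is portable; the root-only setgroups() call is skipped when not running as root so the self-test also works unprivileged.

```c
/* Added example, not part of the original thread. A privilege-separating
 * launcher: setuid root, drops to a dedicated sandbox uid/gid, then execs.
 * The point of the thread is that the binary the sandbox runs must not be
 * writable by the sandbox account, so that check comes first. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if an account with this uid/gid could modify the file through ordinary
 * mode bits (owner, group or world write). Root is deliberately not special
 * cased: the question is about the unprivileged sandbox account. */
int writable_by_account(const struct stat *st, uid_t uid, gid_t gid)
{
    if (st->st_uid == uid && (st->st_mode & S_IWUSR)) return 1;
    if (st->st_gid == gid && (st->st_mode & S_IWGRP)) return 1;
    if (st->st_mode & S_IWOTH) return 1;
    return 0;
}

/* stat() convenience wrapper; -1 if the path cannot be stat()ed. */
int path_writable_by_account(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return writable_by_account(&st, uid, gid);
}

/* Irrevocable privilege drop. Order matters: supplementary groups and gid
 * must go before uid, because once uid is no longer 0 those calls fail.
 * Returns 0 only if every id really changed. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1; /* root only */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

/* The wrapper: refuse if the target is not a regular file or is modifiable
 * by the sandbox account (a compromised sandbox would otherwise hand a
 * trojaned binary to every invoker, the man(1) problem in the thread),
 * then drop privileges and exec. Only returns on failure. */
int sandbox_launch(const char *prog, char *const argv[], uid_t uid, gid_t gid)
{
    struct stat st;
    if (uid == 0) { errno = EINVAL; return -1; }   /* sandbox must not be root */
    if (stat(prog, &st) != 0) return -1;
    if (!S_ISREG(st.st_mode) || writable_by_account(&st, uid, gid)) {
        errno = EPERM;
        return -1;
    }
    if (drop_privileges(uid, gid) != 0) return -1;
    execv(prog, argv);
    return -1;
}

/* Constructed temp file with a chosen mode, for the self-test only. */
int make_temp_file(char *out, size_t outlen, mode_t mode)
{
    char tmpl[] = "/tmp/sandbox-wrapper-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    close(fd);
    if (chmod(tmpl, mode) != 0 || strlen(tmpl) + 1 > outlen) { unlink(tmpl); return -1; }
    strcpy(out, tmpl);
    return 0;
}

/* Self-test on constructed files: a 0755 file we own is writable by our own
 * account and the launcher refuses it; a 0555 file is writable by nobody via
 * mode bits. Returns 1 when every check matches. */
int selftest_writability(void)
{
    char path[64];
    int ok = 1;
    if (make_temp_file(path, sizeof path, 0755) != 0) return 0;
    char *argv[] = { path, NULL };
    ok = ok && path_writable_by_account(path, getuid(), getgid()) == 1;
    ok = ok && sandbox_launch(path, argv, getuid(), getgid()) == -1;
    unlink(path);
    if (make_temp_file(path, sizeof path, 0555) != 0) return 0;
    ok = ok && path_writable_by_account(path, getuid(), getgid()) == 0;
    ok = ok && path_writable_by_account(path, getuid() + 1, getgid() + 1) == 0;
    unlink(path);
    return ok;
}

/* Usage: sandbox_wrapper <uid> <gid> <program> [args...]  (install setuid root) */
int main(int argc, char **argv)
{
    if (argc < 4) { fprintf(stderr, "usage: %s uid gid program [args...]\n", argv[0]); return 2; }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    if (sandbox_launch(argv[3], argv + 3, uid, gid) != 0) { perror("sandbox_launch"); return 1; }
    return 0;
}
```

Two caveats a production version would address, and which are the "potential issues" Marc alludes to: the stat()/execv() pair is a time-of-check/time-of-use window (open the file, fstat() the descriptor, and fexecve() it instead), and a mode-bit check is weaker than what the thread relies on for man, namely the schg flag, which on FreeBSD shows up as SF_IMMUTABLE in st_flags and can be required in addition.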