Date:      Wed, 11 Aug 2010 00:53:24 +0700
From:      Eugene Grosbein <eugen@eg.sd.rdtc.ru>
To:        Dag-Erling Smørgrav <des@des.no>
Cc:        freebsd-security@freebsd.org, Przemyslaw Frasunek <przemyslaw@frasunek.com>
Subject:   Re: ~/.login_conf mechanism is flawed
Message-ID:  <20100810175323.GA63364@rdtc.ru>
In-Reply-To: <86fwym32fn.fsf@ds4.des.no>
References:  <alpine.BSF.2.00.1008100841350.96753@tiktik.epipe.com> <4C611FA9.6070409@frasunek.com> <86fwym32fn.fsf@ds4.des.no>

On Tue, Aug 10, 2010 at 05:36:12PM +0200, Dag-Erling Smørgrav wrote:

> >  41513 ftpd     CALL  seteuid(0xbb8)
> >  41513 ftpd     RET   seteuid 0
> >  41513 ftpd     NAMI  "/home/venglin/.login_conf"
> >  41513 ftpd     NAMI  "/home/venglin/.login_conf.db"
> >  41513 ftpd     NAMI  "/home/venglin/.login_conf.db"
> 
> login_getclassbyname() temporarily drops privs while reading the user's
> .login_conf, because the user's ~ may be on (for instance) an NFS mount
> with -maproot=nobody.
> 
> Janne's mistake is to assume that reading == processing.
> 
> However, he is correct in that in the event of an exploitable code
> injection vulnerability in the code that *reads* the file, the injected
> code can easily reacquire root privs.
> 
> There is a different issue documented in PR bin/141840 which results in
> the user's resource limits being processed *with* root privs in certain
> circumstances.  It so happens that in FreeBSD, those circumstances only
> arise in OpenSSH.  This does not mean that the bug is in OpenSSH; it's
> in setusercontext(3), which makes unwarranted assumptions about how it
> is being called.
> 
> Unfortunately, that PR arrived at a time when so@ was busy with far more
> important issues, and it fell through the cracks.
> 
> The good news is that the only settings that can be overridden in
> this manner are resource limits and the CPU mask.

There is another issue in stock ftpd and usercontext,
see PR http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/143570
which contains a trivial patch.

Eugene Grosbein
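As an added example (not FreeBSD's libutil code and not from this thread), here is the drop-read-reacquire pattern the quoted paragraph attributes to login_getclassbyname(), written in C; read_file_as_user(), demo_roundtrip() and the sample login.conf-style record are assumed names and constructed values.

```c
/* Added example, not FreeBSD's code: read a file in the user's home as the
 * user, then reacquire the saved euid. The bytes returned are still untrusted
 * input; only the read is unprivileged, later processing runs as the caller. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* declares seteuid()/mkstemp() under strict -std= */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Read at most bufsz-1 bytes of path as uid, NUL-terminating buf. Returns the
 * byte count or -1 with errno set. The saved euid is always restored; if that
 * fails we abort rather than carry on with the wrong identity. */
ssize_t read_file_as_user(uid_t uid, const char *path, char *buf, size_t bufsz)
{
    uid_t saved = geteuid();
    ssize_t n = -1;
    int fd, err;
    if (bufsz == 0) { errno = EINVAL; return -1; }
    if (seteuid(uid) == -1)            /* EPERM unless root (or uid == euid) */
        return -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd != -1) {
        n = read(fd, buf, bufsz - 1);
        err = errno;
        close(fd);
        errno = err;
        if (n >= 0) buf[n] = '\0';
    }
    err = errno;
    if (seteuid(saved) == -1)
        abort();                       /* could not reacquire saved euid */
    errno = err;
    return n;
}

/* Self-check needing no root: write a constructed login.conf-style record to a
 * temp file, read it back as our own uid, confirm content and that the euid is
 * unchanged afterwards. Returns 1 on success. */
int demo_roundtrip(void)
{
    const char *rec = "me:\\\n\t:maxproc=64:\n";     /* constructed sample */
    char tmpl[] = "/tmp/login_conf.XXXXXX", buf[128];
    uid_t before = geteuid();
    int fd = mkstemp(tmpl), ok = 0;
    if (fd != -1 && write(fd, rec, strlen(rec)) == (ssize_t)strlen(rec))
        ok = read_file_as_user(before, tmpl, buf, sizeof buf) ==
                 (ssize_t)strlen(rec) && strcmp(buf, rec) == 0 &&
             geteuid() == before;
    if (fd != -1) { close(fd); unlink(tmpl); }
    return ok;
}
```

Run as an unprivileged user the bracket is a no-op identity change, so the self-check exercises only the read path and the restore; as root, seteuid() actually switches to the target uid for the duration of the open() and read().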


Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100810175323.GA63364>