From owner-freebsd-security@FreeBSD.ORG Tue Aug 10 18:13:39 2010
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4B1A2106566C for ; Tue, 10 Aug 2010 18:13:39 +0000 (UTC) (envelope-from eugen@eg.sd.rdtc.ru)
Received: from eg.sd.rdtc.ru (eg.sd.rdtc.ru [62.231.161.221]) by mx1.freebsd.org (Postfix) with ESMTP id 891E58FC14 for ; Tue, 10 Aug 2010 18:13:38 +0000 (UTC)
Received: from eg.sd.rdtc.ru (localhost [127.0.0.1]) by eg.sd.rdtc.ru (8.14.4/8.14.4) with ESMTP id o7AHrOvw064366; Wed, 11 Aug 2010 00:53:24 +0700 (NOVST) (envelope-from eugen@eg.sd.rdtc.ru)
Received: (from eugen@localhost) by eg.sd.rdtc.ru (8.14.4/8.14.4/Submit) id o7AHrOPr064365; Wed, 11 Aug 2010 00:53:24 +0700 (NOVST) (envelope-from eugen)
Date: Wed, 11 Aug 2010 00:53:24 +0700
From: Eugene Grosbein
To: Dag-Erling Smørgrav
Message-ID: <20100810175323.GA63364@rdtc.ru>
References: <4C611FA9.6070409@frasunek.com> <86fwym32fn.fsf@ds4.des.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <86fwym32fn.fsf@ds4.des.no>
User-Agent: Mutt/1.4.2.3i
X-Mailman-Approved-At: Tue, 10 Aug 2010 18:26:40 +0000
Cc: freebsd-security@freebsd.org, Przemyslaw Frasunek
Subject: Re: ~/.login_conf mechanism is flawed
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 10 Aug 2010 18:13:39 -0000

On Tue, Aug 10, 2010 at 05:36:12PM +0200, Dag-Erling Smørgrav wrote:

> > 41513 ftpd CALL seteuid(0xbb8)
> > 41513 ftpd RET seteuid 0
> > 41513 ftpd NAMI "/home/venglin/.login_conf"
> > 41513 ftpd NAMI "/home/venglin/.login_conf.db"
> > 41513 ftpd NAMI "/home/venglin/.login_conf.db"
>
> login_getclassbyname() temporarily drops privs while reading the user's
> .login_conf, because the user's ~ may be on (for instance) an NFS mount
> with -maproot=nobody.
>
> Janne's mistake is to assume that reading == processing.
>
> However, he is correct in that in the event of an exploitable code
> injection vulnerability in the code that *reads* the file, the injected
> code can easily reacquire root privs.
>
> There is a different issue documented in PR bin/141840 which results in
> the user's resource limits being processed *with* root privs in certain
> circumstances. It so happens that in FreeBSD, those circumstances only
> arise in OpenSSH. This does not mean that the bug is in OpenSSH; it's
> in setusercontext(3), which makes unwarranted assumptions about how it
> is being called.
>
> Unfortunately, that PR arrived at a time when so@ was busy with far more
> important issues, and it fell through the cracks.
>
> The good news is that the only settings that can be overridden in
> this manner are resource limits and the CPU mask.

There is another issue in stock ftpd and usercontext, see PR
http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/143570
which contains a trivial patch.

Eugene Grosbein
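An added illustration of the two points discussed above (this is example code written for this page, not code from the thread, from FreeBSD's libutil or from ftpd): a small C program that reads a file with the effective uid temporarily switched to the user, the way login_getclassbyname() reads ~/.login_conf, and then shows why that temporary drop is no barrier to injected code: seteuid() leaves the saved set-user-ID at 0, so seteuid(0) succeeds again. The function names read_as_user and can_reacquire_root are mine, and the fstat() ownership and regular-file check after open() is an extra guard added here, not something the page says libutil performs.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Read `path` with the effective uid temporarily switched to `uid`, the
 * way login_getclassbyname() reads ~/.login_conf so that a home directory
 * on an NFS export with -maproot=nobody is still readable.  Up to n-1
 * bytes are copied into buf and NUL-terminated.  Returns the byte count
 * or -1 with errno set.
 *
 * The ownership / regular-file check after open() is an extra guard added
 * in this example (assumption: it is not what libutil itself does).
 */
ssize_t read_as_user(uid_t uid, const char *path, char *buf, size_t n)
{
    uid_t saved = geteuid();
    ssize_t len = -1;
    int fd, saved_errno;

    if (n == 0) {
        errno = EINVAL;
        return -1;
    }
    if (seteuid(uid) == -1)
        return -1;

    /* O_NOFOLLOW: a user-controlled path must not be a symlink to a file
     * the user could not otherwise read. */
    fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd != -1) {
        struct stat st;
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == uid) {
            len = read(fd, buf, n - 1);
            if (len >= 0)
                buf[len] = '\0';
        } else {
            errno = EPERM;      /* not a plain file owned by `uid`: refuse it */
        }
        close(fd);
    }

    saved_errno = errno;
    /* Restore the original euid.  Failing here would leave the process
     * running under the wrong identity, so treat it as fatal. */
    if (seteuid(saved) == -1)
        abort();
    errno = saved_errno;
    return len;
}

/*
 * Why the drop above is not a security boundary: seteuid() changes only
 * the effective uid, so a process that started as root keeps saved
 * set-uid 0 and may call seteuid(0) again.  Returns 1 if root can be
 * regained from the dropped state, 0 if not (the process never had root),
 * -1 if the drop itself failed.  Only setuid()/setresuid() to a non-zero
 * uid would make the drop permanent.
 */
int can_reacquire_root(uid_t drop_to)
{
    uid_t saved = geteuid();
    int regained;

    if (seteuid(drop_to) == -1)
        return -1;
    regained = (seteuid(0) == 0);   /* EPERM unless saved set-uid is 0 */
    if (seteuid(saved) == -1)
        abort();
    return regained;
}

int main(void)
{
    char path[4096], buf[1024];
    const char *home = getenv("HOME");
    /* When started as root, drop to 65534 ("nobody" on most systems; an
     * assumption) to make the reacquisition visible; otherwise stay put. */
    uid_t demo = (getuid() == 0) ? 65534 : getuid();
    ssize_t n;

    if (home == NULL)
        home = "/";
    snprintf(path, sizeof path, "%s/.login_conf", home);

    n = read_as_user(getuid(), path, buf, sizeof buf);
    if (n < 0)
        printf("read_as_user(%s): %s\n", path, strerror(errno));
    else
        printf("read %zd bytes of %s as uid %u\n", n, path, (unsigned)getuid());

    printf("root reacquirable after seteuid drop: %d\n",
           can_reacquire_root(demo));
    return 0;
}
```

Run unprivileged, can_reacquire_root() reports 0 because seteuid(0) fails with EPERM; run as root it reports 1, which is exactly the property DES describes: an attacker who gains code execution inside the reading code is not confined by the temporary drop. The read itself is still worth doing with the user's uid, for the NFS reason given above, but the trust decision has to be made by the code that later processes the contents.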