Date:      Thu, 26 Aug 1999 20:51:24 +0200
From:      Ben Gras <ben@euro.net>
To:        freebsd-security@freebsd.org
Subject:   Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
Message-ID:  <19990826205124.A3588@euronet.nl>
In-Reply-To: <199908261704.LAA65785@harmony.village.org>; from Warner Losh on Thu, Aug 26, 1999 at 11:04:07AM -0600
References:  <19990826094910.F20512@forty-two.egroups.net> <199908261704.LAA65785@harmony.village.org>

All,

On Thu, Aug 26, 1999 at 11:04:07AM -0600, Warner Losh wrote:
 > In message <19990826094910.F20512@forty-two.egroups.net> Gregory Sutter writes:
 > : This claims to describe a FreeBSD root exploit, and was just posted
 > : to BugTraq.
 > Thanks.  They said they weren't going to post this for a few more
 > days...  Grump.

First of all: a fix for this (AFAICS), and good practice regardless,
is to set kern.corefile to something where this kind of fiddling can't
happen. A nice example is a variation of what's in the source:
/var/cores/%U/%N-%P.

This could be done along with a
 # mkdir -m 755 /var/cores
 # cd /var/cores && \
   for i in `awk -F: '{ print $3 }' /etc/passwd`
   do mkdir -m 700 $i && chown $i $i || echo $i failed
   done
and a hook in adduser/rmuser perhaps.

The above should be done for every possible root, i.e., also for e.g.
chrooted ftpd and httpd. /var/cores is used instead of /cores because
you don't want users to be able to write on /, and /var/tmp is often
user-writable anyway (as always, tune to meet local needs). If you
want cores to work if /var isn't mounted, create a /var/cores on / and
do the above there too (it might be useful one day).

This provides a lot more security against core files lying around, or, in
this case, being dumped where they shouldn't be, and eliminates this class
of weakness.

I'll mail my patch for sysctls for cores-are-created-when-written-at-all
(a la O_CREAT | O_EXCL) and symlinks-aren't-followed-on-cores on 3.2-R to
Warner. Unfortunately this had to be (well, without further kludging)
hard-wired into the various core dumping functions (elf, aout; fortunately
the linux code shares these functions and there's no COFF coredumping
function).

Regards,

	=Ben
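A script that builds and audits the per-uid core directory layout described in the message above, as an added example that is not part of this message or of FreeBSD itself. It assumes GNU or BSD stat, takes the base directory and passwd file as parameters so it can be exercised against a constructed copy, and only runs chown when invoked as root.

```shell
#!/bin/sh
# Supports a kern.corefile setting of BASE/%U/%N-%P (the layout from the
# message): one directory per uid, mode 0700, owned by that uid, and never
# a symlink.  BASE and PASSWD are parameters; the real values would be
# /var/cores and /etc/passwd.

# Print "<octal mode> <uid>" for a path, via GNU stat or, failing that, BSD stat.
mode_and_uid() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%OLp %u' "$1"
}

# check_core_dir DIR UID: return 0 if DIR is a real directory (not a symlink)
# owned by UID with mode exactly 0700; otherwise print the reason and return 1.
check_core_dir() {
    dir=$1; uid=$2
    if [ -L "$dir" ]; then echo "$dir: is a symlink"; return 1; fi
    if [ ! -d "$dir" ]; then echo "$dir: not a directory"; return 1; fi
    set -- $(mode_and_uid "$dir")
    if [ "$1" != "700" ]; then echo "$dir: mode $1, want 700"; return 1; fi
    if [ "$2" != "$uid" ]; then echo "$dir: owner uid $2, want $uid"; return 1; fi
    return 0
}

# setup_core_dirs BASE PASSWD: create BASE (0755) and one 0700 directory per
# uid in PASSWD, chown it when running as root, then audit every directory
# (a pre-existing symlink or loose-mode entry is left alone and reported).
# Returns the number of directories that failed the audit.
setup_core_dirs() {
    base=$1; passwd=$2; failed=0
    [ -d "$base" ] || mkdir -m 755 "$base" || return 1
    for u in $(awk -F: '{ print $3 }' "$passwd" | sort -un); do
        d=$base/$u
        if [ ! -e "$d" ] && [ ! -L "$d" ]; then
            mkdir -m 700 "$d"
            [ "$(id -u)" -eq 0 ] && chown "$u" "$d"
        fi
        check_core_dir "$d" "$u" || failed=$((failed + 1))
    done
    return $failed
}
```

Run as root with `setup_core_dirs /var/cores /etc/passwd` after setting kern.corefile; a non-zero exit means at least one directory needs attention.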

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990826205124.A3588>