Date: Thu, 26 Aug 1999 20:51:24 +0200
From: Ben Gras
To: freebsd-security@freebsd.org
Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
Message-ID: <19990826205124.A3588@euronet.nl>
References: <19990826094910.F20512@forty-two.egroups.net> <199908261704.LAA65785@harmony.village.org>
In-Reply-To: <199908261704.LAA65785@harmony.village.org>; from Warner Losh on Thu, Aug 26, 1999 at 11:04:07AM -0600

All,

On Thu, Aug 26, 1999 at 11:04:07AM -0600, Warner Losh wrote:
> In message <19990826094910.F20512@forty-two.egroups.net> Gregory Sutter writes:
> : This claims to describe a FreeBSD root exploit, and was just posted
> : to BugTraq.
> Thanks. They said they weren't going to post this for a few more
> days... Grump.

First of all: a fix for this (AFAICS), and good practice regardless, is to
set kern.corefile to something where this kind of fiddling can't happen. A
nice example is a variation of what's in the source: /var/cores/%U/%N-%P.
This could be done along with a

    # mkdir -m 755 /var/cores
    # cd /var/cores && \
    for i in `awk -F: '{ print $3 }' /etc/passwd`
    do
        mkdir -m 700 $i && chown $i $i || echo $i failed
    done

and a hook in adduser/rmuser perhaps. The above should be done for every
possible root, i.e., also for e.g. chrooted ftpd and httpd.
/var/cores is used instead of /cores because you don't want users to be able
to write on /, and /var/tmp is often user-writable anyway (as always, tune to
meet local needs). If you want cores to work if /var isn't mounted, create a
/var/cores on / and do the above there too (it might be useful one day).

This provides a lot more security against core files lying around, or, in
this case, being dumped where they shouldn't be, and eliminates this class of
weakness.

I'll mail my patch for sysctls for cores-are-created-when-written-at-all (a
la O_CREAT | O_EXCL) and symlinks-aren't-followed-on-cores on 3.2-R to
Warner. Unfortunately this had to be (well, without further kludging)
hard-wired into the various core dumping functions (elf, aout; fortunately
the linux code shares these functions and there's no COFF coredumping
function).

Regards,
=Ben
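A defender-side check for the per-uid core tree proposed in the mail, added here as an example and not part of the original post: the script walks a passwd file and verifies that each uid's directory under the base is a real directory (not a symlink), owned by that uid and mode 0700, so a tree built by the mkdir/chown loop above can be audited later. The function name and its two arguments (base directory, passwd file) are my own assumptions, chosen so it can be run against a scratch tree rather than the live /var/cores.

```shell
#!/bin/sh
# audit_cores: verify a per-uid core tree laid out for
# kern.corefile=/var/cores/%U/%N-%P.  Each uid in PASSWD_FILE needs a
# real directory BASE_DIR/<uid> (no symlink), owned by that uid, mode 0700.
# Constructed example; the function name and arguments are assumptions.
# usage: audit_cores BASE_DIR PASSWD_FILE  -> one finding per line, rc 0 if clean
audit_cores() {
    base=$1 passwd=$2 rc=0
    # The base itself must be a real directory, not a planted symlink.
    if [ -L "$base" ] || [ ! -d "$base" ]; then
        echo "$base: not a real directory"
        return 1
    fi
    for uid in $(awk -F: '{ print $3 }' "$passwd"); do
        d=$base/$uid
        if [ -L "$d" ]; then
            echo "$uid: $d is a symlink"; rc=1; continue
        fi
        if [ ! -d "$d" ]; then
            echo "$uid: $d missing"; rc=1; continue
        fi
        # POSIX ls -ldn: field 1 is the mode string, field 3 the numeric owner.
        set -- $(ls -ldn "$d")
        mode=$1 owner=$3
        [ "$owner" = "$uid" ] || { echo "$uid: $d owned by uid $owner"; rc=1; }
        # Group/other bits must all be clear; a trailing '.' (SELinux label)
        # is tolerated, a trailing '+' (extra ACL entries) is flagged.
        case $mode in
            ?rwx------|?rwx------.) ;;
            *) echo "$uid: $d mode $mode, want drwx------"; rc=1 ;;
        esac
    done
    return $rc
}

# Pair the tree with the sysctl from the mail (root only, not run here):
#   sysctl kern.corefile=/var/cores/%U/%N-%P
```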