From owner-freebsd-hackers Tue Nov 17 16:47:14 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA23323 for freebsd-hackers-outgoing; Tue, 17 Nov 1998 16:47:14 -0800 (PST) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from mx2.dmz.fedex.com (mx2.dmz.fedex.com [199.81.194.38]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA23293; Tue, 17 Nov 1998 16:46:58 -0800 (PST) (envelope-from wam@mohawk.dpd.fedex.com)
Received: from mx2.zmd.fedex.com (sendmail@mx2.zmd.fedex.com [199.82.159.11]) by mx2.dmz.fedex.com (8.9.1/8.9.1) with ESMTP id SAA00739; Tue, 17 Nov 1998 18:46:21 -0600 (CST)
Received: from s07.sa.fedex.com (root@s07.sa.fedex.com [199.81.124.17]) by mx2.zmd.fedex.com (8.9.1/8.9.1) with ESMTP id SAA05958; Tue, 17 Nov 1998 18:46:20 -0600 (CST)
Received: from mohawk.dpd.fedex.com (mohawk.dpd.fedex.com [199.81.74.121]) by s07.sa.fedex.com (8.9.1/8.9.1) with SMTP id SAA23057; Tue, 17 Nov 1998 18:46:19 -0600 (CST)
Message-Id: <199811180046.SAA23057@s07.sa.fedex.com>
To: Mikael Karpberg
cc: dillon@apollo.backplane.com (Matthew Dillon), hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Would this make FreeBSD more secure?
Date: Tue, 17 Nov 1998 18:45:47 -0600
From: William McVey
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Mikael Karpberg wrote:
>Yes, check_pw can just as well be setgid shadow. The point is, check_pw
>would be very small (well under 100 lines, I'd guess),

Agreed.

>and should then be possible to make secure enough to run as setuid root.

Even if the program is made "secure", I still think it would be assigned
an excess of privilege if made setuid root. Again, I'm trying to stay
focused on the original suggestion of a new group with read access to the
password files and the proposed changes to the getpwent code to base
access to the shadowed passwords on file permissions rather than "am I
root or not root".

>And what's wrong with popen() even if I was?

popen (at least historically) passes down environment variables (such as
IFS and LD_LIBRARY_PATH) which can cause a program popen()ed by a setuid
program (or setgid program for that matter) to run code the author
perhaps didn't expect.

>Again... I didn't write that piece of code as a suggested code, but more
>like a well-written pseudo-code. I think this might have been a mistake.
>I should have used less correct c-code.

I replied pointing out the bug simply to show that even simple (and
apparently correct) programs can have mistakes in them, and to
demonstrate what I've been trying to convince people of. A new group for
programs like xlock or check_pw to be setgid to would be better than
requiring these programs to be setuid root.

I'm somewhat new on the security list. What does it take to get changes
decided on? Does something like this need 'general consensus and running
code' (ala IETF), is something like this voted on, or does someone just
go out and do it once they get convinced?

>I think you misunderstood something seriously. The process will SEGV
>no matter if it's run by root. Root is just like any user, until he
>does a system call that requires authentication.

Yup. I was mistaken about the scribbling in memory without SEGVing.

 -- William

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
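The popen() point in the message above, as an added example that is not code from the thread, from FreeBSD, or from the check_pw proposal: a set-id helper that must spawn a child should not let popen() forward the caller's environment (IFS, LD_LIBRARY_PATH and friends), but should hand the child a small, fixed environment through execve(). The pass-through list (TERM, LANG), the fixed PATH and IFS values, and the function names are assumptions chosen for the illustration.

```c
/* Added example, not code from the original thread. A privileged helper
 * builds its own minimal environment for a child instead of inheriting the
 * caller's via popen(). The pass-through list and fixed values are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define CLEAN_ENV_MAX 16

/* Variables a privileged helper may pass through unchanged (assumed list).
 * PATH, IFS, ENV, LD_* and everything else are deliberately not on it. */
static const char *const passthrough_names[] = { "TERM", "LANG", NULL };

/* Return 1 if entry ("NAME=value") names a variable allowed through, else 0. */
int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;                           /* malformed entry: drop it */
    size_t name_len = (size_t)(eq - entry);
    for (int i = 0; passthrough_names[i] != NULL; i++) {
        if (strlen(passthrough_names[i]) == name_len &&
            strncmp(passthrough_names[i], entry, name_len) == 0)
            return 1;
    }
    return 0;
}

/* Build a clean environment in out[] from the caller's envp. PATH and IFS
 * are always set to fixed values so a shell started by the child cannot be
 * steered by the invoking user. Returns the number of entries written
 * (excluding the NULL terminator), or -1 if out[] is too small. */
int build_clean_env(char *const envp[], char *out[], size_t max)
{
    size_t n = 0;
    if (max < 3)
        return -1;
    out[n++] = "PATH=/bin:/usr/bin";       /* fixed, assumed value */
    out[n++] = "IFS= \t\n";                 /* the shell's default separators */
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (!env_entry_allowed(envp[i]))
            continue;
        if (n + 1 >= max)
            return -1;
        out[n++] = envp[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* Run prog with argv under a clean environment (a replacement for popen()
 * in set-id code). Returns the child's exit status, or -1 on failure. */
int run_with_clean_env(const char *prog, char *const argv[], char *const envp[])
{
    char *clean[CLEAN_ENV_MAX];
    if (build_clean_env(envp, clean, CLEAN_ENV_MAX) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(prog, argv, clean);
        _exit(127);                         /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

extern char **environ;

int main(void)
{
    /* The child checks that LD_LIBRARY_PATH is gone and PATH is the fixed
     * value, whatever the invoking shell had exported. */
    char *const argv[] = { "sh", "-c",
        "[ -z \"$LD_LIBRARY_PATH\" ] && [ \"$PATH\" = /bin:/usr/bin ]", NULL };
    int rc = run_with_clean_env("/bin/sh", argv, environ);
    printf("child exit status: %d (0 means the environment was clean)\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The same idea applies to the setgid variant the message argues for: a check_pw that is setgid to a shadow-reading group gains nothing from the caller's environment, so an allow-list plus fixed PATH and IFS is the whole environment policy, and execve() with that list is what replaces popen().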