From: "Glen Hollings"
Sender: owner-freebsd-security@FreeBSD.ORG
Delivered-To: freebsd-security@freebsd.org
Date: Fri, 31 Aug 2001 15:06:30 +1000
Subject: Broken SU

Has anyone ever experienced a broken SU command? I can't seem to SU to root when logged in as any 'normal' user....

eg

normuser@bsdbox normuser]$su -m
Password:
(stalls after this)

Or if I put in the wrong password

normuser@bsdbox normuser]$su -m
Password:
Sorry
(stalls after this)

it does this...

putting sshd into debug mode doesn't seem to reveal anything of use..

Here is an strace output of an attempted su:

$strace su
execve("/usr/bin/su", ["su"], [/* 20 vars */]) = 0
__sysctl([hw.pagesize], 2, "\0\20\0\0", [4], NULL, 0) = 0
mmap(0, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0x4005e000
geteuid(0xbfbffc1c) = 0
getuid() = 1002 (euid 0)
open("/var/run/ld-elf.so.hints", O_RDONLY) = 3
read(3, "Ehnt\1\0\0\0\200\0\0\0(\0\0\0\0\0\0\0\'\0\0\0\0\0\0\0\0"..., 128) = 128
lseek(3, 128, SEEK_SET) = 128
read(3, "/usr/lib:/usr/lib/compat:/usr/lo"..., 40) = 40
close(3) = 0
access("/usr/lib/libutil.so.3", F_OK) = 0
open("/usr/lib/libutil.so.3", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=32848, ...}) = 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0h#\0\000"..., 4096) = 4096
mmap(0, 36864, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40066000
mmap(0x4006e000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x7000) = 0x4006e000
close(3) = 0
access("/usr/lib/libskey.so.2", F_OK) = 0
open("/usr/lib/libskey.so.2", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=24252, ...}) = 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0008\23\0"..., 4096) = 4096
mmap(0, 28672, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x4006f000
mmap(0x40073000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x3000) = 0x40073000
close(3) = 0
access("/usr/lib/libmd.so.2", F_OK) = 0
open("/usr/lib/libmd.so.2", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=34272, ...}) = 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P\17\0\000"..., 4096) = 4096
mmap(0, 36864, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40076000
mmap(0x4007e000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x7000) = 0x4007e000
close(3) = 0
access("/usr/lib/libcrypt.so.2", F_OK) = 0
open("/usr/lib/libcrypt.so.2", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=28588, ...}) = 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\16"..., 4096) = 4096
mmap(0, 102400, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x4007f000
mmap(0x40086000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x6000) = 0x40086000
mmap(0x40087000, 69632, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0x40087000
close(3) = 0
access("/usr/lib/libc.so.4", F_OK) = 0
open("/usr/lib/libc.so.4", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=572588, ...}) = 0
read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\314-\1"..., 4096) = 4096
mmap(0, 622592, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40098000
mmap(0x40118000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x7f000) = 0x40118000
mmap(0x4011c000, 81920, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0x4011c000
close(3) = 0
access("/usr/lib/libcrypt.so.2", F_OK) = 0
access("/usr/lib/libmd.so.2", F_OK) = 0
sigaction(SIGILL, {0x4004f0fc, [], 0}, {SIG_DFL}) = 0
sigprocmask(SIG_BLOCK, NULL, []) = 0
sigaction(SIGILL, {SIG_DFL}, NULL) = 0
sigprocmask(SIG_BLOCK, ~[ILL TRAP ABRT EMT FPE BUS SEGV SYS], []) = 0
sigprocmask(SIG_SETMASK, [], NULL) = 0
readlink("/etc/malloc.conf", 0xbfbff6f4, 63) = -1 ENOENT (No such file or directory)
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0x40130000
break(0x804d000) = 0
getpriority(PRIO_PROCESS, 0) = 0
setpriority(PRIO_PROCESS, 0, -2) = 0
getuid() = 1002 (euid 0)
getlogin(0x401203f8, 0x11) = 0
geteuid(0x4011b304) = 0
break(0x804e000) = 0
stat("/etc/spwd.db", {st_mode=S_IFREG|0600, st_size=40960, ...}) = 0
open("/etc/spwd.db", O_RDONLY) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
read(3, "\0\6\25a\0\0\0\2\0\0\4\322\0\0\20\0\0\0\0\f\0\0\1\0\0\0"..., 260) = 260
break(0x804f000) = 0
break(0x8050000) = 0
break(0x8051000) = 0
lseek(3, 28672, SEEK_SET) = 28672
read(3, "\30\0\373\17\302\17\275\17r\17l\17$\17\37\17\344\16\337"..., 4096) = 4096
break(0x8052000) = 0
close(3) = 0
geteuid(0x4011b304) = 0
stat("/etc/spwd.db", {st_mode=S_IFREG|0600, st_size=40960, ...}) = 0
open("/etc/spwd.db", O_RDONLY) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
read(3, "\0\6\25a\0\0\0\2\0\0\4\322\0\0\20\0\0\0\0\f\0\0\1\0\0\0"..., 260) = 260
break(0x8053000) = 0
lseek(3, 24576, SEEK_SET) = 24576
read(3, "\26\0\373\17\301\17\272\17i\17d\17\23\17\n\17\321\16\314"..., 4096) = 4096
close(3) = 0
geteuid(0x4006e3bc) = 0
getegid(0x4006e3bc) = 1002
setegid(0Password:

anyone have any ideas?? please!

Thanks

**********************************************
*Glen Hollings              | There Cant Be  *
*Network Administrator      | a Crisis Today,*
*Global Info Links          | my schedule is *
*ghollings@admin.gil.com.au | already full.  *
**********************************************