Date: Thu, 16 Dec 1999 13:56:26 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
To: Spidey <beaupran@iro.umontreal.ca>
Cc: Warner Losh <imp@village.org>, Chris England <cengland@obscurity.org>, freebsd-security@FreeBSD.ORG
Subject: Re: From BugTraq - FreeBSD 3.3 xsoldier root exploit (fwd)
Message-ID: <Pine.BSF.3.96.991216135055.26813G-100000@fledge.watson.org>
In-Reply-To: <14425.12637.308602.637788@anarcat.dyndns.org>
On Thu, 16 Dec 1999, Spidey wrote:

> Yes. Since I've been looking at setuid's on FBSD, my primary concern's
> been with the ports. I wished there could be some way to have a
> variable in the Makefiles that say "NOSETUID=YES". :))
>
> We should make a definite list of all the setuid's in the whole port
> tree. Maybe the port maintainers can give a hand?
>
> Darn.. déjà vu...

Yup, it's déjà vu all over again. If you want a heavy-handed security approach, here's how you do it. Define two new Makefile ports variables:

HAS_MISC_SET_ID= {yes,no}
HAS_ROOT_SETUID= {yes,no}

Starting today, warn all ports maintainers that their ports must (ideally correctly) define these variables for all of their ports. In two weeks, any port that doesn't define both variables is marked as broken. After one week, we introduce a check in the package building procedure that checks for any setuid or setgid binaries in the installed version. If the variable value reported is wrong, the port is marked as broken.

We then have an effective and mandated list of ports making use of set?id binaries. Each one of these ports undergoes a security view by the auditing team--not to fix bugs, just to identify whether the source code is prone to bugs (extensive use of string functions in unsafe ways, etc) -- a twenty minute thing. If it's found to be unsafe, the port is marked as unsafe, meaning that packages are not autobuilt for it, and that a user attempting to install the port is *loudly* warned that the code is unsafe, and they must confirm the install by using make unsafe-install.

That's heavy-handed security for you: mandate identification of problems and correctness. This doesn't address daemons (imapd, etc) that also run privileged, but is a good first step.
Robert N M Watson
robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
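An added example, not part of the thread and not the FreeBSD ports framework's own code: a POSIX sh sketch of the package-build check Robert proposes, comparing a port's declared HAS_ROOT_SETUID / HAS_MISC_SET_ID values with the set-id bits actually present under a staged install. The staging-directory argument, the function names and the "BROKEN:" reporting format are assumptions.

```shell
#!/bin/sh
# Added example (not ports framework code): after a staged install, look at
# what is really on disk and mark the port broken if HAS_ROOT_SETUID or
# HAS_MISC_SET_ID is missing or disagrees with the installed files.
# STAGEDIR, the function names and the message format are assumptions.

# "yes" if any root-owned setuid file is installed under $1, else "no"
observed_root_setuid() {
    if [ -n "$(find "$1" -type f -user root -perm -4000 -print 2>/dev/null | head -n 1)" ]; then
        echo yes
    else
        echo no
    fi
}

# "yes" if any setgid file, or any setuid file not owned by root, is
# installed under $1, else "no"
observed_misc_setid() {
    if [ -n "$(find "$1" -type f \( -perm -2000 -o \( -perm -4000 ! -user root \) \) -print 2>/dev/null | head -n 1)" ]; then
        echo yes
    else
        echo no
    fi
}

# compare_flag NAME DECLARED ACTUAL: 0 on agreement, 1 (with a message) otherwise.
# An undefined or malformed declaration counts as broken, as the message proposes.
compare_flag() {
    case "$2" in
        yes|no) ;;
        *) echo "BROKEN: $1 is not defined as yes or no (got '$2')" >&2; return 1 ;;
    esac
    if [ "$2" != "$3" ]; then
        echo "BROKEN: $1=$2 but the installed files say $3" >&2
        return 1
    fi
    return 0
}

# check_port STAGEDIR HAS_ROOT_SETUID HAS_MISC_SET_ID: 0 if the declarations
# match what is installed, 1 if the port should be marked broken
check_port() {
    rc=0
    compare_flag HAS_ROOT_SETUID "$2" "$(observed_root_setuid "$1")" || rc=1
    compare_flag HAS_MISC_SET_ID "$3" "$(observed_misc_setid "$1")" || rc=1
    return $rc
}

# usage: sh check_setid.sh STAGEDIR yes|no yes|no
if [ "$#" -eq 3 ]; then check_port "$@"; fi
```

Run against a staging directory with the two values the port's Makefile declares; a non-zero exit is the "mark as broken" signal.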