From owner-freebsd-security Thu Dec 16 10:56:32 1999
Date: Thu, 16 Dec 1999 13:56:26 -0500 (EST)
From: Robert Watson
To: Spidey
Cc: Warner Losh, Chris England, freebsd-security@FreeBSD.ORG
Subject: Re: From BugTraq - FreeBSD 3.3 xsoldier root exploit (fwd)
In-Reply-To: <14425.12637.308602.637788@anarcat.dyndns.org>

On Thu, 16 Dec 1999, Spidey wrote:

> Yes. Since I've been looking at setuid's on FBSD, my primary concern's
> been with the ports. I wished there could be some way to have a
> variable in the Makefiles that say "NOSETUID=YES". :))
>
> We should make a definite list of all the setuid's in the whole port
> tree. Maybe the port maintainers can give a hand?
>
> Darn.. déjà vu...

Yup, it's déjà vu all over again.

If you want a heavy-handed security approach, here's how you do it. Define
two new Makefile ports variables:

HAS_MISC_SET_ID= {yes,no}
HAS_ROOT_SETUID= {yes,no}

Starting today, warn all ports maintainers that their ports must (ideally
correctly) define these variables for all of their ports. In two weeks, any
port that doesn't define both variables is marked as broken. After one week,
we introduce a check in the package building procedure that checks for any
setuid or setgid binaries in the installed version.
If the variable value reported is wrong, the port is marked as broken. We
then have an effective and mandated list of ports making use of set?id
binaries. Each one of these ports undergoes a security view by the auditing
team--not to fix bugs, just to identify whether the source code is prone to
bugs (extensive use of string functions in unsafe ways, etc) -- a twenty
minute thing. If it's found to be unsafe, the port is marked as unsafe,
meaning that packages are not autobuilt for it, and that a user attempting
to install the port is *loudly* warned that the code is unsafe, and they
must confirm the install by using make unsafe-install.

That's heavy-handed security for you: mandate identification of problems and
correctness. This doesn't address daemons (imapd, etc) that also run
privileged, but is a good first step.

Robert N M Watson
robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
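The package-build check Robert describes, written out as an added example that is not part of the thread or of the ports tree: it scans an installed tree for set-id files and compares the result with the HAS_ROOT_SETUID / HAS_MISC_SET_ID values a port declares. The split between the two variables (root-owned setuid versus everything else), the "yes"/"no" spelling and the staging-tree argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread or the FreeBSD ports tree.
# Usage: check_port_setid STAGE_TREE DECLARED_ROOT_SETUID DECLARED_MISC_SET_ID
# Assumption: HAS_ROOT_SETUID covers root-owned setuid files; HAS_MISC_SET_ID
# covers setgid files and setuid files owned by anyone other than root.

# Root-owned files with the setuid bit (the HAS_ROOT_SETUID case).
root_setuid_files() {
    find "$1" -type f -perm -4000 -user root 2>/dev/null
}

# Any other set-id file: setgid, or setuid to a non-root user (HAS_MISC_SET_ID).
misc_setid_files() {
    find "$1" -type f \( -perm -2000 -o \( -perm -4000 ! -user root \) \) 2>/dev/null
}

# Turn a (possibly empty) file list into the yes/no value a port would declare.
yes_if_nonempty() {
    if [ -n "$1" ]; then echo yes; else echo no; fi
}

# Exit status 0: the declarations match the installed tree.
# Exit status 1: mismatch, i.e. the port would be marked broken; details on stderr.
check_port_setid() {
    tree=$1; declared_root=$2; declared_misc=$3
    actual_root=$(yes_if_nonempty "$(root_setuid_files "$tree")")
    actual_misc=$(yes_if_nonempty "$(misc_setid_files "$tree")")
    status=0
    if [ "$declared_root" != "$actual_root" ]; then
        echo "HAS_ROOT_SETUID=$declared_root but installed tree says $actual_root" >&2
        status=1
    fi
    if [ "$declared_misc" != "$actual_misc" ]; then
        echo "HAS_MISC_SET_ID=$declared_misc but installed tree says $actual_misc" >&2
        status=1
    fi
    # On a mismatch, list the set-id files: that is the auditing team's starting point.
    if [ "$status" -ne 0 ]; then
        { root_setuid_files "$tree"; misc_setid_files "$tree"; } >&2
    fi
    return "$status"
}

# Run as a script: check_port_setid.sh /path/to/stage yes no
if [ $# -eq 3 ]; then
    check_port_setid "$@"
fi
```

Because only the setuid/setgid bits and file ownership are inspected, the check is cheap enough to run on every package build, which is what makes the declared variables enforceable rather than advisory.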