From owner-freebsd-security Thu Dec 16 12:44:59 1999 Delivered-To: freebsd-security@freebsd.org Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id D85B915662; Thu, 16 Dec 1999 12:44:49 -0800 (PST) (envelope-from jeremyp@gsmx07.alcatel.com.au) Received: by border.alcanet.com.au id <40321>; Fri, 17 Dec 1999 07:35:04 +1100 Content-return: prohibited Date: Fri, 17 Dec 1999 07:43:29 +1100 From: Peter Jeremy Subject: Re: From BugTraq - FreeBSD 3.3 xsoldier root exploit (fwd) In-reply-to: ; from robert@cyrus.watson.org on Fri, Dec 17, 1999 at 05:56:26AM +1100 To: Robert Watson Cc: freebsd-security@FreeBSD.ORG, asami@FreeBSD.ORG Message-Id: <99Dec17.073504est.40321@border.alcanet.com.au> MIME-version: 1.0 X-Mailer: Mutt 1.0i Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 8BIT References: <14425.12637.308602.637788@anarcat.dyndns.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I've copied to Asami-san since I believe his input is critical to any changes to the ports mechanism. On 1999-Dec-17 05:56:26 +1100, Robert Watson wrote: >Yup, it's déjà vu all over again. If you want a heavy-handed security >approach, here's how you do it. Define two new Makefile ports variables: > >HAS_MISC_SET_ID= {yes,no} >HAS_ROOT_SETUID= {yes,no} I think `MISC' is too general. I'd split it into `games' (since there seems to be a general concensus that setuid-games is the least unsavoury way to handle machine-wide high-scores files) and `misc' (in case a game wants to be setuid something else - though I can't think of any justification for other UIDs). We also need an `unsafe' marker to support the install alarms. How about adding the following as well: HAS_GAMES_SETUID= {yes,no} IS_UNSAFE= {yes,no,maybe} >Starting today, warn all ports maintainers that their ports must (ideally >correctly) define these variables for all of their ports. The middle of a ports freeze is a bad time for this. (Though, if the infrastructure was ready at the end of the ports freeze, it would make a clear transition point). > In two weeks, >any port that doesn't define both variables is marked as broken. Two weeks might be a bit short. I don't believe there's any pressing need for this (the critical deadline to meet would be the next CD-ROM pressing - which is now several months off). I would think that a month might be better (Asami-san would have a better idea of a reasonable period). >We then have an effective and mandated list of ports making use of set?id >binaries. Each one of these ports undergoes a security view by the >auditing team--not to fix bugs, just to identify whether the source code >is prone to bugs (extensive use of string functions in unsafe ways, etc) >-- a twenty minute thing. Doesn't this just build a false sense of security? A guick-and-dirty review is guaranteed to miss things (or rather, miss more things than a thorough review), as well as generate lots of false positives. How do you placate a developer/maintainer whose cherished port has been unjustly given an "unsafe" tag because the reviewer couldn't spend the time to confirm that every code path into a potentially unsafe function included the validation necessary to make the function safe? How do we respond to the (inevitable) BUGTRAQ posts which state that `the FreeBSD Security Auditing Team gave the program a clean bill of health but missed the following security hole ...'? Lest the above sound too negative, I think Robert's approach is a good idea. I'm just not sure about the details. Peter To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message