Date: Thu, 12 Aug 2010 09:02:19 -0400
From: Mike Tancsa <mike@sentex.net>
To: freebsd-security@freebsd.org
Subject: Re: ~/.login_conf mechanism is flawed
Message-ID: <201008121302.o7CD2BJv044208@lava.sentex.ca>
In-Reply-To: <alpine.BSF.2.00.1008101503190.96753@tiktik.epipe.com>
References: <alpine.BSF.2.00.1008100841350.96753@tiktik.epipe.com> <alpine.BSF.2.00.1008101503190.96753@tiktik.epipe.com>
Are there any other tricks / workarounds people have implemented? MACs?
---Mike
At 11:25 AM 8/10/2010, Janne Snabb wrote:
>On Tue, 10 Aug 2010, Janne Snabb wrote:
>
> > Looks like the per-user login capability database (~/.login_conf,
> > ~/.login_conf.db) functionality is creating a vulnerability.
>
>Attached is a temporary workaround for anyone who is worried about
>this problem. It disables per-user login capability databases
>completely. Only the system wide /etc/login.conf is used. Do not
>apply the patch if you need per-user login capabilities.
>
>This should work on 8.1-RELEASE, most likely on some other releases
>as well. I did not find any references to the evil ~/.login_conf{,.db}
>anywhere else in the source except in lib/libutil/login_cap.c.
>
>1. Save the attached login_cap.c.diff in /tmp
>
>2. cd /usr/src/lib/libutil
>
>3. patch < /tmp/login_cap.c.diff
>
>4. make
>
>5. make install
>
>6. re-start any affected daemons:
> /etc/rc.d/sshd restart
> /etc/rc.d/ftpd restart
>
>The relevant files are /lib/libutil.* and /usr/lib/libutil.* if you
>build on one machine and distribute binaries to others. Re-start
>the relevant daemons at each machine after updating the libutil
>libraries.
>
>--
>Janne Snabb / EPIPE Communications
>snabb@epipe.com - http://epipe.com/
>
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
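The quoted workaround removes support for per-user login capability databases from libutil; before or after applying it, an administrator will usually want to know which accounts actually carry such files. The following POSIX sh audit is an added example and is not part of the thread or of Janne's patch. It assumes home directories sit directly under one root (for example /home); the sample tree it builds is constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the thread): audit home directories for the
# per-user login capability databases (~/.login_conf, ~/.login_conf.db)
# that the quoted libutil workaround disables.
# Assumption: each user's home is an immediate subdirectory of the root
# passed as $1 (default /home); adjust the glob for other layouts.

# Print every per-user login_conf file found under the home root $1,
# one path per line. Prints nothing when none exist.
list_user_login_conf() {
    root="${1:-/home}"
    for home in "$root"/*/; do
        [ -d "$home" ] || continue
        # $home ends in '/', so this yields /home/user/.login_conf etc.
        for f in "$home.login_conf" "$home.login_conf.db"; do
            [ -f "$f" ] && printf '%s\n' "$f"
        done
    done
    return 0
}

# Number of such files under $1; handy as a cron or monitoring check.
count_user_login_conf() {
    list_user_login_conf "$1" | wc -l | tr -d ' '
}

# Build a constructed sample home tree in a temp dir and print its path:
# alice has ~/.login_conf, bob has ~/.login_conf.db, carol has neither.
make_sample_homes() {
    sample=$(mktemp -d)
    mkdir -p "$sample/alice" "$sample/bob" "$sample/carol"
    # Constructed, harmless capability entry; its content does not matter
    # to the audit, only the file's presence does.
    printf 'default:\\\n\t:umask=022:\n' > "$sample/alice/.login_conf"
    : > "$sample/bob/.login_conf.db"
    printf '%s\n' "$sample"
}
```

To use it on a real host, source the file and run `list_user_login_conf /home`; a non-zero result from `count_user_login_conf` is the signal to review those accounts (with `ls -ld` on each path for owner and mode) or to apply the workaround.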
