From: Mike Tancsa <mike@sentex.net>
To: freebsd-security@freebsd.org
Date: Thu, 12 Aug 2010 09:02:19 -0400
Subject: Re: ~/.login_conf mechanism is flawed
Message-Id: <201008121302.o7CD2BJv044208@lava.sentex.ca>

Are there any other tricks / workarounds people have implemented? MACs?

        ---Mike

At 11:25 AM 8/10/2010, Janne Snabb wrote:
> On Tue, 10 Aug 2010, Janne Snabb wrote:
>
> > Looks like the per-user login capability database (~/.login_conf,
> > ~/.login_conf.db) functionality is creating a vulnerability.
>
> Attached is a temporary workaround for anyone who is worried about
> this problem. It disables per-user login capability databases
> completely. Only the system-wide /etc/login.conf is used. Do not
> apply the patch if you need per-user login capabilities.
>
> This should work on 8.1-RELEASE, most likely on some other releases
> as well. I did not find any references to the evil ~/.login_conf{,.db}
> anywhere else in the source except in lib/libutil/login_cap.c.
>
> 1. Save the attached login_cap.c.diff in /tmp
>
> 2. cd /usr/src/lib/libutil
>
> 3. patch < /tmp/login_cap.c.diff
>
> 4. make
>
> 5. make install
>
> 6. re-start any affected daemons:
>    /etc/rc.d/sshd restart
>    /etc/rc.d/ftpd restart
>
> The relevant files are /lib/libutil.* and /usr/lib/libutil.* if you
> build on one machine and distribute binaries to others. Re-start
> the relevant daemons at each machine after updating the libutil
> libraries.
>
> --
> Janne Snabb / EPIPE Communications
> snabb@epipe.com - http://epipe.com/
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
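An added example, not from the thread and not FreeBSD's or Janne's own code: the workaround quoted above switches off per-user login capability databases for every account, and the reply warns not to install it if someone relies on them, so the check an administrator wants first is an inventory of which accounts actually carry one of the two files the thread names (~/.login_conf, ~/.login_conf.db). The script below reads "user homedir" pairs on stdin; the function names scan_login_conf, count_login_conf and account_homes are chosen here, enumerating accounts with getent(1) and awk is an assumption about the host, and the demo users alice, bob and carol with their files are constructed in a temporary directory so the script runs stand-alone without touching real home directories.

```sh
#!/bin/sh
# Added example (not from the thread): inventory accounts that carry a
# per-user login capability database before installing the libutil
# workaround, which disables those databases for every account.
# The file names ~/.login_conf and ~/.login_conf.db are the ones the thread
# names; the function names and the getent/awk enumeration are assumptions.

# scan_login_conf: reads "user homedir" pairs on stdin and prints
# "user path" for each per-user login capability file it finds.
scan_login_conf() {
    while read -r user home; do
        if [ -n "$home" ] && [ -d "$home" ]; then
            for f in .login_conf .login_conf.db; do
                if [ -e "$home/$f" ]; then
                    printf '%s %s\n' "$user" "$home/$f"
                fi
            done
        fi
    done
    return 0
}

# count_login_conf: same input, prints only the number of files found.
count_login_conf() {
    scan_login_conf | wc -l | tr -d ' '
}

# account_homes: "user homedir" pairs for every account in the password
# database (assumes getent(1) and awk are available, as on FreeBSD).
account_homes() {
    getent passwd | awk -F: '{ print $1, $6 }'
}

# Demo on a constructed tree: the users and files below are made up so the
# script runs without touching real home directories.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/alice" "$demo_root/bob" "$demo_root/carol"
: > "$demo_root/alice/.login_conf"
: > "$demo_root/carol/.login_conf"
: > "$demo_root/carol/.login_conf.db"

demo_accounts() {
    printf 'alice %s/alice\nbob %s/bob\ncarol %s/carol\n' \
        "$demo_root" "$demo_root" "$demo_root"
}

demo_accounts | scan_login_conf
echo "per-user login capability files: $(demo_accounts | count_login_conf)"
# On a real host (as root): account_homes | scan_login_conf
```

On a real machine, `account_homes | scan_login_conf` run as root lists every account that would lose its per-user settings once the patched libutil is installed; a non-empty result is also worth a look on its own, since an administrator who did not expect any user to ship a login capability database now knows exactly which home directories to review.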