Date: Thu, 1 Jun 2006 15:49:18 +0300
From: Kostik Belousov <kostikbel@gmail.com>
To: freebsd-hackers@freebsd.org
Subject: recent vixie cron vulnerability
Message-ID: <20060601124918.GA51393@deviant.kiev.zoral.com.ua>

There was a recent discovery of a problem in the vixie cron job execution, see http://www.securityfocus.com/bid/18108/ and https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178431

The hole exists because calls to setuid(2) go unchecked for errors. At first look, the issue seems to be irrelevant to FreeBSD, because, in the absence of mac(9), setuid(2) and similar calls can fail only for a non-root user. But if mac is present, then setuid(2) could fail, and our version 3.0 cron will execute the user job with uid zero as well. To trick cron into the problem, some mac policy shall be present in the kernel that would fail the setuid() call for some reason.

Do you consider this important enough to justify the patch?
Index: cron/do_command.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/local/arch/ncvs/src/usr.sbin/cron/cron/do_command.c,v retrieving revision 1.23 diff -u -r1.23 do_command.c --- cron/do_command.c 24 Aug 2005 17:51:36 -0000 1.23 +++ cron/do_command.c 1 Jun 2006 12:47:31 -0000 @@ -245,12 +245,29 @@ /* set our directory, uid and gid. Set gid first, * since once we set uid, we've lost root privledges. */ - setgid(e->gid); + if (setgid(e->gid) !=3D 0) { + log_it(usernm,getpid(),"error","setgid failed"); + exit(ERROR_EXIT); + /*NOTREACHED*/ + } # if defined(BSD) - initgroups(usernm, e->gid); + if (initgroups(usernm, e->gid) !=3D 0) { + log_it(usernm,getpid(),"error","initgroups failed"); + exit(ERROR_EXIT); + /*NOTREACHED*/ + } =09 # endif - setlogin(usernm); - setuid(e->uid); /* we aren't root after this..*/ + if (setlogin(usernm) !=3D 0) { + log_it(usernm,getpid(),"error","setlogin failed"); + exit(ERROR_EXIT); + /*NOTREACHED*/ + } + if (setuid(e->uid) !=3D 0) { + log_it(usernm,getpid(),"error","setuid failed"); + exit(ERROR_EXIT); + /*NOTREACHED*/ + } + /* we aren't root after this..*/ #if defined(LOGIN_CAP) } if (lc !=3D NULL) Index: cron/popen.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/local/arch/ncvs/src/usr.sbin/cron/cron/popen.c,v retrieving revision 1.12 diff -u -r1.12 popen.c --- cron/popen.c 6 Feb 2002 02:00:07 -0000 1.12 +++ cron/popen.c 1 Jun 2006 12:47:31 -0000 
@@ -175,12 +175,21 @@ /* set our directory, uid and gid. Set gid first, * since once we set uid, we've lost root privledges. */ - setgid(e->gid); + if (setgid(e->gid) !=3D 0) + _exit(ERROR_EXIT); + /*NOTREACHED*/ # if defined(BSD) - initgroups(usernm, e->gid); + if (initgroups(usernm, e->gid) !=3D 0) + _exit(ERROR_EXIT); + /*NOTREACHED*/ # endif - setlogin(usernm); - setuid(e->uid); /* we aren't root after this..*/ + if (setlogin(usernm) !=3D 0) + _exit(ERROR_EXIT); + /*NOTREACHED*/ + if (setuid(e->uid) !=3D 0) + _exit(ERROR_EXIT); + /*NOTREACHED*/ + /* we aren't root after this..*/ #if defined(LOGIN_CAP) } if (lc !=3D NULL)
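Review bot: the do_command.c hunk calls exit(ERROR_EXIT) from the forked child, while the popen.c hunk uses _exit(ERROR_EXIT) for the same four failures; in the child, exit() runs atexit handlers and flushes stdio buffers inherited from the parent cron process, so _exit() is the better choice here too, and the two files should agree. The refusal itself is the right behaviour: if the drop fails, the only safe outcome is not running the job, since the alternative is executing the user's command as root. The four log_it() messages ("setgid failed", "initgroups failed", "setlogin failed", "setuid failed") carry no errno, so a MAC policy denial is indistinguishable in the log from any other failure; consider appending strerror(errno) to each message so the operator can see why the job was refused.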
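Review bot: in the popen.c hunk each `/*NOTREACHED*/` follows an unbraced `if (...) _exit(ERROR_EXIT);` at statement level, where it asserts that the code after the if is unreachable, which is false whenever the call succeeds; put the annotation inside a braced body directly after `_exit()`, as the do_command.c hunk does, or drop it. Unlike the do_command.c hunk, these paths exit silently with no log_it() call, so a job refused because setgid(), initgroups(), setlogin() or setuid() failed leaves no trace in the cron log; `usernm` is already in scope here, so logging the failing step before `_exit()` would cost one line per check.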
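The unchecked setgid/initgroups/setuid sequence the message describes, as an added example that is not part of the original post or of FreeBSD's cron: a portable drop_privileges() helper (hypothetical name) that checks every call and then verifies the resulting ids, which is the check that catches a MAC-induced failure before a user's job runs as root. setlogin(2) from the patch is BSD-only and is left out so the code builds on any POSIX system.

```c
/* Added example (not from the post or FreeBSD's cron): the privilege drop
 * cron's child performs before exec'ing a user job, with each step checked
 * and the outcome verified.  setlogin(2) is BSD-only and omitted. */
#define _DEFAULT_SOURCE 1   /* initgroups() prototype on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Confirm the drop took effect: real and effective ids equal the target and,
 * for a non-root target, root cannot be regained.  Returns 0 or -1. */
int verify_privs_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    /* If a saved uid of 0 was left behind, setuid(0) succeeds here;
     * that is a failed drop, not a success. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Hypothetical helper: the checked form of cron's unchecked
 * setgid/initgroups/setuid sequence.  Order matters: gid and groups first,
 * because changing them still needs root; uid last.  Returns 0, or -1 after
 * reporting the failing step (cron itself would call log_it()). */
int drop_privileges(uid_t uid, gid_t gid, const char *user)
{
    const char *step;

    if (setgid(gid) != 0)           { step = "setgid";     goto fail; }
    if (initgroups(user, gid) != 0) { step = "initgroups"; goto fail; }
    if (setuid(uid) != 0)           { step = "setuid";     goto fail; }
    /* A MAC policy can make any call above fail; even when all returned 0,
     * check the ids before trusting them with a user's job. */
    if (verify_privs_dropped(uid, gid) != 0) {
        fprintf(stderr, "drop_privileges: ids not dropped for %s\n", user);
        return -1;
    }
    return 0;
fail:
    fprintf(stderr, "drop_privileges: %s failed for %s: %s\n",
            step, user, strerror(errno));
    return -1;
}
```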