From owner-freebsd-security Sun Nov 15 23:24:38 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA00675 for freebsd-security-outgoing; Sun, 15 Nov 1998 23:24:38 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from david.siemens.de (david.siemens.de [192.35.17.14]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA00642 for ; Sun, 15 Nov 1998 23:24:23 -0800 (PST) (envelope-from andre.albsmeier@mchp.siemens.de) X-Envelope-Sender-Is: andre.albsmeier@mchp.siemens.de (at relayer david.siemens.de) Received: from mail.siemens.de (salomon.siemens.de [139.23.33.13]) by david.siemens.de (8.9.1a/8.9.1) with ESMTP id IAA09711 for ; Mon, 16 Nov 1998 08:16:43 +0100 (MET) Received: from curry.mchp.siemens.de (daemon@curry.mchp.siemens.de [146.180.31.23]) by mail.siemens.de (8.9.1a/8.9.1) with ESMTP id IAA06813 for ; Mon, 16 Nov 1998 08:16:45 +0100 (MET) Received: (from daemon@localhost) by curry.mchp.siemens.de (8.8.8/8.8.8) id IAA15770 for ; Mon, 16 Nov 1998 08:16:45 +0100 (CET) Message-ID: <19981116081640.A2304@internal> Date: Mon, 16 Nov 1998 08:16:40 +0100 From: Andre Albsmeier To: Warner Losh , Andre Albsmeier Cc: Matthew Dillon , freebsd-security@FreeBSD.ORG Subject: Re: Would this make FreeBSD more secure? References: <19981116072937.E969@internal> <19981115192224.A29686@internal> <19981115161548.A23869@internal> <199811151758.JAA15108@apollo.backplane.com> <19981115192224.A29686@internal> <199811152210.PAA01604@harmony.village.org> <19981116072937.E969@int Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <199811160658.XAA01912@harmony.village.org>; from Warner Losh on Sun, Nov 15, 1998 at 11:58:02PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, Nov 15, 1998 at 11:58:02PM -0700, Warner Losh wrote: > In message <19981116072937.E969@internal> Andre Albsmeier writes: > : > Back to the original thread, I'm not sure how making more programs > : > setgid would help system security. Small ones that are easy to audit > : > : Well, if you make it setgid and use 640 on the password file, you > : a) can't write to the pw file directly any more > : b) have to crack the root pw from the still readable pw file in order > : to become root. > : > : Now you are root immediately. > > Now you have to have root in order to get root. /etc/passwd is > readable by everybody, but so what. There are no passwords in it. Of course, I ment "pw file" standing as a synonym for the 600 files in /etc: /etc/spwd.db /etc/master.passwd > The master password file, on the other hand, is readable only by > root. And writeable. > It is true that a stack smashing attack would get you only group pw if > you made this change. Hmmm, that might be worth it. > > : BTW, by examining the xlockmore configure file I found that I am not > : the first one thinking of it: > > Not being the first to think of it doesn't make it right. :-) > > This would plug some potential holes in a small number of > applications. I'm not sure that it is worth it on the effort/return Which security holes do you mean? I thought basically of doing the following: a) invent a new group (e.g. shadow, to stick with xlockmore :-)) b) chgrp shadow /etc/spwd.db /etc/master.passwd c) chmod 640 /etc/spwd.db and /etc/master.passwd mode d) modify programs that write to these files (pwd_mkdb) to conform with b) and c) As far as we are now, I can't see a security hole here. /etc/spwd.db and /etc/master.passwd are now readable by the shadow group as well but up to now, no one runs under this group. Now we modify xlock (or others which are setuid root only in order to access /etc/spwd.db or /etc/master.passwd) in the following way: a) chgrp shadow xlock b) chmod 2111 xlock xlock can now do the same as before: read the encrypted passwords but doens't run as root anymore. Especially xlock is a good candidate since it never gives up it root privileges. -Andre To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message