From owner-cvs-all@FreeBSD.ORG  Sun Feb 22 19:49:15 2004
Return-Path: <owner-cvs-all@FreeBSD.ORG>
Delivered-To: cvs-all@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 466F316A4CE; Sun, 22 Feb 2004 19:49:15 -0800 (PST)
Received: from kientzle.com (h-66-166-149-50.SNVACAID.covad.net
	[66.166.149.50])	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 57C4F43D2F; Sun, 22 Feb 2004 19:49:14 -0800 (PST)
	(envelope-from tim@kientzle.com)
Received: from kientzle.com (54.kientzle.com [66.166.149.54] (may be forged))
	by kientzle.com (8.12.9/8.12.9) with ESMTP id i1N3mrkX089431;
	Sun, 22 Feb 2004 19:48:53 -0800 (PST)
	(envelope-from tim@kientzle.com)
Message-ID: <40397824.3080607@kientzle.com>
Date: Sun, 22 Feb 2004 19:48:52 -0800
From: Tim Kientzle <tim@kientzle.com>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20031006
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: David Schultz <das@FreeBSD.ORG>
References: <200402221003.i1MA3PW0024791@repoman.freebsd.org>
	<403944D8.6050107@kientzle.com> <20040223025647.GA43467@VARK.homeunix.com>
In-Reply-To: <20040223025647.GA43467@VARK.homeunix.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: cvs-src@FreeBSD.ORG
cc: src-committers@FreeBSD.ORG
cc: cvs-all@FreeBSD.ORG
cc: Colin Percival <cperciva@FreeBSD.ORG>
cc: kientzle@acm.org
Subject: Re: cvs commit: src/sbin/nologin Makefile nologin.c
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: kientzle@acm.org
List-Id: CVS commit messages for the entire tree <cvs-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-all>
List-Post: <mailto:cvs-all@freebsd.org>
List-Help: <mailto:cvs-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Feb 2004 03:49:15 -0000

David Schultz wrote:
> On Sun, Feb 22, 2004, Tim Kientzle wrote:
>>Colin Percival wrote:
>>
>>> Report login attempts to syslog.  Due to the statically-linked nature of
>>> nologin(8) ...
>>
>>Why is nologin statically linked?
> 
> Because of environment-poisoning attacks such as the following:
> 
> 	das@VARK:~> setenv LD_LIBRARY_PATH /home/das/exploit
> 	das@VARK:~> \login -p test
> 
> This attack was executed with a dynamically-linked /sbin/nologin
> and a special libc.so.5 in the /home/das/exploit directory that
> replaces the _exit() stub with a routine that spawns a shell.

Hmmmm....  Several other solutions come immediately to mind:
   * Handle this in pam (or even in login)
     (Just check if the user's shell is /sbin/nologin and
     reject the login if it is.)
   * Install /sbin/nologin setuid nobody or setgid nogroup
     That would disable LD_LIBRARY_PATH processing for it.
   * Have login -p not pass LD_LIBRARY_PATH

Of these, the first is arguably the best, the second easiest
to implement.  The third I'm unsure about; I can't
really picture a scenario where login -p should pass
LD_LIBRARY_PATH, but that's hardly conclusive.

I agree, by the way, that there should be a way to
"mark" a program as ignoring LD_LIBRARY_PATH at
compile-time (other than making it setuid/setgid).

Tim Kientzle