Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 13 Jan 2017 07:13:46 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 216014] /etc/shells security vagueness affecting ports
Message-ID:  <bug-216014-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D216014

            Bug ID: 216014
           Summary: /etc/shells security vagueness affecting ports
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: misc
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: freebsd@phil.spodhuis.org

The shells(5) manpage describes /etc/shells as "a list of the shells on the
system".

The top of /usr/src/etc/shells documents the historical meaning:

    # List of acceptable shells for chpass(1).
    # Ftpd will not allow users to connect who are not using
    # one of these shells.

My recollection is that 20 years ago, it was considered a security flaw for
/etc/shells to list an untrusted shell, as the whole point was to define "i=
f a
user has one of these shells, then they're trusted for local system access".

Indeed, /usr/bin/chpass is setuid-root and uses "ok_shell()" to enforce exa=
ctly
this behavior; so if arbitrary code can be gotten running as uid N, it can
invoke chpass to change shell to any shell listed in /etc/shells, as long as
the current shell is listed in that file too.  Thus providing a privilege
escalation attack.

Yet the standard behavior of Ports is to add _all_ shells, including restri=
cted
shells, to /etc/shells.

    grep '^@shell' /usr/ports/shells/*/pkg-plist

rbash, rzsh, scponly; also devel/git adds libexec/git-core/git-shell too.

Users with any of those should _not_ be able to change their shell.  The on=
ly
reason I can think of to add these shells to /etc/shells is some gateway
software deciding to only allow access if the shell is listed and so reject=
ing
restricted shells ... which is a bug.

So either the description in /usr/src/etc/shells is wrong and chpass is a
security hole, or the man-page shells(5) is wrong and has led to many Ports
being configured to introduce security holes when installed.

--=20
You are receiving this mail because:
You are the assignee for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-216014-8>