From: John Baldwin
To: Paul Richards
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, mini@haikugeek.com, Alfred Perlstein, Mike Silbersack, Mike Barcroft
Date: Mon, 10 Dec 2001 23:51:32 -0800 (PST)
Subject: Re: cvs commit: src/sys/boot/i386/loader version src/share/examp
In-Reply-To: <616630000.1008044969@lobster.originative.co.uk>

On 11-Dec-01 Paul Richards wrote:
> --On Monday, December 10, 2001 22:18:36 -0500 Mike Barcroft wrote:
>
>> Mike Silbersack writes:
>>> On Mon, 10 Dec 2001, Alfred Perlstein wrote:
>>>
>>> > > All these loader commits make it possible to overwrite the existing
>>> > > contents of a file on a UFS filesystem.
>>> >
>>> > Yay! One "cool" feature at least from a security standpoint would
>>> > be adding a write once variable to turn this off so that one can't
>>> > use loader to smash /etc/passwd.
>>> >
>>> > John, or Jonathan... ? any plans on giving this a shot?
>>> >
>>> > -Alfred
>>>
>>> Hm, I wonder if write enabling should even be compiled into the loader by
>>> default - I think you're correct in suspecting that changing /etc/passwd
>>> will be the primary use of this feature.  :|
>>
>> Why would someone use this feature to write to the password file, when
>> they can just boot into single user mode and use their favourite
>> editor?
>
> You need the superuser password to get to single user if the console is
> secure.  The loader can be used to circumvent that now.

As someone else has noted, setting your init path to /tmp/mybinary opens your
machine up to root rather trivially, and that doesn't require write access.
Note that we don't prevent doing 'more /etc/master.passwd' with which one can
then run crack against the root password or some other utility.  The
assumption has always been that you can't really prevent root if the user has
console access to the loader.  If you want a secure box, hack boot2 to not
accept input (so alternate loaders can't be loaded), change it to load a
kernel instead of the loader, and compile your hints statically into your
kernel.

-- 

John Baldwin <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/