Date: Tue, 2 May 1995 10:05:27 +1000 (EST)
From: clary@elec.uq.oz.au (Clary Harridge)
To: freebsd-security@FreeBSD.org
Cc: freebsd-bugs@FreeBSD.org, marks@cheque1.cheque.uq.oz.au (Mark Schulz)
Subject: Re: DISKLESS users become root
Message-ID: <9505020006.AA18803@s1.elec.uq.oz.au>
In-Reply-To: <9504260509.AA15058@s1.elec.uq.oz.au> from "Clary Harridge" at Apr 26, 95 03:08:47 pm
>
> Users on any DISKLESS client can become root during the boot sequence.
>
> I have diskless clients booting off a FreeBSD file server and find that
>
> Pressing CTRLC just after the last NFS mount and before the "autoreboot"
This also happens with CTRL\
> message causes
>
> init: /bin/sh on /etc/rc terminated abnormally, going to single user mode
> Enter pathname of shell or RETURN for sh:
>
> then
>
> RETURN gives a root shell.
>
> The state of the /etc/ttys file is not being checked for whether the
> console is secure (or not) and the user is NOT prompted for a root
> password.
>

The problem is that there is a time slot from the start of "init" until
the "read_ttys" subroutine checks / sets the "[in]secure" mode.

This time is probably small on a system with local disk and you probably
need to be lucky to cause either a SIGINT (CTRLC) or SIGQUIT (CTRL\) at
the right time.

However on a diskless system the time slot is of the order of tens of
seconds and you can easily become super user.

The following patch will close this security hole.

================================================================ *** init.c Tue May 2 08:47:49 1995 --- init.c_orig Fri Apr 28 10:39:51 1995 *************** *** 178,186 **** sigset_t mask; - /* disable interrupts until /etc/ttys secure is checked */ - (void) signal(SIGINT, SIG_IGN); - (void) signal(SIGQUIT, SIG_IGN); /* Dispose of random users. */ if (getuid() != 0) { (void)fprintf(stderr, "init: %s\n", strerror(EPERM)); --- 178,183 ---- *************** *** 239,245 **** handle(badsys, SIGSYS, 0); handle(disaster, SIGABRT, SIGFPE, SIGILL, SIGSEGV, SIGBUS, SIGXCPU, SIGXFSZ, 0); ! handle(transition_handler, SIGHUP, SIGTERM, SIGTSTP, 0); handle(alrm_handler, SIGALRM, 0); sigfillset(&mask); delset(&mask, SIGABRT, SIGFPE, SIGILL, SIGSEGV, SIGBUS, SIGSYS, --- 236,242 ---- handle(badsys, SIGSYS, 0); handle(disaster, SIGABRT, SIGFPE, SIGILL, SIGSEGV, SIGBUS, SIGXCPU, SIGXFSZ, 0); ! 
handle(transition_handler, SIGHUP, SIGINT, SIGTERM, SIGTSTP, 0); handle(alrm_handler, SIGALRM, 0); sigfillset(&mask); delset(&mask, SIGABRT, SIGFPE, SIGILL, SIGSEGV, SIGBUS, SIGSYS, ================================================================

This is not the whole answer if your ttys flag is secure as a call to
handle(transition_handler, SIGINT, 0); should probably be done at some
stage after or during "read_ttys" ?

--
regards                  Dept. of Electrical Engineering,
Clary Harridge           University of Queensland, QLD, Australia, 4072
Phone: +61-7-365-3636    Fax: +61-7-365-4999
INTERNET: clary@elec.uq.oz.au
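Review bot: the first hunk (178,186) is a context diff taken the wrong way round: `*** init.c Tue May 2` is the patched file and `--- init.c_orig Fri Apr 28` the original, so the comment and the two `(void) signal(..., SIG_IGN)` calls that are being added show up as `-` lines and `patch` will try to delete them unless it is run with -R; regenerating with the original file as the first argument fixes that. The new comment `disable interrupts until /etc/ttys secure is checked` also promises a re-enable that nothing in the patch performs, and it does not say why the change closes the hole: a SIG_IGN disposition is inherited across fork and exec, so it is the /bin/sh running /etc/rc, not init itself, that stops dying on SIGINT and SIGQUIT. That is worth stating in the comment, because a later change that restores a caught handler in init will not protect the children the same way (caught handlers revert to SIG_DFL when the child execs).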
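Review bot: in the second hunk (239,245) SIGINT is dropped from the `handle(transition_handler, ...)` list outright, so after this patch init never reacts to SIGINT, not only during the window before read_ttys; together with the SIG_IGN from the first hunk, whatever transition SIGINT used to request is lost for the life of the process unless something later calls `handle(transition_handler, SIGINT, 0)`, which is exactly what the closing sentence of the message leaves open. The deferred re-arm after read_ttys belongs in the same patch, so that the two halves of the intended behaviour (ignore during the boot window, handle afterwards on a secure console) ship together and the comment in the first hunk becomes true.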
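Added illustration, not part of Clary's message and not code from FreeBSD's init.c: the patch works because a SIG_IGN disposition set in init is inherited across fork() and exec() by the /bin/sh that runs /etc/rc, whereas a signal that init merely catches with a handler (as transition_handler did for SIGINT) is reset to SIG_DFL when the child execs, so the rc shell is still killable from the console during the window before read_ttys. The program below reproduces that difference with a child that execs `sleep` (assumed to be on PATH) in place of the rc shell; the names `child_killed_by` and `disposition` are chosen here and belong to this example only.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* How the parent (standing in for init) sets the signal before forking. */
enum disposition { DISP_DEFAULT, DISP_IGNORE, DISP_CATCH };

static void noop_handler(int sig) { (void)sig; }

/* Fork a child that execs "sleep 1" (assumed to be on PATH; it stands in
 * for the /bin/sh that init runs on /etc/rc), send it `sig` once the exec
 * has happened, and report what became of it.
 * Returns 1 if the child died from `sig`, 0 if it exited normally, -1 on error. */
int child_killed_by(int sig, enum disposition disp)
{
    struct sigaction sa, old;
    int fds[2], status = 0, result = -1;
    pid_t pid;
    char c;

    memset(&sa, 0, sizeof sa);
    sigemptyset(&sa.sa_mask);
    sa.sa_handler = disp == DISP_IGNORE ? SIG_IGN
                  : disp == DISP_CATCH  ? noop_handler
                  : SIG_DFL;
    if (sigaction(sig, &sa, &old) != 0)
        return -1;

    /* A close-on-exec pipe tells the parent exactly when the child has
     * exec'd: the write end closes and read() returns 0 (end of file). */
    if (pipe(fds) != 0) {
        sigaction(sig, &old, NULL);
        return -1;
    }
    fcntl(fds[1], F_SETFD, FD_CLOEXEC);

    pid = fork();
    if (pid < 0) {
        close(fds[0]); close(fds[1]);
        sigaction(sig, &old, NULL);
        return -1;
    }
    if (pid == 0) {
        close(fds[0]);
        /* Across exec the kernel keeps SIG_IGN but resets a caught handler
         * to SIG_DFL; that one rule is the whole difference shown here. */
        execlp("sleep", "sleep", "1", (char *)NULL);
        _exit(127);
    }

    close(fds[1]);
    while (read(fds[0], &c, 1) < 0 && errno == EINTR)
        ;                                 /* wait for the exec (or _exit) */
    close(fds[0]);

    kill(pid, sig);
    if (waitpid(pid, &status, 0) == pid) {
        if (WIFSIGNALED(status) && WTERMSIG(status) == sig)
            result = 1;                   /* the signal killed it */
        else if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
            result = 0;                   /* it ignored the signal and finished */
    }
    sigaction(sig, &old, NULL);           /* put the parent back as it was */
    return result;
}

int main(void)
{
    const char *dispnames[] = { "default", "ignored", "caught" };
    const char *signames[] = { "SIGINT", "SIGQUIT" };
    int sigs[] = { SIGINT, SIGQUIT };

    for (int s = 0; s < 2; s++)
        for (int d = DISP_DEFAULT; d <= DISP_CATCH; d++) {
            int r = child_killed_by(sigs[s], (enum disposition)d);
            printf("%-7s %-7s in parent -> child %s\n", signames[s], dispnames[d],
                   r == 1 ? "killed" : r == 0 ? "survived" : "error");
        }
    return 0;
}
```

Only the "ignored" rows survive the signal: the child inherits SIG_IGN and `sleep` runs to completion, which is what the two `signal(..., SIG_IGN)` calls in the patch buy the rc shell. The "caught" rows die just like "default", which is why init catching SIGINT in transition_handler never protected /etc/rc and why a re-arm after read_ttys has to be thought about from the children's point of view as well as init's.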
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9505020006.AA18803>