From owner-freebsd-security@FreeBSD.ORG Tue Sep 15 20:26:55 2009
Date: Tue, 15 Sep 2009 13:27:03 -0700
From: Chris Palmer
To: utisoft@googlemail.com, freebsd-security@freebsd.org
Subject: Re: FreeBSD bug grants local root access (FreeBSD 6.x)
Message-ID: <20090915202703.GF24361@noncombatant.org>
References: <4AAF45B4.60307@isafeelin.org> <0016e6d99efa540b8b047399738b@google.com>
In-Reply-To: <0016e6d99efa540b8b047399738b@google.com>

utisoft@googlemail.com writes:

> It appears to only affect 6.x.... and requires local access. If an
> attacker has local access to a machine you're screwed anyway.

No, the thing you're screwed anyway by is local *physical* access. Merely running a process as a non-root local user should *not* be a "you're screwed anyway" scenario. The fundamental security guarantee of a modern operating system is that different principals cannot affect each other's resources (user chris cannot read or write user jane's email -- let alone root's email).

This bug breaks that guarantee, and is definitely not a ho-hum bug. Remote exploits, which I agree are even worse, are in a sense a special case of breaking the same guarantee: the pseudo-principal "anonymous maniac from the Internet" can affect user root's (or whoever's) resources. Some operating systems even have an explicit "anonymous" user, but the point is the same either way.

--
http://www.noncombatant.org/
http://hemiolesque.blogspot.com/