Date: Thu, 1 Aug 2002 21:34:48 +0200
From: Radko Keves
To: freebsd-security@freebsd.org
Cc: freebsd-current@freebsd.org
Subject: possible bug in chsh chfn
Message-ID: <20020801193448.GA4806@studnet.sk>

Description:

  Unauthorized write access to the /etc directory using the chfn/chsh
  commands in FreeBSD 5.0-CURRENT.

Contributing factors:

  In FreeBSD 5.0, it is possible to fill up the whole partition by using
  the chfn/chsh commands. Normally, users have quotas set up on the
  directories they are allowed to write to, e.g. the home directory,
  /tmp, /var/tmp, etc. Let's say a user has quotas set up this way:

    % quota -u rado
    Disk quotas for user rado (uid 1001):
    Filesystem   usage   quota   limit   grace   files   quota   limit   grace
    /home        66760  500000  550000            3481       0       0
    /tmp        135193  260000  280000            5417       0       0
    ...

  There's normally no need to set up quotas for other partitions (such as
  /, /usr, ...) because ordinary users have no permissions to write/change
  the files in those directories, e.g. in / or /etc.

Symptoms:

  Our experience with the chsh/chfn commands shows that when a user
  changes his/her finger information/shell, these commands invoke the vi
  editor with a temporary file stored in /tmp. Imagine that a user has
  exceeded his/her quota limit for /tmp. Our ordinary user did this by
  filling up the /tmp partition with many large files. The chfn/chsh
  commands then stored their temporary files in the /etc directory with
  the given user's permissions, e.g.:

    % id happy
    uid=2006(happy) gid=58(st1999) groups=58(st1999)
    % quota -u happy
    ...
    /tmp        21995*   20000   22000   7days      6       0       0
    ...

  (We can see that the disk quota is exceeded in /tmp for user happy.)

    % ls -ld /etc
    drwxr-xr-x  20 root  wheel  22016 Aug  1 19:22 /etc
    % ls -l /etc | grep happy
    -rw-------   1 happy  st1999  157278362 Aug  1 19:19 pw.BEMwxq
    -rw-------   1 happy  st1999        154 Aug  1 19:22 pw.KxGCF3
    -rw-------   1 happy  st1999  157278362 Aug  1 19:19 pw.iW7Pmt
    -rw-------   1 happy  st1999  157278362 Aug  1 19:20 pw.rhJq0s
    -rw-------   1 happy  st1999  157278374 Aug  1 19:16 pw.tpPLK4

  Now it is possible for such a user to fill up the root partition
  without having permissions set on /, e.g. with

    % cat /dev/zero >> /etc/pw.KxGCF3

Workaround:

  Our workaround is to either set up quotas for the root partition or
  disable the chsh/chfn commands.

Important Notices:

  1. The chpass, ypchpass, ypchfn, and ypchsh commands also seem to be
     affected by the symptoms described above because they are just hard
     links... :)

  2. When experimenting with the chpass command, it caused a segmentation
     fault when used with the -a argument because of a NULL pointer
     comparison in chpass.c, line 169 (no getpw*(3) library call is
     invoked!!!):

       if ((pw->pw_fields & _PWF_SOURCE) == _PWF_NIS)

       % id happy
       uid=2006(happy) gid=58(st1999) groups=58(st1999)
       % chpass -a qqqqq
       Segmentation fault

     chpass doesn't seem to be locally exploitable. Some changes to the
     source code are needed for normal operation.

Credits:

  pali@unitra.sk
  happy@unitra.sk
  rado@studnet.sk

--
--------------
bye R.R.K.K.
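The condition reported above (chpass-family temporary files named pw.XXXXXX left in /etc under an ordinary user's uid) can be checked for periodically. The following is an added example, not part of the original mail or of FreeBSD's own code; the pw.XXXXXX naming pattern is taken from the listing above, the directory to scan and the set of privileged uids are parameters, and the sample directory is constructed in the script for demonstration.

```python
import os
import re
import stat
import tempfile

# chpass(1) and its hard links (chfn, chsh, ...) write temp files named
# pw. followed by six characters; the mail shows them landing in /etc
# under the calling user's uid once that user's /tmp quota is exhausted.
PW_TEMP = re.compile(r"^pw\.[A-Za-z0-9]{6}$")


def scan_pw_temp_files(directory):
    """Return (path, uid, size) for every regular pw.XXXXXX file that sits
    directly inside `directory`, sorted by path."""
    found = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not PW_TEMP.match(entry.name):
                continue
            st = entry.stat(follow_symlinks=False)
            if stat.S_ISREG(st.st_mode):
                found.append((entry.path, st.st_uid, st.st_size))
    return sorted(found)


def unprivileged_owned(files, privileged_uids=frozenset({0})):
    """Keep only files owned by a non-privileged uid. A root-owned pw.* file
    may be chpass's own in-flight temp file; one owned by an ordinary user
    in /etc is the leftover the report describes."""
    return [f for f in files if f[1] not in privileged_uids]


def audit(directory="/etc", privileged_uids=frozenset({0})):
    """Print offending files and return the total bytes they occupy."""
    stray = unprivileged_owned(scan_pw_temp_files(directory), privileged_uids)
    for path, uid, size in stray:
        print(f"uid={uid} size={size} {path}")
    return sum(size for _, _, size in stray)


def make_sample_dir():
    """Constructed sample tree standing in for /etc (names from the mail,
    sizes chosen arbitrarily); files are owned by whoever runs the script."""
    d = tempfile.mkdtemp(prefix="etc-sample-")
    for name, size in (("pw.KxGCF3", 154), ("pw.BEMwxq", 1024),
                       ("pw.toolong1", 5), ("passwd", 20)):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(b"x" * size)
    return d


if __name__ == "__main__":
    print("bytes in stray pw.* files:", audit(make_sample_dir(), frozenset()))
```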