From: "Simon L. Nielsen"
To: Harti Brandt
Cc: Mike Jakubik, freebsd-current@freebsd.org, Xin LI, Justin Hibbits
Date: Wed, 21 Jun 2006 10:55:26 +0200
Subject: Re: ~/.hosts patch
Message-ID: <20060621085526.GA1150@zaphod.nitro.dk>
In-Reply-To: <20060621082734.Q24109@beagle.kn.op.dlr.de>
List: freebsd-current@freebsd.org (Discussions about the use of FreeBSD-current)

On 2006.06.21 08:31:36 +0200, Harti Brandt wrote:
> On Wed, 21 Jun 2006, Xin LI wrote:
>
> XL>On 2006-06-21 01:54 -0400, Mike Jakubik wrote:
> XL>> [snip]
> XL>> > It's useful for cases where you want to add shortcuts to hosts as a user
> XL>> > or do interesting ssh port forwarding tricks in some weird cases where
> XL>> > you must connect to localhost:port as remotehost:port due to
> XL>> > client/server protocol bugs.
> XL>> >
> XL>> > This patch appears to only support ~/.hosts for non-suid binaries, which
> XL>> > is the only real security issue. Any admin relying on host to IP
> XL>> > mapping for security for ordinary users is an idiot, so that case isn't
> XL>> > worth worrying about. Doing this as a separate nss module probably
> XL>> > makes sense, but I personally like the feature.
> XL>>
> XL>> Of course relying on /etc/hosts entries for security alone is indeed not
> XL>> a good idea; however, an admin may choose to resolve and therefore route
> XL>> specified hostnames via /etc/hosts. The user should not be able to
> XL>> overwrite these. If this behavior is true, then it seems like a
> XL>> reasonable change to me; otherwise it not only seems to be a security
> XL>> problem, but also a breach of POLA.
> XL>
> XL>I think this would be better implemented with an nss module so that the
> XL>administrator can choose whether to utilize the feature.
> XL>
> XL>BTW, I do not see much problem if the feature is not enabled for setuid
> XL>binaries, because the user already knows any secret (run under his or
> XL>her own credential), nor can the user trick others into utilizing the
> XL>~/.hosts if the program is a setuid binary. What's your concern about
> XL>the "security problem", or could you please point out how we can
> XL>successfully exploit the ~/.hosts to get privilege escalation and/or
> XL>information disclosure or something else, which could not happen without
> XL>~/.hosts?
>
> Wouldn't this enable the same kind of phishing attacks there are under
> Windows? As far as I remember there are attacks where the hosts file
> (don't remember how it's called under Windows) is rewritten by a
> virus/JavaScript/whatever to contain a different IP address for a given
> hostname? Suppose someone fakes the website of www.foobank.com, then
> manages to insert www.foobank.com with the wrong IP address into ~/.hosts?

If an attacker is able to write a ~/.hosts you have already lost, and I
really doubt being able to override hosts lookup would make any
difference security-wise. Instead of writing a ~/.hosts file, the
attacker could just start a keylogger on the system, either directly by
some remote code execution, or by installing the keylogger somewhere and
getting it to start on boot, X login etc. by appending to some startup
file. I really don't see how this would make any real difference
security-wise.

-- 
Simon L. Nielsen
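The thread turns on two mechanical points: the user file must be ignored in set-user-ID programs, and (per Mike Jakubik's condition) a user must not be able to redirect a name the admin pinned in /etc/hosts. The block below is an added example written for this page, not the ~/.hosts patch itself (the patch is not shown here, and whether it orders the lookups this way is unknown). It is a toy hosts(5) parser with a resolve() rule of "admin entries win, user entries only fill gaps, and never in a privileged process". On FreeBSD the correct privilege check is issetugid(3); the getuid()/geteuid() comparison used here is a portable approximation so the example builds elsewhere. The sample /etc/hosts and ~/.hosts contents are constructed.

```c
/*
 * Added example, not FreeBSD's ~/.hosts patch.  Names, sample data and
 * the precedence rule in resolve() are assumptions for illustration.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_ENTRIES 64

struct host_entry { char addr[64]; char name[256]; };
struct host_table { struct host_entry e[MAX_ENTRIES]; int n; };

/* Constructed sample data: an admin-controlled /etc/hosts and a user's
 * ~/.hosts that adds shortcuts but also tries to redirect a pinned name. */
static const char SAMPLE_ETC_HOSTS[] =
    "127.0.0.1  localhost\n"
    "10.0.0.5   www.foobank.com   # pinned by the admin\n";

static const char SAMPLE_USER_HOSTS[] =
    "# user shortcuts\n"
    "127.0.0.1  devbox dev.local\n"
    "192.0.2.9  www.foobank.com   # attempted override of an admin entry\n";

/* Parse hosts(5)-format text: "address name [alias ...]", '#' starts a
 * comment.  Fills t with one (name -> address) entry per name/alias and
 * returns the entry count, or -1 if the table overflows. */
static int parse_hosts(const char *text, struct host_table *t)
{
    t->n = 0;
    while (*text != '\0') {
        char line[512];
        size_t full = strcspn(text, "\n");       /* length of this line */
        size_t len = full;
        if (len > sizeof line - 1)
            len = sizeof line - 1;               /* truncate over-long lines */
        memcpy(line, text, len);
        line[len] = '\0';
        text += full;
        if (*text == '\n')
            text++;

        char *hash = strchr(line, '#');           /* drop trailing comment */
        if (hash)
            *hash = '\0';

        char *p = line + strspn(line, " \t");
        if (*p == '\0')
            continue;                            /* blank or comment-only */
        char *addr = p;
        p += strcspn(p, " \t");
        if (*p)
            *p++ = '\0';
        for (;;) {                               /* canonical name + aliases */
            p += strspn(p, " \t");
            if (*p == '\0')
                break;
            char *name = p;
            p += strcspn(p, " \t");
            if (*p)
                *p++ = '\0';
            if (t->n >= MAX_ENTRIES)
                return -1;
            snprintf(t->e[t->n].addr, sizeof t->e[t->n].addr, "%s", addr);
            snprintf(t->e[t->n].name, sizeof t->e[t->n].name, "%s", name);
            t->n++;
        }
    }
    return t->n;
}

/* Hostnames compare case-insensitively. */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

static const char *lookup_in(const struct host_table *t, const char *name)
{
    for (int i = 0; i < t->n; i++)
        if (name_eq(t->e[i].name, name))
            return t->e[i].addr;
    return NULL;
}

/* Policy (assumed, see lead-in): /etc/hosts always wins; ~/.hosts is
 * consulted only for names the admin did not pin, and never when the
 * process runs with privileges it did not inherit from the user. */
static const char *resolve(const struct host_table *sys,
                           const struct host_table *user,
                           int privileged, const char *name)
{
    const char *a = lookup_in(sys, name);
    if (a)
        return a;
    if (privileged || user == NULL)
        return NULL;
    return lookup_in(user, name);
}

/* Portable stand-in for FreeBSD's issetugid(3). */
static int process_is_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Convenience: parse both texts into static tables and resolve one name. */
const char *resolve_text(const char *sys_text, const char *user_text,
                         int privileged, const char *name)
{
    static struct host_table sys, user;
    parse_hosts(sys_text, &sys);
    parse_hosts(user_text ? user_text : "", &user);
    return resolve(&sys, &user, privileged, name);
}

int main(void)
{
    const char *names[] = { "www.foobank.com", "devbox", "nosuch" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *a = resolve_text(SAMPLE_ETC_HOSTS, SAMPLE_USER_HOSTS,
                                     process_is_privileged(), names[i]);
        printf("%-16s -> %s\n", names[i], a ? a : "(not found)");
    }
    return 0;
}
```

Run unprivileged, www.foobank.com resolves to the admin's 10.0.0.5 despite the user's 192.0.2.9 line, devbox resolves through ~/.hosts, and in a set-user-ID process devbox is not found at all. Note that this only addresses the POLA point; Simon's argument stands either way, since an attacker who can write ~/.hosts can equally write ~/.profile or ~/.xsession.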