Date:      Tue, 10 Aug 2010 10:02:35 +0000 (UTC)
From:      Janne Snabb <snabb@epipe.com>
To:        Przemyslaw Frasunek <przemyslaw@frasunek.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: ~/.login_conf mechanism is flawed
Message-ID:  <alpine.BSF.2.00.1008100954230.96753@tiktik.epipe.com>
In-Reply-To: <4C611FA9.6070409@frasunek.com>
References:  <alpine.BSF.2.00.1008100841350.96753@tiktik.epipe.com> <4C611FA9.6070409@frasunek.com>


On Tue, 10 Aug 2010, Przemyslaw Frasunek wrote:

> This seems to be incorrect for both ftpd and sshd on 6.4-RELEASE.
> 
>  41673 sshd     CALL  setuid(0xbb8)
>  41673 sshd     RET   setuid 0
>  41673 sshd     CALL  seteuid(0xbb8)
>  41673 sshd     RET   seteuid 0
>  41673 sshd     NAMI  "/home/venglin/.login_conf"
>  41673 sshd     NAMI  "/home/venglin/.login_conf.db"
>  41673 sshd     NAMI  "/home/venglin/.login_conf.db"

The above actually seems correct to me. Both uid and euid are set
before accessing the capabilities. On 8.1-RELEASE this is different,
only euid is set to the user (to make it possible to access this
file if the home directory happens to be NFS mounted without root
access?).

>  41513 ftpd     CALL  seteuid(0xbb8)
>  41513 ftpd     RET   seteuid 0
>  41513 ftpd     NAMI  "/home/venglin/.login_conf"
>  41513 ftpd     NAMI  "/home/venglin/.login_conf.db"
>  41513 ftpd     NAMI  "/home/venglin/.login_conf.db"

This is clearly wrong: it is still possible to change euid back to 0.
It is still possible to setrlimit() anything.

> Back in 2001 I found a very similar vulnerability in 4.4-RELEASE, which allowed
> reading any file in the system with root privileges:
> 
> http://marc.info/?l=bugtraq&m=100101802423376&w=2

Hehe... I was about to try out this one next.

--
Janne Snabb / EPIPE Communications
snabb@epipe.com - http://epipe.com/
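The difference between the sshd and ftpd traces above is whether the daemon's privilege drop can be undone. Below is an added example, not code from the thread or from FreeBSD, that checks this directly: a forked child drops to an unprivileged uid either with seteuid() alone (as the ftpd trace shows) or with setuid() (as the sshd trace shows), then tries seteuid(0). The function names and the fallback uid 65534 are assumptions made for the example. Run it as root to see the two outcomes differ; as an ordinary user both drops report "permanent" because the process never had a saved uid of 0 to return to.

```c
/*
 * Added example (not from the original mail thread): does a privilege drop
 * survive an attempt to regain euid 0?  Each check runs in a forked child
 * so the parent keeps its own credentials intact.
 */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed unprivileged target uid, used only when we start with ruid 0. */
#define FALLBACK_TARGET_UID ((uid_t)65534)

enum drop_style { DROP_SETEUID_ONLY = 0, DROP_SETUID = 1 };

/* Pick a non-root uid to drop to: our own real uid, or the fallback if root. */
uid_t pick_target_uid(void) {
    uid_t u = getuid();
    return u != 0 ? u : FALLBACK_TARGET_UID;
}

/*
 * Returns 1 if, after dropping to `target` with `style`, the child could NOT
 * get euid 0 back (drop is permanent); 0 if it could (drop is reversible);
 * -1 if the child could not drop at all or fork/wait failed.
 */
int privilege_drop_is_permanent(uid_t target, enum drop_style style) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int rc = (style == DROP_SETUID) ? setuid(target) : seteuid(target);
        if (rc != 0)
            _exit(2);            /* could not drop at all */
        /* This is the state the ftpd trace leaves the daemon in.  With only
         * the euid changed, the saved uid is still 0 and this call succeeds;
         * after setuid() from euid 0 all three ids are changed and it fails. */
        if (seteuid(0) == 0)
            _exit(0);            /* regained root: drop was reversible */
        _exit(1);                /* EPERM: drop was permanent */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    if (code == 2)
        return -1;
    return code == 1;
}

/* What the seteuid()-only drop should report given our starting credentials:
 * reversible (0) if we begin with euid 0, permanent (1) otherwise. */
int expected_seteuid_only_result(void) {
    return geteuid() == 0 ? 0 : 1;
}

int main(void) {
    uid_t target = pick_target_uid();
    printf("starting as ruid %u euid %u, dropping to uid %u\n",
           (unsigned)getuid(), (unsigned)geteuid(), (unsigned)target);
    printf("seteuid() only : %s\n",
           privilege_drop_is_permanent(target, DROP_SETEUID_ONLY) == 1
               ? "permanent" : "REVERSIBLE (can get euid 0 back)");
    printf("setuid()       : %s\n",
           privilege_drop_is_permanent(target, DROP_SETUID) == 1
               ? "permanent" : "REVERSIBLE (can get euid 0 back)");
    return 0;
}
```

The check models only the identity switch, not the subsequent setrlimit() calls; the point it makes is that a daemon in the seteuid()-only state is one syscall away from root again, so anything it later applies from the user-controlled ~/.login_conf is applied with root privilege once it switches back.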


Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.00.1008100954230.96753>