From: Tim Kientzle <tim@kientzle.com>
Reply-To: kientzle@acm.org
To: David Schultz
Cc: cvs-src@FreeBSD.ORG, src-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, Colin Percival, kientzle@acm.org
Date: Mon, 23 Feb 2004 10:32:16 -0800
Subject: Re: cvs commit: src/sbin/nologin Makefile nologin.c
Message-ID: <403A4730.80302@kientzle.com>
In-Reply-To: <20040223075448.GA59307@VARK.homeunix.com>
List-Id: CVS commit messages for the entire tree (cvs-all@freebsd.org)
David Schultz wrote:
> On Sun, Feb 22, 2004, Tim Kientzle wrote:
>>
>> Is there any reason why "login -p" should be permitted
>> if the user's shell is not listed in /etc/shells ?
>>
>> chpass already enforces a clear distinction between
>> "standard" and "non-standard" shells. It seems reasonable
>> for login(1) to also be aware of that distinction.
>
> I suppose the same reasoning would also apply to su and sshd,
> although it's not such a big deal for sshd anymore.

su already enforces restrictions on non-standard shells.

> Since
> nonstandard shells are generally intended to restrict the
> abilities of a user, it would be nice if those shells always
> operated in a sanitized environment.

The attached patch implements this suggestion. I just copied
"chshell" from su (shouldn't some version of this be in libc?)
and made the obvious change.

If you could test this (you seem to already have the exploit
code in place), I'd much appreciate it. If it works as advertised
and no one objects, please commit.

Tim Kientzle

[Attachment: kientzle-login.diff]

Index: login.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/login/login.c,v
retrieving revision 1.98
diff -r1.98 login.c
86a87
> static int chshell(const char *);
468c469,471
< * preservation - but preserve TERM in all cases
---
> * preservation or the user has a non-standard shell. In
> * particular, this prevents environment-poisoning exploits
> * against nologin scripts. Preserve TERM in all cases.
471c474
< if (!pflag)
---
> if (!pflag || !chshell(shell))
936a940,959
>
> /*
> * Return TRUE if the shell is a "standard" shell.
> * (That is, one listed in /etc/shells.)
> */
> static int
> chshell(const char *sh)
> {
> int r;
> const char *cp;
>
> r = 0;
> setusershell();
> while ((cp = getusershell()) != NULL && !r)
> r = (strcmp(cp, sh) == 0);
> endusershell();
> return r;
> }
>
>
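Review bot: in hunk 468c469,471 the rewritten comment says "non-standard shell" but never says what makes a shell standard; since the test that follows is membership in /etc/shells through chshell(), spell that out, e.g. "or the user's shell is not listed in /etc/shells", so the next reader does not have to go and find chshell() to learn the rule.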
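Review bot: in hunk 471c474 the new condition `if (!pflag || !chshell(shell))` compares `shell` exactly as it stands at this point, and the hunk does not show where `shell` is assigned. Confirm that by this line it already holds the shell that will actually be exec'd (after any login.class override and after an empty pw_shell has been mapped to the default shell); if it can still be an empty string here, chshell() returns 0 and -p is refused for precisely the accounts that rely on the default shell. Also consider a message or a syslog entry when -p was requested but the environment is being discarded: the code as written drops it silently, which will look like a broken -p to the user and leaves no trace for the admin.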
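Review bot: in hunk 936a940,959 chshell() is an exact strcmp against whatever getusershell(3) returns, and two consequences of that belong in the comment above it. First, when /etc/shells is missing or unreadable getusershell(3) falls back to its built-in list (/bin/sh and /bin/csh on BSD), so on such a system every other shell, including a locally installed bash, becomes "non-standard" and -p silently stops working for it. Second, a different spelling of the same program (a symlink, a path through a different prefix) does not match; that is the same behaviour as su's copy and errs in the safe direction, but it is worth stating. On style, the `&& !r` in the loop condition works but reads awkwardly; a plain loop with `if (strcmp(cp, sh) == 0) { r = 1; break; }` says the same thing more directly. And since this is a verbatim copy of su's chshell(), as the mail itself notes, a shared helper (libutil would do if libc is too much) would stop the two copies drifting apart; the two trailing blank lines the hunk adds at end of file can also go.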
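As an added example (not part of this message, the attached patch, or FreeBSD's login.c), the two pieces the patch combines, reimplemented in isolation so they can be run on constructed input: a chshell-style lookup against an /etc/shells-style listing, and login's environment reset that carries over TERM and nothing else. The listing, the environment, and the helper names (`is_standard_shell`, `login_environment`, `variables_seen`, `variable_seen`) are all assumptions made for illustration; the real login(1) reads /etc/shells through getusershell(3), which this block replaces with an in-memory array that applies the same skip rules (comments, blank lines, entries not starting with '/'). PATH, IFS and ENV are the kind of variables a restrictive shell script would rather not inherit, which is why the policy hands a non-standard shell only TERM even under -p.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for /etc/shells (sample data, not the real file).
 * getusershell(3) skips comment lines, blank lines and entries that do not
 * begin with '/', so is_standard_shell() does the same. */
static const char *const sample_shells[] = {
    "# /etc/shells: list of acceptable login shells",
    "/bin/sh",
    "/bin/csh",
    "",
    "/usr/local/bin/bash",
    "bin/relative",
    NULL
};

/* Constructed environment as a user running "login -p" might arrange it. */
static char *const sample_env[] = {
    "TERM=xterm",
    "PATH=/tmp/x:/bin:/usr/bin",
    "IFS=:",
    "ENV=/tmp/rc",
    NULL
};

/* Equivalent of the patch's chshell(): 1 if sh is listed, exact match only. */
int is_standard_shell(const char *sh, const char *const *shells)
{
    for (; *shells != NULL; shells++) {
        if ((*shells)[0] != '/')
            continue;               /* comment, blank line or relative entry */
        if (strcmp(*shells, sh) == 0)
            return 1;
    }
    return 0;
}

static char *dupstr(const char *s)
{
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (p != NULL)
        memcpy(p, s, len);
    return p;
}

/* Build the environment the shell receives, following the patched rule:
 * keep the caller's environment only when -p was given AND the shell is
 * standard; otherwise start empty and carry over TERM alone.
 * Returns a malloc'd NULL-terminated array (free with free_environment). */
char **login_environment(char *const *env, int pflag, const char *shell,
                         const char *const *shells)
{
    size_t n, i;
    const char *term = NULL;
    char **out;

    for (n = 0; env[n] != NULL; n++)
        if (strncmp(env[n], "TERM=", 5) == 0)
            term = env[n];

    if (pflag && is_standard_shell(shell, shells)) {
        out = calloc(n + 1, sizeof *out);
        if (out == NULL)
            return NULL;
        for (i = 0; i < n; i++)
            out[i] = dupstr(env[i]);
        return out;
    }
    out = calloc(2, sizeof *out);   /* TERM (if present) plus terminator */
    if (out != NULL && term != NULL)
        out[0] = dupstr(term);
    return out;
}

void free_environment(char **env)
{
    size_t i;
    if (env == NULL)
        return;
    for (i = 0; env[i] != NULL; i++)
        free(env[i]);
    free(env);
}

/* How many variables the shell ends up seeing for the constructed data. */
int variables_seen(int pflag, const char *shell)
{
    char **env = login_environment(sample_env, pflag, shell, sample_shells);
    int n = 0;
    if (env == NULL)
        return -1;
    while (env[n] != NULL)
        n++;
    free_environment(env);
    return n;
}

/* 1 if variable `name` survives into the shell's environment. */
int variable_seen(int pflag, const char *shell, const char *name)
{
    char **env = login_environment(sample_env, pflag, shell, sample_shells);
    size_t len = strlen(name);
    int found = 0, i;
    if (env == NULL)
        return -1;
    for (i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            found = 1;
    free_environment(env);
    return found;
}

int main(void)
{
    printf("login -p, /bin/sh:       %d variables\n", variables_seen(1, "/bin/sh"));
    printf("login -p, /sbin/nologin: %d variables\n", variables_seen(1, "/sbin/nologin"));
    printf("login,    /bin/sh:       %d variables\n", variables_seen(0, "/bin/sh"));
    return 0;
}
```

The exact-match rule is deliberate and mirrors the patch: a relative entry or a different spelling of the same binary does not count as standard, so the failure mode is a dropped environment rather than a preserved one.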