From: Karl Denninger
Message-Id: <199610180542.AAA11030@Jupiter.Mcs.Net>
Subject: Re: cvs commit: src/lib/libc/db/hash hash_buf.c
To: gibbs@freefall.freebsd.org (Justin T. Gibbs)
Date: Fri, 18 Oct 1996 00:42:18 -0500 (CDT)
Cc: karl@Mcs.Net, jdp@polstra.com, ache@nagual.ru, guido@gvr.win.tue.nl, thorpej@nas.nasa.gov, phk@critter.tfs.com, freebsd-hackers@freebsd.org, tech-userlevel@NetBSD.ORG
In-Reply-To: <199610180533.WAA26215@freefall.freebsd.org> from "Justin T. Gibbs" at Oct 17, 96 10:33:46 pm

> >Forcing ANYTHING that touches authentication to refuse to dump core is not
> >the answer.  Yet that is the only answer that you leave available.
> >
> >Worse, that doesn't even BEGIN to address the problems that come about if
> >you can ptrace() the process -- which, for something like this, is a REAL
> >problem.
> >
> >You MUST be able to *know* that all privileged data has been nuked BEFORE
> >you relinquish privileged operation.  This isn't an option folks -- it's a
> >REQUIREMENT for security reasons.
> >
> >Figure it out.  ftpd is not the only affected program here; just the most
> >commonly known and exploited.
>
> Did you miss a portion of this thread?  I think that Jason already
> addressed all of these issues.

I don't think so.  Please enlighten me.

> The program can core dump, the core dump will simply only be readable
> by root.

IMHO, and sorry for being blunt, but that's a crock.

So now you're going to drop a core file in a user's directory that's root
and mode 700 -- regardless of how umask is set, etc?

It's better to not have the problem in the first place.

> There are already protections enforced to disallow non-privileged users
> from ptracing programs that are setuid/setgid.

A program which calls setuid() isn't SUID any more.  Once done, that's
terminal (and can't be "recalled").

The problem here is that authentication data must be able to be *known*
destroyed in the data segment BEFORE a non-privileged user can get to the
image of the data segment via any means -- ptrace, procfs, core dumps, etc.

If you do that, you get rid of the entire problem -- and if done in the
libraries it's not just ftpd that this fixes.

What's the objection to clearing possibly-contaminated structures when a
program signifies it's done with a privileged resource?

> --
> Justin T. Gibbs
> ===========================================
>   FreeBSD: Turning PCs into workstations
> ===========================================

--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1 from $600 monthly; speeds to DS-3 available
                             | 23 Chicagoland Prefixes, 13 ISDN, much more
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax:   [+1 312 248-9865]     | Home of Chicago's only FULL Clarinet feed!