From owner-freebsd-security Tue Feb 18 00:42:42 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id AAA11257 for security-outgoing; Tue, 18 Feb 1997 00:42:42 -0800 (PST)
Received: from vector.jhs.no_domain (slip139-92-4-66.mu.de.ibm.net [139.92.4.66]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id AAA10362; Tue, 18 Feb 1997 00:40:24 -0800 (PST)
Received: (from jhs@localhost) by vector.jhs.no_domain (8.7.5/8.6.9) id TAA02087; Mon, 17 Feb 1997 19:19:45 +0100 (MET)
Date: Mon, 17 Feb 1997 19:19:45 +0100 (MET)
Message-Id: <199702171819.TAA02087@vector.jhs.no_domain>
To: security-officer@freebsd.org
cc: security@freebsd.org, core@freebsd.org
Subject: I guess we need to read all code, not just SUID stuff !
From: "Julian H. Stacey"
Reply-To: "Julian H. Stacey"
X-Email: jhs@freebsd.org, Fallback: jhs@gil.physik.rwth-aachen.de
X-Organization: Vector Systems Ltd.
X-Mailer: EXMH 1.6.7, PGP available
X-Address: Holz Strasse 27d, 80469 Munich, Germany
X-Tel: +49.89.268616
X-Fax: +49.89.2608126
X-Web: http://www.freebsd.org/~jhs/
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

security-officer@freebsd.org
cc security@freebsd.org, core@freebsd.org

PS best leave jhs@freebsd.org on cc line, as not sure if I'm on the security@freebsd.org list.

I'm hoping to be told I'm wrong below, I'll be disappointed (& others more so) if I'm right :-)
.....

Ref. the freefall break in, & the planting of trojans in bin path, & possible planting of trojans in src/ & intention to read code for manipulation ...

We presumably don't need to just read the SUID stuff, we need to read all 120M of src/ :-( because one could for instance go hack a non SUID prog like /bin/ls so that

	if (getuid != 0)
		do a normal ls
	else {
		ls ;	/* so no one notices different behaviour, then */
		do some nasty security thing;
	}

So one thinks we only need to read all SUID 0 stuff _&_ anything that uses getuid(), but Worse ...
what if there's some hacked utility like ls or who, that root will someday use, that does:

	{
		do a normal ls type thing ;
		(void) {
			(maybe fork) and do a devilish thing, that will silently fail
			if invoked by a normal user, but that will succeed with
			something nasty, if invoked by root.
		}
	}

notice no getuid or suid above !, so we're back to the whole of src/ :-(

I know this will be unpopular, particularly with John Dyson et al, who's busy committing away at the 4.4 lite 2 stuff, ... but if we really do have to go & read all 120M of src/, wouldn't it be a lot better :-
- rebuilding freefall from a known good CD,
- reloading the CVS tree from a 3 or 4 week old tape (or rebuilding it from ctms applied to a cvs tree from up to about 3 weeks ago),
- then extracting the src/,
- then doing a parallel { let john & co recommit the 4.4 fixes & things, let loose the code readers just on the suid 0 stuff }

it'd be a _lot_ less work than having to read the whole of src/

If that's the way we need to go, the sooner we stop committers from doing work they'll need to repeat, the less aggravation for them ?

Someone tell me I'm wrong ! I hope I'm wrong :-) I want to be wrong, but I'd prefer to know why :-)

(PS I'll volunteer for some small part of the `read', but my car's just broken down & I need to spend time finding a job, so I'd prefer something smallish to check.)

Julian
---
Julian H. Stacey http://www.freebsd.org/~jhs/
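One defender-side way to make the "reload src/ from a known-good tape, then read only what changed" plan concrete, added here as an example and not part of Julian's mail or of FreeBSD's own tooling: a POSIX shell function that hashes every file in a trusted tree and in the suspect tree and lists only modified, added or removed paths, so code readers get a short list instead of all 120M of src/. It assumes sha256sum (GNU) or sha256 (FreeBSD) is on the PATH; the directory arguments are placeholders.

```shell
#!/bin/sh
# Added example, not from the original mail: given a trusted source tree (e.g.
# extracted from a known-good tape or CD) and the suspect tree, list only the
# files a reviewer must actually read: modified (M), added (A) or removed (D).
# Assumes sha256sum (GNU) or sha256 (FreeBSD) is on the PATH.

# Print the hex digest of one file.
hashfile() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# manifest DIR: one "digest<TAB>relative/path" line per regular file.
manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(hashfile "$f")" "${f#./}"
    done )
}

# tree_changes TRUSTED SUSPECT: emit "M path", "A path" or "D path",
# sorted, for every path whose content differs between the two trees.
tree_changes() {
    t=$(mktemp) s=$(mktemp)
    manifest "$1" > "$t"
    manifest "$2" > "$s"
    awk -F'\t' '
        FILENAME == ARGV[1] { trusted[$2] = $1; next }   # load trusted manifest
        !($2 in trusted)    { print "A " $2; next }       # only in suspect tree
        trusted[$2] != $1   { print "M " $2 }             # same path, new content
                            { delete trusted[$2] }        # present in both trees
        END { for (p in trusted) print "D " p }           # left over: removed
    ' "$t" "$s" | LC_ALL=C sort
    rm -f "$t" "$s"
}

# Usage (placeholder paths): tree_changes /mnt/trusted/src /usr/src
```

Every "M" and "A" line is a file to read; everything else in the suspect tree is byte-identical to the trusted copy and can be skipped.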