From: Alexandre Snarskii
To: Allen Smith, Warner Losh
Cc: security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Date: Mon, 20 Jul 1998 17:38:00 +0400
Message-ID: <19980720173800.17978@nevalink.ru>
References: <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org> <9807192209.ZM23527@beatrice.rutgers.edu>
In-Reply-To: <9807192209.ZM23527@beatrice.rutgers.edu>; from Allen Smith on Sun, Jul 19, 1998 at 10:09:29PM -0400
X-Mailer: Mutt 0.89i
Sender: owner-freebsd-security@FreeBSD.ORG

On Sun, Jul 19, 1998 at 10:09:29PM -0400, Allen Smith wrote:
> On Jul 19, 7:48pm, Warner Losh (possibly) wrote:
>
> > I think that most, but not all, of the problems can be fixed by making
> > the stack non-executable for set[gu]id binaries. This will fix the
> > attacks where elevated privs are used to get access. However, I'm not
> > completely sure about this because there are many problems with this
> > idea, not the least of which is that it feels like a band-aid to me.
>
> I'd suggest adding anything executing with an effective uid of root;
> keep in mind servers.
> I've actually worked on this with the
> libparanoia's libc substitution, at least with the non-assembler ones;
> I'll try to find the time to test soon whether this actually speeds
> things up.

A better approach is (every suid/sgid program) or (euid == 0).

Patch to libparanoia/stentry.c attached. (You have no need to patch any
other file: all checks are in stentry.c; the others are just standard files
from /usr/src/lib/libc with calls to the stentry.c functions added.)

Patched libparanoia available at
ftp://ftp.lexa.ru/pub/domestic/snar/libparanoia.1.1.tgz

-- 
Alexandre Snarskii
the source code is included

Attachment: libparanoia10

Index: libparanoia/stentry.c
diff -c libparanoia/stentry.c:1.3 libparanoia/stentry.c:1.5
*** libparanoia/stentry.c:1.3	Tue Jul 14 21:04:50 1998
--- libparanoia/stentry.c	Mon Jul 20 17:19:19 1998
***************
*** 23,34 ****
--- 23,41 ----
  closelog();\
  kill(SIGSEGV,getpid());\
  exit(1) ;\
+ 
+ static int docheck=-1; /* -1 - still unknown, 0 - do not check, 1 - do check */
  void enter_violation()
  {
  int i;
  unsigned bp=getbp();
+ if(!docheck) return ;
+ if(docheck==-1) {
+ 	if(issetugid()||(!geteuid())) docheck=1;
+ 	else docheck=0;
+ };
  invflag++;
  if(invflag>1) return;
  bzero(save,sizeof(save));
***************
*** 59,64 ****
--- 66,73 ----
  {
  int i;
  unsigned bp=getbp();
+ if(!docheck) return ; /* at exit_violation docheck is _always_
+ 	initialised, so we can skip checking of -1 */
  if(invflag>1) {
  invflag--;
  return;
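Review bot: in the first hunk (the enter_violation change, lines 23-41) the privilege decision is computed once, on the first guarded call, and then frozen in docheck for the life of the process, so a process that changes credentials afterwards (seteuid(0) from a real uid of 0, say) keeps the stale answer and is never checked; consider re-evaluating when credentials change, or treating getuid()==0 as privileged as well. Two smaller points in the same hunk: the `};` closing the if block leaves a stray empty statement, and the context line `kill(SIGSEGV,getpid());\` in the violation macro has kill(2)'s arguments reversed (pid first, then signal); that is not this change's doing, but it is worth fixing while the file is open.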
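Review bot: in the second hunk (exit_violation, lines 66-73) the comment's claim that docheck is always initialised by this point holds only because enter_violation is the sole place that sets it and is always called first; the early `return` in enter_violation happens before `invflag++` and this one before `invflag--`, so the two stay balanced, but the invariant rests on call order rather than on the code. Factoring the test into one small static helper that performs the -1 initialisation and calling it from both functions removes the dependency and the comment. Minor: the continuation line of the block comment should be indented to line up with the opening `/*`.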
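To make the gating rule from the patch, and the return-address check it gates, concrete, here is an added example in C. It is not libparanoia's code and not from this thread. Assumptions: issetugid() is used only where it exists (the BSDs); elsewhere a real-versus-effective id comparison stands in for it, which is weaker; libparanoia's getbp()-based frame walk is replaced by an explicit shadow stack so the check can return a result instead of killing the process; the names paranoia_should_check, paranoia_set_policy, shadow_enter, shadow_exit and guarded_function are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Privilege gate as in the patch: -1 = not yet decided, 0 = skip checks,
 * 1 = check. Decided once, on first use, from the process credentials. */
static int docheck = -1;

static int process_is_privileged(void)
{
#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__)
    /* The patch's own test: exec'd set-id (or credentials changed since
     * exec) or running as root. */
    return issetugid() || geteuid() == 0;
#else
    /* Assumption: no issetugid() here (glibc), so approximate it by
     * comparing real and effective ids. Unlike issetugid() this misses a
     * process that has already dropped back to its real ids. */
    return getuid() != geteuid() || getgid() != getegid() || geteuid() == 0;
#endif
}

/* Lazily cached decision, the same shape as the docheck logic in the patch. */
int paranoia_should_check(void)
{
    if (docheck == -1)
        docheck = process_is_privileged() ? 1 : 0;
    return docheck;
}

/* Hook for tests and for code that changes credentials: 1 = check,
 * 0 = skip, -1 = decide again on next use. */
void paranoia_set_policy(int policy) { docheck = policy; }

/* Shadow stack of saved return addresses. libparanoia reads the frame chain
 * through getbp(); this explicit-argument version shows the same
 * save-on-entry / compare-on-exit idea without the assembler parts. */
#define SHADOW_DEPTH 128
static uintptr_t shadow[SHADOW_DEPTH];
static int shadow_top;
static int violations;

void shadow_enter(void *ret_addr)
{
    if (!paranoia_should_check())
        return;
    if (shadow_top < SHADOW_DEPTH)
        shadow[shadow_top] = (uintptr_t)ret_addr;
    shadow_top++;            /* keep counting past the limit so pops balance */
}

/* Returns 1 when the return address still equals the saved one, 0 when it
 * was overwritten (where libparanoia would syslog and kill the process). */
int shadow_exit(void *ret_addr)
{
    if (!paranoia_should_check())
        return 1;
    if (shadow_top == 0)
        return 1;                        /* unbalanced call: nothing saved */
    shadow_top--;
    if (shadow_top >= SHADOW_DEPTH)
        return 1;                        /* deeper than we recorded */
    if (shadow[shadow_top] != (uintptr_t)ret_addr) {
        violations++;
        return 0;
    }
    return 1;
}

int shadow_violations(void) { return violations; }

/* How instrumented code uses it: save the caller's address on entry and
 * verify it before returning. With an intact frame both calls agree, so
 * this returns the input length; on a mismatch it returns -1. */
__attribute__((noinline)) int guarded_function(const char *input)
{
    char buf[32];
    int n = 0;
    shadow_enter(__builtin_return_address(0));
    snprintf(buf, sizeof buf, "%s", input);      /* bounded copy, frame intact */
    while (buf[n])
        n++;
    return shadow_exit(__builtin_return_address(0)) ? n : -1;
}

int main(void)
{
    paranoia_set_policy(1);                       /* behave as a set-id/root process */
    printf("guarded_function(\"hello\") = %d\n", guarded_function("hello"));
    shadow_enter((void *)(uintptr_t)0x1000);      /* simulate an overwritten return address */
    printf("tampered exit passes? %d\n", shadow_exit((void *)(uintptr_t)0xdead));
    printf("violations so far: %d\n", shadow_violations());
    return 0;
}
```

With the gate forced on, guarded_function passes its own check and the simulated tampered return address is reported; with the gate off, the same mismatch is ignored, which is exactly the cost/coverage trade the patch makes for unprivileged processes.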