Date: Mon, 17 Feb 1997 19:19:45 +0100 (MET)
From: "Julian H. Stacey" <jhs@freebsd.org>
To: security-officer@freebsd.org
Cc: security@freebsd.org, core@freebsd.org
Subject: I guess we need to read all code, not just SUID stuff !
Message-ID: <199702171819.TAA02087@vector.jhs.no_domain>
security-officer@freebsd.org
cc security@freebsd.org,core@freebsd.org
PS best leave jhs@freebsd.org on cc line,
as not sure if I'm on the security@freebsd.org list.
I'm hoping to be told I'm wrong below,
I'll be disappointed (& others more so) if I'm right :-) .....
Ref. the freefall break in, & the planting of trojans, in bin path,
& possible planting of trojans in src/
& intention to read code for manipulation ...
We presumably don't need to just read the SUID stuff,
we need to read all 120M of src/ :-(
because one could for instance go hack a non SUID prog like /bin/ls so that
(if getuid != 0)
do a normal ls
else
{
ls ; /* so no one notices different behaviour, then */
do some nasty security thing;
}
So one thinks
we only need to read all SUID 0 stuff _&_ anything that uses getuid(),
but Worse ... what if there's some hacked utility like ls or who, that
root will someday use, that does:
{
do a normal ls type thing ;
(void) { (maybe fork) and do a devilish thing, that will silently
fail if invoked by a normal user, but that will
succeed with something nasty, if invoked by root. }
}
notice no getuid or suid above !, so we're back to the whole of src/ :-(
I know this will be unpopular, particularly with John Dyson et al,
who's busy committing away at the 4.4 lite 2 stuff,
... but if we really do have to go & read all 120M of src/,
wouldn't it be a lot better :-
- rebuilding freefall from a known good CD,
- reloading the CVS tree from a 3 or 4 week old tape
(or rebuilding it from ctms applied to a cvs tree from up to
about 3 weeks ago,
- then extracting the src/,
- then doing a parallel
{
let john & co recommit the 4.4 fixes & things,
let loose the code readers just on the suid 0 stuff
}
it'd be a _lot_ less work than having to read the whole of src/
If that's the way we need to go, the sooner we stop committers from doing
work they'll need to repeat, the less aggravation for them ?
Someone tell me I'm wrong ! I hope I'm wrong :-)
I want to be wrong, but I'd prefer to know why :-)
(PS I'll volunteer for some small part of the `read',
but my car's just broken down & I need to spend time finding a job,
so I'd prefer something smallish to check.)
Julian
---
Julian H. Stacey <jhs@freebsd.org> http://www.freebsd.org/~jhs/
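An added illustration of the approach the message argues for (restore a known-good tree from CD or tape, then find what differs, instead of reading all of src/); this is example code written for this archive page, not anything from the original message or the FreeBSD project, and the directory layout and file contents it builds are constructed for the demo.

```python
import hashlib
import os
import tempfile


def tree_manifest(root):
    """Map each file's path (relative to root) to its SHA-256.
    Symlinks are recorded by target, not followed, so a planted link
    cannot redirect the check to a clean copy elsewhere."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                manifest[rel] = "link:" + os.readlink(full)
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def compare_trees(known_good, suspect):
    """Classify every path as modified, added (planted) or missing."""
    good = tree_manifest(known_good)
    bad = tree_manifest(suspect)
    return {
        "modified": sorted(p for p in good if p in bad and good[p] != bad[p]),
        "added": sorted(p for p in bad if p not in good),
        "missing": sorted(p for p in good if p not in bad),
    }


def demo():
    """Constructed sample: a clean bin/ and a copy with one altered
    file and one planted file (placeholder bytes, not real binaries)."""
    base = tempfile.mkdtemp()
    clean, suspect = os.path.join(base, "clean"), os.path.join(base, "suspect")
    for root in (clean, suspect):
        os.makedirs(os.path.join(root, "bin"))
        for name in ("ls", "who"):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(name.encode() + b"-binary")
    with open(os.path.join(suspect, "bin", "ls"), "wb") as f:
        f.write(b"ls-binary-altered")
    with open(os.path.join(suspect, "bin", "extra"), "wb") as f:
        f.write(b"planted")
    return compare_trees(clean, suspect)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Only the files reported as modified or added need a code reader's attention; the rest are byte-identical to the known-good media.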