Date:      Wed, 24 Jul 2002 19:11:52 +0200
From:      Pawel Jakub Dawidek <nick@garage.freebsd.pl>
To:        freebsd-hackers@freebsd.org
Subject:   What for we need set-uid-root on passwd/chpass/etc.?:)
Message-ID:  <20020724171152.GA91362@garage.freebsd.pl>

Hello there...

I hope nobody will kill me for this post.
Here is my idea of how to remove set-uid-root from applications like
passwd/chpass/chsh/chfn/etc. I think this way we will be much more
secure.
http://garage.freebsd.pl/pwd_parser.tgz

And now description (from README):

I've created this parser because I want to remove set-uid-root from the
following applications:
/usr/bin/passwd
/usr/bin/chpass
/usr/bin/chfn
/usr/bin/chsh
[...]
And pwd_parser is one little set-uid-root program for all of those applications.
This is something like a bridge between passwd/chpass/etc. (now set-gid on the
"passwd" group) and pwd_mkdb(8).
The parser can only be run by "passwd" group members or root, so users can't
run it directly.
Thanks to the many tests made by this code, even if passwd/chpass/etc. is broken,
an attacker could only modify his own "password" and "change" fields
(optionally "comment" and "shell"). He can't change his uid or root's password,
for example.
The temp file created by the user has only one line, the line with info about
him, not all the records from the /etc/master.passwd file. The rest of the
records are taken directly from master.passwd by the parser. All characters in
the user's line should be printable (isprint(3)).
If the user can change the shell, the parser will check that it is a valid shell
(it should be in /etc/shells).
The login and uid in the user's temp file given to the parser are compared with
the real uid of the pwd_parser process. This is the best way to check that the
user doesn't want to modify different lines in the password file or his uid in
this file.
Arguments for pwd_mkdb(8) are also precisely checked.
Permissions and owner user and group of the temp file are checked too.
The parser's code is clean (written to style(9) standards) and very simple, so
it is easy to audit, I think.

Note that no tests are made if root runs passwd/chpass/etc. and the temp file is
placed in /etc/ instead of /tmp/.

Modified source files:
/usr/src/usr.bin/chpass/Makefile
/usr/src/usr.bin/chpass/pw_copy.c
/usr/src/usr.bin/passwd/Makefile
/usr/src/usr.sbin/pwd_mkdb/pwd_mkdb.c
/usr/src/usr.sbin/vipw/pw_util.c

And here you have the modifications to the files in the system:

	-rw-r-----  1 root  passwd  [...]  /etc/master.passwd
	-rw-r-----  1 root  passwd  [...]  /etc/spwd.db
	-r-xr-sr-x  2 root  passwd  [...]  /usr/bin/passwd
	-r-xr-sr-x  6 root  passwd  [...]  /usr/bin/chsh
	-r-xr-sr-x  6 root  passwd  [...]  /usr/bin/chpass
	-r-xr-sr-x  6 root  passwd  [...]  /usr/bin/chfn
	-r-sr-x---  1 root  passwd  [...]  /usr/sbin/pwd_parser

If passwd/chpass/etc. is broken, an attacker could only read
/etc/master.passwd. If pwd_parser is broken, users can't run
it directly, so I think that if he wants to use it, there would have to be a
security hole in passwd/chpass too.

I know that passwd/chpass are safe (no security holes for a long time, or
ever), but what do you think about this solution?

-- 
Pawel Jakub Dawidek
UNIX Systems Administrator
http://garage.freebsd.pl
Am I Evil? Yes, I Am.
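
The checks the README above describes, as an added example in C that is not the pwd_parser code from the post: it validates the one master.passwd(5) line a user hands in against the caller's real login and uid, rejects non-printable characters and any extra record, and requires a shell from an allowed list (pwd_parser would take that list from /etc/shells via getusershell(3)). The function name, error codes and the sample lines in the test are my own, constructed for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#define PW_FIELDS 10   /* name:pw:uid:gid:class:change:expire:gecos:home:shell */
#define PW_MAXLINE 1024
enum pw_err { PW_OK = 0, PW_NONPRINT, PW_FORMAT, PW_WRONG_USER, PW_BAD_SHELL };

/* Check the single master.passwd(5) line an unprivileged user handed in.
 * real_uid/real_login describe the caller (getuid(2), getpwuid(3));
 * shells is a NULL-terminated list of permitted shells (getusershell(3)). */
int
validate_pw_line(const char *line, uid_t real_uid, const char *real_login,
    const char *const *shells)
{
	char buf[PW_MAXLINE], *f[PW_FIELDS], *p = buf, *end;
	long uid;
	int i;

	/* 1. Only printable characters: no newline that could smuggle in a
	 *    second record, no NUL or control characters. */
	for (i = 0; line[i] != '\0'; i++)
		if (!isprint((unsigned char)line[i]))
			return (PW_NONPRINT);
	if (i >= PW_MAXLINE)
		return (PW_FORMAT);
	memcpy(buf, line, i + 1);

	/* 2. Exactly ten colon-separated fields, i.e. exactly one record. */
	for (i = 0; i < PW_FIELDS - 1; i++) {
		f[i] = p;
		if ((p = strchr(p, ':')) == NULL)
			return (PW_FORMAT);
		*p++ = '\0';
	}
	f[PW_FIELDS - 1] = p;
	if (strchr(p, ':') != NULL)
		return (PW_FORMAT);

	/* 3. Login and uid must be the caller's own: only his line may change. */
	uid = strtol(f[2], &end, 10);
	if (strcmp(f[0], real_login) != 0 || *f[2] == '\0' || *end != '\0' ||
	    uid < 0 || (uid_t)uid != real_uid)
		return (PW_WRONG_USER);
	/* 4. The shell must be one the system permits (/etc/shells). */
	for (i = 0; shells[i] != NULL; i++)
		if (strcmp(f[9], shells[i]) == 0)
			return (PW_OK);
	return (PW_BAD_SHELL);
}
```

A real parser should also compare the remaining fields (gid, class, expire, home directory) against the user's existing record, so that only the password, change, comment and shell fields can differ from what is already in master.passwd.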
