From owner-freebsd-security@FreeBSD.ORG Mon Jul 26 07:23:19 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6F8AE16A4CE for ; Mon, 26 Jul 2004 07:23:19 +0000 (GMT) Received: from pc5.i.0x5.de (n.0x5.de [213.146.113.119]) by mx1.FreeBSD.org (Postfix) with ESMTP id 127C643D39 for ; Mon, 26 Jul 2004 07:23:17 +0000 (GMT) (envelope-from nicolas@i.0x5.de) Received: from pc5.i.0x5.de (nicolas@localhost [127.0.0.1]) by pc5.i.0x5.de (8.12.11/8.12.11) with ESMTP id i6Q7NDSP063879 for ; Mon, 26 Jul 2004 09:23:13 +0200 (CEST) (envelope-from nicolas@pc5.i.0x5.de) Received: (from nicolas@localhost) by pc5.i.0x5.de (8.12.11/8.12.11/Submit) id i6Q7NDDr063878 for freebsd-security@freebsd.org; Mon, 26 Jul 2004 09:23:13 +0200 (CEST) (envelope-from nicolas) Date: Mon, 26 Jul 2004 09:23:13 +0200 From: Nicolas Rachinsky To: freebsd-security@freebsd.org Message-ID: <20040726072312.GA61352@pc5.i.0x5.de> Mail-Followup-To: freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="BOKacYhQ+x31HxR3" Content-Disposition: inline X-Powered-by: FreeBSD X-Homepage: http://www.rachinsky.de X-PGP-Keyid: C11ABC0E X-PGP-Fingerprint: 19DB 8392 8FE0 814A 7362 EEBD A53B 526A C11A BC0E X-PGP-Key: http://www.rachinsky.de/nicolas/nicolas_rachinsky.asc User-Agent: Mutt/1.5.6i X-Content-Filtered-By: Mailman/MimeDel 2.1.1 Subject: Fw: init scripts and su X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Jul 2004 07:23:19 -0000 --BOKacYhQ+x31HxR3 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hallo, I think the same problem exists in our rc.d scripts. Nicolas --BOKacYhQ+x31HxR3 Content-Type: message/rfc822 Content-Disposition: inline X-Env-From: X-Env-To: Received: from localhost (fetchmail@localhost [127.0.0.1]) by pc5.i.0x5.de (8.12.11/8.12.11) with ESMTP id i6Q4vp3s059776 for ; Mon, 26 Jul 2004 06:57:51 +0200 (CEST) bounce-debian-security=list=rachinsky.de@lists.debian.org) Envelope-to: list@rachinsky.de Delivery-date: Mon, 26 Jul 2004 06:55:49 +0200 Received: from pop.kundenserver.de [212.227.15.165]pt6334525-123) for nicolas@localhost (single-drop); Mon, 26 Jul 2004 06:57:51 +0200 (CEST) Received: from [146.82.138.6] (helo=murphy.debian.org) by mxng07.kundenserver.de with esmtp (Exim 3.35 #1) id 1BoxWf-0008Dq-00 for list@rachinsky.de; Mon, 26 Jul 2004 06:55:49 +0200 Received: from localhost (localhost [127.0.0.1]) by murphy.debian.org (Postfix) with QMQP id AA443F12F; Sun, 25 Jul 2004 23:54:07 -0500 (CDT) Old-Return-Path: X-Original-To: debian-security@lists.debian.org Received: from smtp.sws.net.au (smtp.sws.net.au [61.95.69.6]) by murphy.debian.org (Postfix) with ESMTP id 60F72F129; Sun, 25 Jul 2004 23:53:57 -0500 (CDT) Received: from localhost (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id 92F4061CA1; Mon, 26 Jul 2004 14:54:00 +1000 (EST) Received: from smtp.sws.net.au ([127.0.0.1]) by localhost (smtp [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 01992-10; Mon, 26 Jul 2004 14:54:00 +1000 (EST) Received: from lyta.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id EAD9161C9F; Mon, 26 Jul 2004 14:53:59 +1000 (EST) Received: from localhost (localhost [127.0.0.1]) by lyta.coker.com.au (Postfix) with ESMTP id B1D8BB59A6; Mon, 26 Jul 2004 14:53:57 +1000 (EST) From: Russell Coker Reply-To: russell@coker.com.au Subject: init scripts and su Date: Mon, 26 Jul 2004 14:53:56 +1000 User-Agent: KMail/1.6.2 To: debian-devel@lists.debian.org Cc: debian-security@lists.debian.org MIME-Version: 1.0 Content-Type: Multipart/Mixed; boundary="Boundary-00=_k5IBBE2GPW9IlXo" Message-Id: <200407261453.56729.russell@coker.com.au> X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at sws.net.au X-Rc-Virus: 2004-07-20_01 X-Rc-Spam: 2004-07-19_01 X-Spam-Checker-Version: SpamAssassin 2.63-lists.debian.org_2004_07_08_01 (2004-01-11) on murphy.debian.org X-Spam-Status: No, hits=-3.7 required=4.0 tests=IMPRONONCABLE_1,LDOSUBSCRIBER, MURPHY_WRONG_WORD1,MURPHY_WRONG_WORD2 autolearn=no version=2.63-lists.debian.org_2004_07_08_01 X-Spam-Level: Resent-Message-ID: Resent-From: debian-security@lists.debian.org X-Mailing-List: archive/latest/16015 X-Loop: debian-security@lists.debian.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Archive: Precedence: list Resent-Sender: debian-security-request@lists.debian.org Resent-Date: Sun, 25 Jul 2004 23:54:07 -0500 (CDT) X-SPAMFREE: BOGO=1 CRM=1 SAR=1 SAL=1 BOGOTE=1 BOGOTOE=1 CRM2=1 <20040726045805> --Boundary-00=_k5IBBE2GPW9IlXo Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline The start scripts for some daemons do "su - user" or use "start-stop-daemon -c" to launch the daemon, postgresql is one example. During the time between the daemon launch and it closing it's file handles and calling setsid(2) (which some daemons don't do because they are buggy) any other code running in the same UID could take over the process via ptrace, fork off a child process that inherits the administrator tty, and then stuff characters into the keyboard buffer with ioctl(fd,TIOCSTI,&c) (*). To address these issues for Fedora I have written a program named init_su. init_su closes all file handles other than 1 and 2 (stdout and stderr). File handles 1 and 2 are fstat()'d, if they are regular files or pipes then they are left open (no attack is possible through a file or pipe), otherwise they are closed and /dev/null is opened instead. /dev/null is opened for file handle 0 regardless of what it might have pointed to previously. Then setsid() is called to create a new session for the process (make it a group leader), this invalidates /dev/tty. Then the uid is changed and the daemon is started. I have attached the source code to init_su, please check it out and tell me what you think. After the discussion concludes I will write a patch for start-stop-daemon to give similar functionality. (*) On system boot and shutdown there is no problem. It's when the administrator uses /etc/init.d/postgresql to start or stop the database that there is potential for attack. http://www.redhat.com/archives/fedora-devel-list/2004-July/msg01314.html I have also started a similar discussion on the Fedora development list about this issue, see the above URL. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page --Boundary-00=_k5IBBE2GPW9IlXo-- -- To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org --BOKacYhQ+x31HxR3--