From owner-freebsd-security Fri Aug 21 04:46:07 1998
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA21109 for freebsd-security-outgoing; Fri, 21 Aug 1998 04:46:07 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id EAA21058 for ; Fri, 21 Aug 1998 04:46:02 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id HAA21293; Fri, 21 Aug 1998 07:45:15 -0400 (EDT)
Date: Fri, 21 Aug 1998 07:45:14 -0400 (EDT)
From: Robert Watson 
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson 
To: "Jordan K. Hubbard" 
cc: security@FreeBSD.ORG
Subject: Re: Scaring the bezeesus out of your system admin as a normal user:
In-Reply-To: <29367.903682974@time.cdrom.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 21 Aug 1998, Jordan K. Hubbard wrote:

> % logger -p auth.notice -t su crackman to root on ttyp1
>
> I'd suggest that /var/run/log should have 0600 permissions but that
> would certainly screw over a few of syslog(3)'s current users.
>
> Hmmmm. No quick ideas here. :)
>
> - Jordan

I noticed this possibility a while back, and the only conclusion I reached
was that sticking the uid of the source process in the log line might be
useful. That is, before accepting any log lines, the log daemon requires
that the process on the other end of the unix domain socket pass the
credentials using SOL_SOCKET/SCM_CREDS and sendmsg. Then, all log entries
have the numeric uid attached somewhere. Modify the log library calls to do
this. Then move any logging lines as appropriate -- that is, a successful
su will generate all of its log messages either as the destination user,
or as root.

Now any forged messages will have the wrong uid associated with them.
There are still opportunities for abuse (such as network logging, suid
programs, etc) but this does specifically address the su issue.

Of course, then someone will have to forward the log message to
freebsd-security so we can answer "oh, it's forged" for them.

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
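The receiving side of what Robert describes, as an added example that is not code from the thread or from FreeBSD's syslogd: a daemon that refuses any log datagram arriving on the unix domain socket without kernel-attached sender credentials, and reads the numeric uid out of the SCM_CREDS control message. It assumes the receiver opts in with LOCAL_CREDS on FreeBSD (so unmodified senders such as logger(1) need no change) and, for portability, the equivalent SO_PASSCRED / SCM_CREDENTIALS on Linux; the sample line is constructed.

```c
#define _GNU_SOURCE              /* Linux: needed for struct ucred */
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/un.h>

#ifdef SCM_CREDENTIALS           /* Linux: SO_PASSCRED -> SCM_CREDENTIALS / struct ucred */
#define CRED_TYPE SCM_CREDENTIALS
#define CRED_SIZE sizeof(struct ucred)
static int enable_creds(int fd) { int on = 1; return setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &on, sizeof on); }
static uid_t cred_uid(const void *p) { return ((const struct ucred *)p)->uid; }
#else                            /* FreeBSD: LOCAL_CREDS -> SCM_CREDS / struct cmsgcred, as in the thread */
#define CRED_TYPE SCM_CREDS
#define CRED_SIZE sizeof(struct cmsgcred)
static int enable_creds(int fd) { int on = 1; return setsockopt(fd, 0, LOCAL_CREDS, &on, sizeof on); }
static uid_t cred_uid(const void *p) { return ((const struct cmsgcred *)p)->cmcred_uid; }
#endif

/* Receive one log datagram plus the kernel-attached uid of whoever sent it.
 * Returns the line length, or -1 when no credentials arrived (drop such lines). */
ssize_t recv_log_with_uid(int fd, char *buf, size_t len, uid_t *uid)
{
    char cbuf[CMSG_SPACE(CRED_SIZE)];
    struct iovec iov = { buf, len };
    struct msghdr mh = { 0 };
    mh.msg_iov = &iov; mh.msg_iovlen = 1;
    mh.msg_control = cbuf; mh.msg_controllen = sizeof cbuf;
    ssize_t n = recvmsg(fd, &mh, 0);
    if (n < 0) return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&mh); c; c = CMSG_NXTHDR(&mh, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == CRED_TYPE) {
            *uid = cred_uid(CMSG_DATA(c));
            return n;
        }
    return -1;
}

/* Demo over a socketpair: the sender writes a plain line (as logger(1) would) and
 * the receiver learns the sender's real uid, which the sender cannot choose. */
long demo_logged_uid(void)
{
    int sv[2]; char buf[256]; uid_t uid = (uid_t)-1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0 || enable_creds(sv[1]) < 0) return -1;
    const char *line = "su: crackman to root on ttyp1";  /* constructed sample line */
    ssize_t n = send(sv[0], line, strlen(line), 0) < 0 ? -1
              : recv_log_with_uid(sv[1], buf, sizeof buf - 1, &uid);
    close(sv[0]); close(sv[1]);
    return n < 0 ? -1 : (long)uid;   /* -1: no credentials, line rejected */
}
```

A syslogd built this way still has the gaps Robert lists (network logging, suid programs), since the uid only says which process wrote the line, not whether the text is true.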