Date: Fri, 21 Aug 1998 07:45:14 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
To: "Jordan K. Hubbard" <jkh@time.cdrom.com>
Cc: security@FreeBSD.ORG
Subject: Re: Scaring the bezeesus out of your system admin as a normal user:
Message-ID: <Pine.BSF.3.96.980821074059.21275B-100000@fledge.watson.org>
In-Reply-To: <29367.903682974@time.cdrom.com>
On Fri, 21 Aug 1998, Jordan K. Hubbard wrote:

> % logger -p auth.notice -t su crackman to root on ttyp1
>
> I'd suggest that /var/run/log should have 0600 permissions but that
> would certainly screw over a few of syslog(3)'s current users.
>
> Hmmmm. No quick ideas here. :)
>
> - Jordan

I noticed this possibility a while back, and the only conclusion I reached
was that sticking the uid of the source process in the log line might be
useful. That is, before accepting any log lines, the log daemon requires
that the process on the other end of the unix domain socket pass the
credentials using SOL_SOCKET/SCM_CREDS and sendmsg. Then, all log entries
have the numeric uid attached somewhere. Modify the log library calls to do
this. Then move any logging lines as appropriate -- that is, a successful
su will generate all of its log messages either as the destination user, or
as root. Now any forged messages will have the wrong uid associated with
them.

There are still opportunities for abuse (such as network logging, suid
programs, etc) but this does specifically address the su issue.

Of course, then someone will have to forward the log message to
freebsd-security so we can answer "oh, it's forged" for them.

  Robert N Watson
  Carnegie Mellon University            http://www.cmu.edu/
  TIS Labs at Network Associates, Inc.  http://www.tis.com/
  SafePort Network Services             http://www.safeport.com/
  robert@fledge.watson.org              http://www.watson.org/~robert/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
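As an added example, not code from this mail or from FreeBSD's syslogd: a small round trip showing the credential-passing idea the reply describes, with one end of a socketpair playing a syslog(3) client and the other playing the log daemon. It uses Linux's SO_PASSCRED/SCM_CREDENTIALS, the counterpart of the FreeBSD SCM_CREDS mechanism named in the mail; on either system the kernel, not the sending process, fills in the uid, which is what makes the attached uid trustworthy. The socketpair, the "su" tag, the sample line, the `passed_cred` struct and the helper names are constructed for this example.

```c
#define _GNU_SOURCE            /* glibc exposes SCM_CREDENTIALS under this */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>

/* Linux ABI value for the SCM_CREDENTIALS cmsg type, in case the feature
 * macro above was evaluated too late to expose the name. */
#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02
#endif

/* Same layout as Linux's struct ucred (pid, uid, gid), declared locally so
 * the example does not depend on header feature-test ordering.  On FreeBSD
 * the equivalent is struct cmsgcred delivered with SCM_CREDS. */
struct passed_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Daemon side: receive one datagram on a unix socket with SO_PASSCRED set
 * and copy the kernel-filled sender credentials into *cred.  Returns the
 * payload length, or -1 when no credentials arrived; a logger following the
 * mail's rule would then drop the line instead of trusting its contents. */
static ssize_t recv_with_cred(int fd, char *buf, size_t buflen,
                              struct passed_cred *cred)
{
    struct iovec iov = { .iov_base = buf, .iov_len = buflen };
    union {
        struct cmsghdr hdr;
        char bytes[CMSG_SPACE(sizeof(struct passed_cred))];
    } ctl;
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctl.bytes;
    msg.msg_controllen = sizeof ctl.bytes;

    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0)
        return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c != NULL; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS) {
            memcpy(cred, CMSG_DATA(c), sizeof *cred);
            return n;
        }
    }
    return -1;   /* sender supplied text but the kernel attached no identity */
}

/* Render the line as the mail proposes: the sender's text plus the uid the
 * kernel vouches for, so a reader can see who really wrote it. */
static int format_logged_line(char *out, size_t outlen, const char *tag,
                              const char *text, const struct passed_cred *cred)
{
    return snprintf(out, outlen, "%s[uid=%ld]: %s", tag, (long)cred->uid, text);
}

/* A genuine su logs either as root or as the destination user.  A "to
 * <target>" line whose kernel-verified sender uid is neither is forged. */
static int su_line_plausible(uid_t sender_uid, uid_t target_uid)
{
    return sender_uid == 0 || sender_uid == target_uid;
}

/* Round trip over a socketpair.  Returns 1 when the credentials the daemon
 * end received match the real uid and pid of the sending process. */
int demo_roundtrip(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return 0;
    int on = 1;
    /* The daemon end asks the kernel to attach sender credentials. */
    if (setsockopt(sv[1], SOL_SOCKET, SO_PASSCRED, &on, sizeof on) < 0)
        return 0;

    /* Constructed sample: the forged su line from the mail, as sent by a client. */
    const char *payload = "crackman to root on ttyp1";
    if (send(sv[0], payload, strlen(payload), 0) < 0)
        return 0;

    char buf[256];
    struct passed_cred cred;
    ssize_t n = recv_with_cred(sv[1], buf, sizeof buf - 1, &cred);
    close(sv[0]);
    close(sv[1]);
    if (n < 0)
        return 0;
    buf[n] = '\0';

    char line[512];
    format_logged_line(line, sizeof line, "su", buf, &cred);
    printf("%s\n", line);   /* e.g. su[uid=1000]: crackman to root on ttyp1 */

    return cred.uid == getuid() && cred.pid == getpid();
}

int main(void)
{
    return demo_roundtrip() ? 0 : 1;
}
```

Run as an unprivileged user, the printed line carries that user's uid next to the "to root" text, which is exactly the mismatch the reply says would expose a forged su message; `su_line_plausible` is the corresponding check a log reader or daemon could apply.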