Date: Sun, 22 Feb 2004 19:48:52 -0800 From: Tim Kientzle <tim@kientzle.com> To: David Schultz <das@FreeBSD.ORG> Cc: kientzle@acm.org Subject: Re: cvs commit: src/sbin/nologin Makefile nologin.c Message-ID: <40397824.3080607@kientzle.com> In-Reply-To: <20040223025647.GA43467@VARK.homeunix.com> References: <200402221003.i1MA3PW0024791@repoman.freebsd.org> <403944D8.6050107@kientzle.com> <20040223025647.GA43467@VARK.homeunix.com>
next in thread | previous in thread | raw e-mail | index | archive | help
David Schultz wrote: > On Sun, Feb 22, 2004, Tim Kientzle wrote: >>Colin Percival wrote: >> >>> Report login attempts to syslog. Due to the statically-linked nature of >>> nologin(8) ... >> >>Why is nologin statically linked? > > Because of environment-poisoning attacks such as the following: > > das@VARK:~> setenv LD_LIBRARY_PATH /home/das/exploit > das@VARK:~> \login -p test > > This attack was executed with a dynamically-linked /sbin/nologin > and a special libc.so.5 in the /home/das/exploit directory that > replaces the _exit() stub with a routine that spawns a shell. Hmmmm.... Several other solutions come immediately to mind: * Handle this in pam (or even in login) (Just check if the user's shell is /sbin/nologin and reject the login if it is.) * Install /sbin/nologin setuid nobody or setgid nogroup That would disable LD_LIBRARY_PATH processing for it. * Have login -p not pass LD_LIBRARY_PATH Of these, the first is arguably the best, the second easiest to implement. The third I'm unsure about; I can't really picture a scenario where login -p should pass LD_LIBRARY_PATH, but that's hardly conclusive. I agree, by the way, that there should be a way to "mark" a program as ignoring LD_LIBRARY_PATH at compile-time (other than making it setuid/setgid). Tim Kientzle
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?40397824.3080607>