Date: Fri, 18 Oct 1996 00:42:18 -0500 (CDT)
From: Karl Denninger <karl@Mcs.Net>
To: gibbs@freefall.freebsd.org (Justin T. Gibbs)
Cc: karl@Mcs.Net, jdp@polstra.com, ache@nagual.ru, guido@gvr.win.tue.nl, thorpej@nas.nasa.gov, phk@critter.tfs.com, freebsd-hackers@freebsd.org, tech-userlevel@NetBSD.ORG
Subject: Re: cvs commit: src/lib/libc/db/hash hash_buf.c
Message-ID: <199610180542.AAA11030@Jupiter.Mcs.Net>
In-Reply-To: <199610180533.WAA26215@freefall.freebsd.org> from "Justin T. Gibbs" at Oct 17, 96 10:33:46 pm
> >Forcing ANYTHING that touches authentication to refuse to dump core is not
> >the answer. Yet that is the only answer that you leave available.
> >
> >Worse, that doesn't even BEGIN to address the problems that come about if
> >you can ptrace() the process -- which, for something like this, is a REAL
> >problem.
> >
> >You MUST be able to *know* that all privileged data has been nuked BEFORE
> >you relinquish privileged operation. This isn't an option folks -- it's a
> >REQUIREMENT for security reasons.
> >
> >Figure it out. ftpd is not the only affected program here; just the most
> >commonly known and exploited.
>
> Did you miss a portion of this thread? I think that Jason already
> addressed all of these issues.

I don't think so. Please enlighten me.

> The program can core dump, the core dump will simply only be readable
> by root.

IMHO, and sorry for being blunt, but that's a crock. So now you're going to
drop a core file in a user's directory that's root and mode 700 -- regardless
of how umask is set, etc? It's better to not have the problem in the first
place.

> There are already protections enforced to disallow non-privileged users
> from ptracing programs that are setuid/setgid.

A program which calls setuid() isn't SUID any more. Once done, that's
terminal (and can't be "recalled").

The problem here is that authentication data must be able to be *known*
destroyed in the data segment BEFORE a non-privileged user can get to the
image of the data segment via any means -- ptrace, procfs, core dumps, etc.

If you do that, you get rid of the entire problem -- and if done in the
libraries it's not just ftpd that this fixes.

What's the objection to clearing possibly-contaminated structures when a
program signifies it's done with a privileged resource?

> --
> Justin T. Gibbs
> ===========================================
> FreeBSD: Turning PCs into workstations
> ===========================================

--
--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1 from $600 monthly; speeds to DS-3 available
                             | 23 Chicagoland Prefixes, 13 ISDN, much more
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax:   [+1 312 248-9865]     | Home of Chicago's only FULL Clarinet feed!
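As an added example (not code from this thread or from FreeBSD/NetBSD), one way a library-level helper could implement the "known destroyed before privilege is relinquished" step argued for above. The `auth_ctx` layout and field sizes are constructed for illustration; the wipe goes through a volatile function pointer so the compiler cannot drop the final store to a buffer it considers dead, and the caller verifies the scrub before `setuid()` makes the image reachable by the unprivileged user.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed example of the kind of in-memory authentication state the
 * message says must be provably gone before privilege is dropped. */
struct auth_ctx {
    char user[32];
    char password[128];
    char crypt_hash[64];
};

/* memset reached through a volatile pointer: the compiler must assume the
 * call has side effects, so the scrub of a soon-unused buffer survives
 * dead-store elimination. (explicit_bzero() is the modern BSD/libc answer.) */
static void *(*volatile wipe_memset)(void *, int, size_t) = memset;

void secure_wipe(void *p, size_t n)
{
    wipe_memset(p, 0, n);
}

/* Constant-time-ish check that [p, p+n) is all zero: 1 if wiped, else 0. */
int is_wiped(const void *p, size_t n)
{
    const unsigned char *b = p;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= b[i];
    return acc == 0;
}

/* Scrub first, verify, THEN drop privilege. Once setuid(target) succeeds the
 * process is no longer set-id, so ptrace/procfs/core dumps by `target` are
 * fair game; nothing sensitive may remain in the data segment at that point.
 * Returns 0 on success, -1 if the scrub or the privilege drop failed. */
int finish_auth_and_drop(struct auth_ctx *ctx, uid_t target)
{
    secure_wipe(ctx, sizeof *ctx);
    if (!is_wiped(ctx, sizeof *ctx))
        return -1;                      /* refuse to continue with secrets live */
    if (getuid() == 0 || geteuid() == 0) {
        if (setuid(target) != 0)        /* only meaningful if we hold root */
            return -1;
    }
    return 0;
}
```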