From owner-freebsd-security Sun Aug 25 21:13:24 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA15771 for security-outgoing; Sun, 25 Aug 1996 21:13:24 -0700 (PDT)
Received: from kdat.calpoly.edu (kdat.csc.calpoly.edu [129.65.54.101]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id VAA15764 for ; Sun, 25 Aug 1996 21:13:22 -0700 (PDT)
Received: (from nlawson@localhost) by kdat.calpoly.edu (8.6.12/N8) id VAA16519; Sun, 25 Aug 1996 21:13:13 -0700
From: Nathan Lawson
Message-Id: <199608260413.VAA16519@kdat.calpoly.edu>
Subject: Re: Xt Vulnerability and suggested exec patch
To: gene@starkhome.cs.sunysb.edu (Gene Stark)
Date: Sun, 25 Aug 1996 21:13:13 -0700 (PDT)
Cc: freebsd-security@freebsd.org
In-Reply-To: <199608260330.XAA12903@starkhome.cs.sunysb.edu> from "Gene Stark" at Aug 25, 96 11:30:42 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> This is the worst one yet for me.  A crazy idea occurred to me, what do
> other people think?  Why not nip all this stuff in the bud by changing the
> semantics of exec() so that setuid privilege is turned off unless the
> program has previously executed a (new) system call that says "I really
> want setuid privileges to be passed to my children."

No.  Since this is an overflow problem, the exploiter can execute arbitrary
assembly code on the target.  This can be any system call and the OS has no
way of knowing whether the program wishes to make this call or has been
subverted to do so.  In your proposed OS, the assembly code would be
"exec /bin/sh, and yes, I do want setuid privileges passed to my children."

-- 
Nate Lawson          "There are a thousand hacking at the branches of
CPE Senior            evil to one who is striking at the root."
CSL Admin                   -- Henry David Thoreau, 'Walden', 1854
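The argument above can be run as a small model. The following C program is an added example, not code from the message or from FreeBSD: a toy "kernel" implementing the proposed exec() semantics (a per-process opt-in flag, honoured by exec), a setuid-root program that never opts in, and an attacker payload standing in for the injected assembly code. All names (struct proc, sys_want_setuid_children, sys_exec, run_setuid_program, payload_optin_then_shell) are hypothetical. The overflow itself is not reproduced; arbitrary code execution is modelled as a function pointer the attacker gets to supply, which is all the argument needs. Going one step beyond the message, the last two functions show the contrast: privilege given up irrevocably before untrusted input is touched is state the payload cannot get back.

```c
#include <stdbool.h>
#include <stdio.h>

/* Per-process state as the toy kernel keeps it (hypothetical fields). */
struct proc {
    int  real_uid;            /* uid of the user who ran the program         */
    int  saved_uid;           /* uid granted by the setuid bit (0 = root)    */
    bool wants_setuid_child;  /* set only by the proposed opt-in system call */
};

/* The proposed new system call: "I really want setuid privileges passed
 * to my children." (hypothetical) */
static void sys_want_setuid_children(struct proc *p)
{
    p->wants_setuid_child = true;
}

/* The proposed exec(): the new image keeps setuid privilege only if the
 * process opted in first. Returns the effective uid the child starts with. */
static int sys_exec(const struct proc *p, const char *path)
{
    (void)path;  /* the path does not matter to the policy */
    return p->wants_setuid_child ? p->saved_uid : p->real_uid;
}

/* Attacker-controlled code. In the real attack this is the shellcode the
 * overflow jumps to; here it is a plain function pointer, which is enough
 * to show that the kernel cannot tell the two callers apart. */
typedef int (*payload_fn)(struct proc *);

/* A setuid-root program that never calls the opt-in. The overflow is
 * modelled by letting the caller supply the code that runs while input is
 * being "processed"; NULL means the input was benign. */
static int run_setuid_program(struct proc *p, payload_fn injected)
{
    p->real_uid = 1000;
    p->saved_uid = 0;
    p->wants_setuid_child = false;
    if (injected != NULL)
        return injected(p);               /* control flow hijacked by the overflow */
    return sys_exec(p, "/usr/bin/less");  /* legitimate child: no setuid, as intended */
}

/* The exploit the message describes, written against the proposed
 * semantics: opt in, then exec /bin/sh. */
static int payload_optin_then_shell(struct proc *p)
{
    sys_want_setuid_children(p);  /* "yes, I do want setuid privileges passed" */
    return sys_exec(p, "/bin/sh");
}

/* Beyond the message, for contrast: state the payload cannot reach. If the
 * program irrevocably gives up its saved uid before it looks at untrusted
 * input (what setuid(getuid()) does in a setuid-root program), code that
 * runs in the process later has nothing left to opt back into. */
static void sys_drop_saved_uid(struct proc *p)
{
    p->saved_uid = p->real_uid;
}

static int run_program_that_drops_first(struct proc *p, payload_fn injected)
{
    p->real_uid = 1000;
    p->saved_uid = 0;
    p->wants_setuid_child = false;
    sys_drop_saved_uid(p);  /* happens before any attacker-controlled code runs */
    if (injected != NULL)
        return injected(p);
    return sys_exec(p, "/usr/bin/less");
}

int main(void)
{
    struct proc p;
    printf("benign input, opt-in policy:     child euid %d\n",
           run_setuid_program(&p, NULL));
    printf("overflow payload, opt-in policy: child euid %d\n",
           run_setuid_program(&p, payload_optin_then_shell));
    printf("overflow payload, drop-first:    child euid %d\n",
           run_program_that_drops_first(&p, payload_optin_then_shell));
    return 0;
}
```

The second line of output is the whole objection: the program never opted in, yet the child of the hijacked process starts as root, because the opt-in call and the exec call are both issued by code the kernel has no way to distinguish from the program's own. The third line shows why ordering matters more than a new flag: a privilege dropped before the attacker's code runs is not attacker-controlled state.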