From owner-freebsd-audit Sun Sep 2 1:12:44 2001 Delivered-To: freebsd-audit@freebsd.org Received: from arb.arb.za.net (arb.arb.za.net [196.7.148.4]) by hub.freebsd.org (Postfix) with ESMTP id 80FD337B407; Sun, 2 Sep 2001 01:12:33 -0700 (PDT) Received: (from uucp@localhost) by arb.arb.za.net (8.11.3/8.11.3) with UUCP id f828C7443777; Sun, 2 Sep 2001 10:12:07 +0200 (SAST) (envelope-from mark@grondar.za) Received: from grondar.za (localhost [127.0.0.1]) by grimreaper.grondar.za (8.11.6/8.11.4) with ESMTP id f81J3jH04734; Sat, 1 Sep 2001 20:03:45 +0100 (BST) (envelope-from mark@grondar.za) Message-Id: <200109011903.f81J3jH04734@grimreaper.grondar.za> To: Joerg Wunsch Cc: audit@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: -a in opiekey(1) doesn't work References: <20010829171034.A69622@nagual.pp.ru> In-Reply-To: <20010829171034.A69622@nagual.pp.ru> ; from "Andrey A. Chernov" "Wed, 29 Aug 2001 17:10:36 +0400." Date: Sat, 01 Sep 2001 20:03:45 +0100 
From: Mark Murray Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Said "Andrey A. Chernov" : > On Wed, Aug 29, 2001 at 12:58:44 +0200, Joerg Wunsch wrote: > > - if (!(flags & 2) && opiepasscheck(secret)) { > > + if (!(flags & 2) && !aflag && opiepasscheck(secret)) { > > Ok from me. And me. M -- Mark Murray Warning: this .sig is umop ap!sdn To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Sun Sep 2 19:35:24 2001 Delivered-To: freebsd-audit@freebsd.org Received: from rover.village.org (rover.bsdimp.com [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id 9E8CC37B506; Sun, 2 Sep 2001 19:35:17 -0700 (PDT) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.3/8.11.3) with ESMTP id f832ZGX13046; Sun, 2 Sep 2001 20:35:16 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.11.3/8.11.4) with ESMTP id f832ZFh22600; Sun, 2 Sep 2001 20:35:15 -0600 (MDT) (envelope-from imp@harmony.village.org) Message-Id: <200109030235.f832ZFh22600@harmony.village.org> To: Mike Barcroft Subject: Re: users.c PATCH - please review Cc: David Hill , audit@FreeBSD.ORG In-reply-to: Your message of "Sat, 01 Sep 2001 12:58:02 EDT." <20010901125802.F85574@coffee.q9media.com> References: <20010901125802.F85574@coffee.q9media.com> <20010831160414.7125e88e.david@phobia.ms> Date: Sun, 02 Sep 2001 20:35:14 -0600 
From: Warner Losh Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG In message <20010901125802.F85574@coffee.q9media.com> Mike Barcroft writes: : David Hill writes: : > I have patched users/users.c so that it will compile under WARNS?=2. I have both attached and cut/pasted it to the message. : > Please review it. : : > diff -ru /usr/src/usr.bin/users.orig/users.c /usr/src/usr.bin/users/users.c : > --- /usr/src/usr.bin/users.orig/users.c Fri Aug 27 21:07:14 1999 : > +++ /usr/src/usr.bin/users/users.c Fri Aug 31 15:58:20 2001 : > @@ -117,5 +117,8 @@ : > scmp(p, q) : > const void *p, *q; : > { : > - return(strncmp((char *)p, (char *)q, UT_NAMESIZE)); : > + const char *const pp1 = p; : > + const char *const pp2 = q; : > + : > + return(strncmp(pp1, pp2, UT_NAMESIZE)); : > } : : Why create new local variables? Just get rid of the bogus casts. Why not just return (strncmp((const char *)p, (const char *)q, UT_NAMESIZE)); Also, const char *const is wrong. No need for the second const. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Sun Sep 2 22:54:56 2001 Delivered-To: freebsd-audit@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-54.dsl.lsan03.pacbell.net [63.207.60.54]) by hub.freebsd.org (Postfix) with ESMTP id 61E9637B403 for ; Sun, 2 Sep 2001 22:54:46 -0700 (PDT) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id DC56D66DE1; Sun, 2 Sep 2001 22:54:45 -0700 (PDT) Date: Sun, 2 Sep 2001 22:54:45 -0700 
From: Kris Kennaway To: audit@FreeBSD.org Subject: issetugid checks revisited Message-ID: <20010902225445.A27902@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="BXVAT5kNtrzKuDFl" Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG --BXVAT5kNtrzKuDFl Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable I posted a broken version of this a few weeks ago. I think this updated version fixes all of the bugs..reviews, please? Kris Index: lib/libc/db/test/dbtest.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libc/db/test/dbtest.c,v retrieving revision 1.4 diff -u -r1.4 dbtest.c --- lib/libc/db/test/dbtest.c 2000/08/04 10:50:21 1.4 +++ lib/libc/db/test/dbtest.c 2001/08/20 07:44:18 @@ -52,6 +52,7 @@ #include #include #include +#include #include #include #include 
@@ -155,9 +156,8 @@ * want it around, and it often screws up tests. */ if (fname =3D=3D NULL) { - p =3D getenv("TMPDIR"); - if (p =3D=3D NULL) - p =3D "/var/tmp"; + if (issetugid() !=3D 0 || (p =3D getenv("TMPDIR")) =3D=3D NULL); + p =3D _PATH_VARTMP; (void)snprintf(buf, sizeof(buf), "%s/__dbtest", p); fname =3D buf; (void)unlink(buf); Index: lib/libc/gen/exec.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libc/gen/exec.c,v retrieving revision 1.17 diff -u -r1.17 exec.c --- lib/libc/gen/exec.c 2001/08/13 14:06:21 1.17 +++ lib/libc/gen/exec.c 2001/08/20 07:45:03 @@ -222,7 +222,7 @@ } =20 /* Get the path we're searching. */ - if (!(path =3D getenv("PATH"))) + if (issetugid() !=3D 0 || (path =3D getenv("PATH")) =3D=3D NULL) path =3D _PATH_DEFPATH; cur =3D alloca(strlen(path) + 1); if (cur =3D=3D NULL) { Index: lib/libc/rpc/getnetpath.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libc/rpc/getnetpath.c,v retrieving revision 1.1 diff -u -r1.1 getnetpath.c --- lib/libc/rpc/getnetpath.c 2001/03/19 12:49:51 1.1 +++ lib/libc/rpc/getnetpath.c 2001/08/19 04:35:18 
@@ -105,7 +105,7 @@ } np_sessionp->valid =3D NP_VALID; np_sessionp->ncp_list =3D NULL; - if ((npp =3D getenv(NETPATH)) =3D=3D NULL) { + if (issetugid() !=3D 0 || (npp =3D getenv(NETPATH)) =3D=3D NULL) { np_sessionp->netpath =3D NULL; } else { (void) endnetconfig(np_sessionp->nc_handlep);/* won't need nc session*/ Index: lib/libc/stdio/tmpfile.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libc/stdio/tmpfile.c,v retrieving revision 1.6 diff -u -r1.6 tmpfile.c --- lib/libc/stdio/tmpfile.c 2001/07/07 04:08:32 1.6 +++ lib/libc/stdio/tmpfile.c 2001/08/20 07:45:29 @@ -61,8 +61,7 @@ char *buf; const char *tmpdir; =20 - tmpdir =3D getenv("TMPDIR"); - if (tmpdir =3D=3D NULL) + if (issetugid() !=3D 0 || (tmpdir =3D getenv("TMPDIR")) =3D=3D NULL) tmpdir =3D _PATH_TMP; =20 (void)asprintf(&buf, "%s%s%s", tmpdir, Index: lib/libc_r/uthread/uthread_info.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libc_r/uthread/uthread_info.c,v retrieving revision 1.20 diff -u -r1.20 uthread_info.c --- lib/libc_r/uthread/uthread_info.c 2001/08/11 05:16:00 1.20 +++ lib/libc_r/uthread/uthread_info.c 2001/08/20 07:46:25 @@ -31,13 +31,14 @@ * * $FreeBSD: src/lib/libc_r/uthread/uthread_info.c,v 1.20 2001/08/11 05:16= :00 imp Exp $ */ +#include +#include #include #include -#include #include -#include +#include #include -#include +#include #include "pthread_private.h" =20 #ifndef NELEMENTS 
@@ -85,15 +86,18 @@ int fd; int i; pthread_t pthread; - char tmpfile[128]; + char *tmpdir; + char tmpfile[PATH_MAX]; pq_list_t *pq_list; =20 + if (issetugid() !=3D 0 || (tmpdir =3D getenv("TMPDIR")) =3D=3D NULL) + tmpdir =3D _PATH_TMP; for (i =3D 0; i < 100000; i++) { - snprintf(tmpfile, sizeof(tmpfile), "/tmp/uthread.dump.%u.%i", - getpid(), i); + snprintf(tmpfile, sizeof(tmpfile), "%s/uthread.dump.%u.%i", + tmpdir, getpid(), i); /* Open the dump file for append and create it if necessary: */ if ((fd =3D __sys_open(tmpfile, O_RDWR | O_CREAT | O_EXCL, - 0666)) < 0) { + 0644)) < 0) { /* Can't open the dump file. */ if (errno =3D=3D EEXIST) continue; Index: lib/libcompat/4.3/rexec.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libcompat/4.3/rexec.c,v retrieving revision 1.6 diff -u -r1.6 rexec.c --- lib/libcompat/4.3/rexec.c 2000/08/04 11:15:48 1.6 +++ lib/libcompat/4.3/rexec.c 2001/08/20 10:23:33 @@ -52,6 +52,7 @@ #include #include #include +#include #include #include =20 
@@ -144,8 +145,15 @@ char myname[MAXHOSTNAMELEN], *mydomain; int t, i, c, usedefault =3D 0; struct stat stb; + struct passwd *pwd; =20 - hdir =3D getenv("HOME"); + if (issetugid() !=3D 0 || (hdir =3D getenv("HOME")) =3D=3D NULL) { + pwd =3D getpwuid(getuid()); + if (pwd =3D=3D NULL) + return (0); + hdir =3D pwd->pw_dir; + } + if (hdir =3D=3D NULL) hdir =3D "."; if (strlen(hdir) + 8 > sizeof(buf)) Index: lib/libncp/ncpl_rcfile.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/lib/libncp/ncpl_rcfile.c,v retrieving revision 1.3 diff -u -r1.3 ncpl_rcfile.c --- lib/libncp/ncpl_rcfile.c 2000/05/26 02:00:20 1.3 +++ lib/libncp/ncpl_rcfile.c 2001/08/20 10:23:08 @@ -389,8 +389,15 @@ ncp_open_rcfile(void) { char *home, *fn; int error; + struct passwd *pwd; =20 - home =3D getenv("HOME"); + if (issetugid() !=3D 0 || (home =3D getenv("HOME")) =3D=3D NULL) { + pwd =3D getpwuid(getuid()); + if (pwd =3D=3D NULL) + return 0; + home =3D pwd->pw_dir; + } + if (home) { fn =3D malloc(strlen(home) + 20); sprintf(fn, "%s/.nwfsrc", home); Index: gnu/lib/libdialog/rc.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /mnt/ncvs/src/gnu/lib/libdialog/rc.c,v retrieving revision 1.2 diff -u -r1.2 rc.c --- gnu/lib/libdialog/rc.c 1994/10/20 21:56:43 1.2 +++ gnu/lib/libdialog/rc.c 2001/08/20 07:55:27 @@ -86,8 +86,8 @@ int parse_rc(void) { int i, l =3D 1, parse, fg, bg, hl; - unsigned char str[MAX_LEN+1], *var, *value, *tempptr; - FILE *rc_file; + unsigned char str[MAX_LEN+1], *var, *value, *tempptr =3D NULL; + FILE *rc_file =3D NULL; =20 /* * 
@@ -103,12 +103,12 @@ * */ =20 - if ((tempptr =3D getenv("DIALOGRC")) !=3D NULL) + if (issetugid() =3D=3D 0 && (tempptr =3D getenv("DIALOGRC")) !=3D NULL) rc_file =3D fopen(tempptr, "rt"); =20 if (tempptr =3D=3D NULL || rc_file =3D=3D NULL) { /* step (a) failed?= */ /* try step (b) */ - if ((tempptr =3D getenv("HOME")) =3D=3D NULL) + if (issetugid() !=3D 0 || (tempptr =3D getenv("HOME")) =3D=3D NULL) return 0; /* step (b) failed, use default values */ =20 if (tempptr[0] =3D=3D '\0' || lastch(tempptr) =3D=3D '/') --BXVAT5kNtrzKuDFl Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7kxslWry0BWjoQKURAszbAJ9kJr3vO/qc3EWEYI39cq9YxfJUzgCeOfcc 0ggDdqHpwaWx9a3rJx6Mz/U= =KMwF -----END PGP SIGNATURE----- --BXVAT5kNtrzKuDFl-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Mon Sep 3 0:32:13 2001 Delivered-To: freebsd-audit@freebsd.org Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id C2E7937B401; Mon, 3 Sep 2001 00:31:55 -0700 (PDT) Received: (from ache@localhost) by nagual.pp.ru (8.11.6/8.11.6) id f837VrQ06082; Mon, 3 Sep 2001 11:31:53 +0400 (MSD) (envelope-from ache) Date: Mon, 3 Sep 2001 11:31:50 +0400 
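Review bot: In the lib/libc/db/test/dbtest.c hunk, the added line `if (issetugid() != 0 || (p = getenv("TMPDIR")) == NULL);` ends in a semicolon, so the `if` has an empty body and `p = _PATH_VARTMP;` runs unconditionally; TMPDIR is then ignored even for processes that are not setugid. Drop the trailing `;`. In the lib/libcompat/4.3/rexec.c hunk, an unset HOME used to fall through to `hdir = "."`, but now goes to the passwd entry and returns 0 when getpwuid() fails, which changes behaviour for non-setugid callers too and should be stated in the commit message if intended. In the lib/libc_r/uthread/uthread_info.c hunk, `tmpdir` is assigned `_PATH_TMP` and never written through, so it can be `const char *`.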
From: "Andrey A. Chernov" To: current@freebsd.org, audit@freebsd.org Subject: CFR: strtol{l}() fixes Message-ID: <20010903113148.A6055@nagual.pp.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.21i Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Fixes list: Locale *is* used in strtol()/strtoll(), at least for isspace(), so remove 'locale not used' statement from comments and BUGS section of manpage. strtol(): fix non-portable 'cutoff' calculation using the same method as in strtoll(). Cleanup 'cutoff' calculation, remove unneeded casts. Misc. cleanup to make two functions look the same. Implement EINVAL reaction per POSIX, document it in manpage, corresponding POSIX quotes here: ------------------------------------------------ If the subject sequence is empty or does not have the expected form, no conversion is performed; the value of str is stored in the object pointed to by endptr, provided that endptr is not a null pointer. If no conversion could be performed, 0 shall be returned and errno may be set to [EINVAL]. [EINVAL] The value of base is not supported. Since 0, {LONG_MIN} or {LLONG_MIN}, and {LONG_MAX} or {LLONG_MAX} are returned on error and are also valid returns on success, an application wishing to check for error situations should set errno to 0, then call strtol( ) or strtoll ( ), then check errno. ----------------------------------------------------- --- strtoll.c.old Tue Feb 27 22:50:52 2001 +++ strtoll.c Mon Sep 3 11:26:35 2001 @@ -50,7 +50,7 @@ /* * Convert a string to a long long integer. * - * Ignores `locale' stuff. Assumes that the upper and lower case + * Assumes that the upper and lower case * alphabets and digits are each contiguous. */ long long 
@@ -62,7 +62,7 @@ register const char *s; register unsigned long long acc; register unsigned char c; - register unsigned long long qbase, cutoff; + register unsigned long long cutoff; register int neg, any, cutlim; /* @@ -90,6 +90,9 @@ } if (base == 0) base = c == '0' ? 8 : 10; + any = 0; + if (base < 2 || base > 36) + goto noconv; /* * Compute the cutoff value between legal numbers and illegal @@ -106,15 +109,14 @@ * next digit is > 7 (or 8), the number is too big, and we will * return a range error. * - * Set any if any `digits' consumed; make it negative to indicate + * Set 'any' if any `digits' consumed; make it negative to indicate * overflow. */ - qbase = (unsigned)base; cutoff = neg ? (unsigned long long)-(LLONG_MIN + LLONG_MAX) + LLONG_MAX : LLONG_MAX; - cutlim = cutoff % qbase; - cutoff /= qbase; - for (acc = 0, any = 0;; c = *s++) { + cutlim = cutoff % base; + cutoff /= base; + for (acc = 0; ; c = *s++) { if (!isascii(c)) break; if (isdigit(c)) @@ -129,16 +131,19 @@ any = -1; else { any = 1; - acc *= qbase; + acc *= base; acc += c; } } if (any < 0) { acc = neg ? LLONG_MIN : LLONG_MAX; errno = ERANGE; + } else if (!any) { +noconv: + errno = EINVAL; } else if (neg) acc = -acc; - if (endptr != 0) + if (endptr != NULL) *endptr = (char *)(any ? s - 1 : nptr); return (acc); } --- strtol.c.old Fri Jul 12 22:55:24 1996 +++ strtol.c Mon Sep 3 10:54:32 2001 @@ -44,7 +44,7 @@ /* * Convert a string to a long integer. * - * Ignores `locale' stuff. Assumes that the upper and lower case + * Assumes that the upper and lower case * alphabets and digits are each contiguous. */ long 
@@ -53,25 +53,29 @@ char **endptr; register int base; { - register const char *s = nptr; + register const char *s; register unsigned long acc; register unsigned char c; register unsigned long cutoff; - register int neg = 0, any, cutlim; + register int neg, any, cutlim; /* * Skip white space and pick up leading +/- sign if any. * If base is 0, allow 0x for hex and 0 for octal, else * assume decimal; if base is already 16, allow 0x. */ + s = nptr; do { c = *s++; } while (isspace(c)); if (c == '-') { neg = 1; c = *s++; - } else if (c == '+') - c = *s++; + } else { + neg = 0; + if (c == '+') + c = *s++; + } if ((base == 0 || base == 16) && c == '0' && (*s == 'x' || *s == 'X')) { c = s[1]; @@ -80,6 +84,9 @@ } if (base == 0) base = c == '0' ? 8 : 10; + any = 0; + if (base < 2 || base > 36) + goto noconv; /* * Compute the cutoff value between legal numbers and illegal @@ -95,13 +102,14 @@ * a value > 214748364, or equal but the next digit is > 7 (or 8), * the number is too big, and we will return a range error. * - * Set any if any `digits' consumed; make it negative to indicate + * Set 'any' if any `digits' consumed; make it negative to indicate * overflow. */ - cutoff = neg ? -(unsigned long)LONG_MIN : LONG_MAX; - cutlim = cutoff % (unsigned long)base; - cutoff /= (unsigned long)base; - for (acc = 0, any = 0;; c = *s++) { + cutoff = neg ? (unsigned long)-(LONG_MIN + LONG_MAX) + LONG_MAX + : LONG_MAX; + cutlim = cutoff % base; + cutoff /= base; + for (acc = 0; ; c = *s++) { if (!isascii(c)) break; if (isdigit(c)) @@ -123,9 +131,12 @@ if (any < 0) { acc = neg ? LONG_MIN : LONG_MAX; errno = ERANGE; + } else if (!any) { +noconv: + errno = EINVAL; } else if (neg) acc = -acc; - if (endptr != 0) + if (endptr != NULL) *endptr = (char *)(any ? s - 1 : nptr); return (acc); } --- strtol.3.old Thu Mar 1 16:21:48 2001 +++ strtol.3 Mon Sep 3 10:37:53 2001 
@@ -144,9 +144,16 @@ .Sh RETURN VALUES The .Fn strtol +or +.Fn strtoll function returns the result of the conversion, unless the value would underflow or overflow. +If no conversion could be performed, 0 shall be returned and +.Va errno +will be +set to +.Er EINVAL . If an underflow occurs, .Fn strtol returns @@ -155,11 +162,6 @@ .Fn strtol returns .Dv LONG_MAX . -The -.Fn strtoll -function -returns the result of the conversion, -unless the value would underflow or overflow. If an underflow occurs, .Fn strtoll returns @@ -174,6 +176,9 @@ .Er ERANGE . .Sh ERRORS .Bl -tag -width Er +.It Bq Er EINVAL +The value of base is not supported or +no conversion could be performed. .It Bq Er ERANGE The given string was out of range; the value converted has been clamped. .El @@ -198,5 +203,3 @@ .Bx .Fn strtoq function is deprecated. -.Sh BUGS -Ignores the current locale. -- Andrey A. Chernov http://ache.pp.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Mon Sep 3 1: 0: 5 2001 Delivered-To: freebsd-audit@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id D38EC37B406 for ; Mon, 3 Sep 2001 00:59:55 -0700 (PDT) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f837xYg57495; Mon, 3 Sep 2001 10:59:34 +0300 (EEST) (envelope-from ru) Date: Mon, 3 Sep 2001 10:59:34 +0300 
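Review bot: In both strtoll.c and strtol.c, the new `goto noconv` for an unsupported base is taken before `for (acc = 0; ; c = *s++)` has run, so `acc` is still uninitialized when control reaches `return (acc)`. Initialize it together with `any` ahead of the base check (for example `acc = any = 0;`) so that the documented return value of 0 is what the caller actually gets. In the strtol.3 hunk, RETURN VALUES says errno "will be set" to EINVAL while the POSIX text quoted in the message says "may be set"; word the page so it is clear this is the behaviour of this implementation and not something portable callers can rely on.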
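Added example, not part of the original messages or of the FreeBSD patch: the caller-side check that the POSIX text quoted in the strtol()/strtoll() message above describes (clear errno, call strtol(), then inspect errno and endptr). The names `parse_long`, `parse_long_or` and the `PARSE_*` codes are hypothetical, and the base is validated by the wrapper because the quoted text says errno only "may" be set to EINVAL.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Status codes for parse_long(); names are hypothetical, chosen for this example. */
enum parse_status {
	PARSE_OK = 0,		/* the whole string was converted */
	PARSE_BAD_BASE,		/* base is not 0 and not in 2..36 */
	PARSE_NO_DIGITS,	/* empty subject sequence, no conversion performed */
	PARSE_RANGE,		/* result was clamped to LONG_MIN or LONG_MAX */
	PARSE_TRAILING		/* a number was read but characters remain after it */
};

/*
 * Convert str to a long, distinguishing every failure the quoted POSIX text
 * mentions. *out is written only on PARSE_OK; out may be NULL.
 */
enum parse_status
parse_long(const char *str, int base, long *out)
{
	char *end;
	long val;

	/* Reject the base here: an implementation is allowed not to set EINVAL. */
	if (base != 0 && (base < 2 || base > 36))
		return (PARSE_BAD_BASE);

	/* 0, LONG_MIN and LONG_MAX are valid results, so errno must start at 0. */
	errno = 0;
	val = strtol(str, &end, base);

	/* endptr == str is the portable "no conversion was performed" signal. */
	if (end == str)
		return (PARSE_NO_DIGITS);
	/* A clamped value is an error only when errno says so. */
	if (errno == ERANGE)
		return (PARSE_RANGE);
	/* Input such as "12abc" converts a prefix; treat the rest as an error. */
	if (*end != '\0')
		return (PARSE_TRAILING);

	if (out != NULL)
		*out = val;
	return (PARSE_OK);
}

/* Convenience wrapper: the parsed value, or fallback on any failure. */
long
parse_long_or(const char *str, int base, long fallback)
{
	long val;

	return (parse_long(str, base, &val) == PARSE_OK ? val : fallback);
}

int
main(void)
{
	/* Constructed sample inputs, one per outcome. */
	static const char *samples[] = {
		"42", "  -0x1f", "0", "", "abc", "12abc",
		"99999999999999999999999"
	};
	static const char *names[] = {
		"ok", "bad base", "no digits", "out of range", "trailing characters"
	};
	size_t i;
	long val;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		enum parse_status st = parse_long(samples[i], 0, &val);

		if (st == PARSE_OK)
			printf("\"%s\" -> %ld\n", samples[i], val);
		else
			printf("\"%s\" -> error: %s\n", samples[i], names[st]);
	}
	return (0);
}
```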
From: Ruslan Ermilov To: Kris Kennaway Cc: audit@FreeBSD.ORG Subject: Re: issetugid checks revisited Message-ID: <20010903105934.C49997@sunbay.com> References: <20010902225445.A27902@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010902225445.A27902@xor.obsecurity.org>; from kris@obsecurity.org on Sun, Sep 02, 2001 at 10:54:45PM -0700 Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Sun, Sep 02, 2001 at 10:54:45PM -0700, Kris Kennaway wrote: > I posted a broken version of this a few weeks ago. I think this > updated version fixes all of the bugs..reviews, please? > issetugid() is boolean, no need for ``!= 0''. > Index: lib/libc/rpc/getnetpath.c > Missing ``include ''. > Index: lib/libc_r/uthread/uthread_info.c > [...] > +#include > +#include > #include > #include > -#include > #include > -#include > +#include > #include > -#include > +#include > #include "pthread_private.h" > Sort includes in a separate commit? [...] > - char tmpfile[128]; > + char *tmpdir; > + char tmpfile[PATH_MAX]; > Missing `const' qualifier. > Index: lib/libcompat/4.3/rexec.c > [...] 
> @@ -144,8 +145,15 @@ > char myname[MAXHOSTNAMELEN], *mydomain; > int t, i, c, usedefault = 0; > struct stat stb; > + struct passwd *pwd; > > - hdir = getenv("HOME"); > + if (issetugid() != 0 || (hdir = getenv("HOME")) == NULL) { > + pwd = getpwuid(getuid()); > + if (pwd == NULL) > + return (0); > + hdir = pwd->pw_dir; > + } > + > if (hdir == NULL) > hdir = "."; > if (strlen(hdir) + 8 > sizeof(buf)) > Hmm, you are changing the semantics of the ruserpass() function, even if it's not setugid, and the HOME variable isn't set. Is this intentional? > Index: gnu/lib/libdialog/rc.c > =================================================================== > - unsigned char str[MAX_LEN+1], *var, *value, *tempptr; > - FILE *rc_file; > + unsigned char str[MAX_LEN+1], *var, *value, *tempptr = NULL; > + FILE *rc_file = NULL; > > /* > * > @@ -103,12 +103,12 @@ > * > */ > > - if ((tempptr = getenv("DIALOGRC")) != NULL) > + if (issetugid() == 0 && (tempptr = getenv("DIALOGRC")) != NULL) > rc_file = fopen(tempptr, "rt"); > How about: else tempptr = rc_file = NULL; instead on initializations above? Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Mon Sep 3 9:25:14 2001 Delivered-To: freebsd-audit@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 0A68137B408; Mon, 3 Sep 2001 09:24:56 -0700 (PDT) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f83GOnn36329; Mon, 3 Sep 2001 19:24:49 +0300 (EEST) (envelope-from ru) Date: Mon, 3 Sep 2001 19:24:49 +0300 
From: Ruslan Ermilov To: Warner Losh , Bruce Evans , Kris Kennaway , Mark Murray Cc: audit@FreeBSD.org Subject: wall -g is broken Message-ID: <20010903192449.B29616@sunbay.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="/9DWx/yDrRhgMJTb" Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG --/9DWx/yDrRhgMJTb Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hi! As the subject line says, ``wall -g'' appears to be broken. I feel somewhat confused, as the original list of reviewers looks quite amazing: imp, bde, kris, markm, audit@. The use of the getgroups(3) function is unproven since: 1) Its first argument should specify the array size, and is of type `int', not `gid_t'. 2) The code gives false matches and does not produce the required matches. Instead of checking the membership of each line's owner in the -g list of groups, the code gives a match if at least one of the -g groups matches those of the process's groups, as returned by getgroups(). Thus, wall -g `id -gn` will match the entire ttys(5). The attached patch fixes this. Please _REALLY_ review this now! This bug was obtained from OpenBSD, but without mentioning this in the commit log's ``Obtained from: '' field. The bug is still present in OpenBSD. 
Thanks, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age --/9DWx/yDrRhgMJTb Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=p Index: wall.c =================================================================== RCS file: /home/ncvs/src/usr.bin/wall/wall.c,v retrieving revision 1.19 diff -u -p -r1.19 wall.c --- wall.c 2001/05/08 11:11:42 1.19 +++ wall.c 2001/09/03 16:19:54 @@ -87,18 +87,16 @@ main(int argc, char *argv[]) { struct iovec iov; struct utmp utmp; - gid_t grps[NGROUPS_MAX]; int ch; - int ingroup, ngrps, i; + int ingroup; FILE *fp; struct wallgroup *g; struct group *grp; - char *p; + char *p, **np; struct passwd *pw; char line[sizeof(utmp.ut_line) + 1]; char username[sizeof(utmp.ut_name) + 1]; - ingroup = 0; (void)setlocale(LC_CTYPE, ""); while ((ch = getopt(argc, argv, "g:n")) != -1) 
@@ -144,19 +142,24 @@ main(int argc, char *argv[]) !strncmp(utmp.ut_name, IGNOREUSER, sizeof(utmp.ut_name))) continue; if (grouplist) { + ingroup = 0; strlcpy(username, utmp.ut_name, sizeof(utmp.ut_name)); pw = getpwnam(username); if (!pw) continue; - ngrps = getgroups(pw->pw_gid, grps); for (g = grouplist; g && ingroup == 0; g = g->next) { if (g->gid == -1) continue; if (g->gid == pw->pw_gid) ingroup = 1; - for (i = 0; i < ngrps && ingroup == 0; i++) - if (g->gid == grps[i]) - ingroup = 1; + else if ((grp = getgrgid(g->gid)) != NULL) { + for (np = grp->gr_mem; *np; np++) { + if (strcmp(*np, username) == 0) { + ingroup = 1; + break; + } + } + } } if (ingroup == 0) continue; --/9DWx/yDrRhgMJTb-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Mon Sep 3 10:19:41 2001 Delivered-To: freebsd-audit@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 842C637B40C; Mon, 3 Sep 2001 10:19:15 -0700 (PDT) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f83HJ9143379; Mon, 3 Sep 2001 20:19:09 +0300 (EEST) (envelope-from ru) Date: Mon, 3 Sep 2001 20:19:09 +0300 
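Review bot: In the second wall.c hunk, the unchanged `strlcpy(username, utmp.ut_name, sizeof(utmp.ut_name));` passes the size of the source field instead of `sizeof(username)`, so a login name that fills `ut_name` is copied one character short, and both `getpwnam(username)` and the new `strcmp(*np, username)` against `gr_mem` then test the wrong name. `username` is declared with `sizeof(utmp.ut_name) + 1` bytes for exactly that case, so bound the copy by the destination and terminate it explicitly, since a full `ut_name` has no NUL for strlcpy() to stop at. The rest of the hunk, resetting `ingroup` per utmp entry and walking `grp->gr_mem`, addresses both problems described in the message.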
From: Ruslan Ermilov To: security@FreeBSD.org Cc: audit@FreeBSD.org Subject: dropping ``setgid tty'' in dump(8) Message-ID: <20010903201909.C29616@sunbay.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="U+BazGySraz5kW0T" Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG --U+BazGySraz5kW0T Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hi! The attached patch replaces the ``wall -g'' functionality built into dump(8) directly with the call to wall(1), thus making it possible to drop the ``setgid tty'' privilege. The DIALUP check was weak, and was also removed. The patch is based on the OpenBSD's work. I've posted another message to the -audit that makes ``wall -g'' really work. Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age --U+BazGySraz5kW0T Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=p Index: Makefile =================================================================== RCS file: /home/ncvs/src/sbin/dump/Makefile,v retrieving revision 1.14 diff -u -p -r1.14 Makefile --- Makefile 2001/03/26 14:33:00 1.14 +++ Makefile 2001/09/03 16:57:01 @@ -18,8 +18,6 @@ LINKS= ${BINDIR}/dump ${BINDIR}/rdump CFLAGS+=-DRDUMP CFLAGS+=-I${.CURDIR}/../../libexec/rlogind SRCS= itime.c main.c optr.c dumprmt.c tape.c traverse.c unctime.c -BINGRP= tty -BINMODE=2555 MAN= dump.8 MLINKS+=dump.8 rdump.8 Index: dump.h =================================================================== RCS file: /home/ncvs/src/sbin/dump/dump.h,v retrieving revision 1.9 diff -u -p -r1.9 dump.h --- dump.h 2001/08/10 23:12:10 1.9 +++ dump.h 2001/09/03 16:57:01 
@@ -100,7 +100,6 @@ void msg __P((const char *fmt, ...)) __p void msgtail __P((const char *fmt, ...)) __printflike(1, 2); int query __P((char *question)); void quit __P((const char *fmt, ...)) __printflike(1, 2); -void set_operators __P((void)); void timeest __P((void)); time_t unctime __P((char *str)); @@ -151,7 +150,6 @@ void interrupt __P((int signo)); /* in c #define X_ABORT 3 /* abort dump; don't attempt checkpointing */ #define OPGRENT "operator" /* group entry to notify */ -#define DIALUP "ttyd" /* prefix for dialups */ struct fstab *fstabsearch __P((char *key)); /* search fs_file and fs_spec */ Index: main.c =================================================================== RCS file: /home/ncvs/src/sbin/dump/main.c,v retrieving revision 1.26 diff -u -p -r1.26 main.c --- main.c 2001/07/09 03:06:56 1.26 +++ main.c 2001/09/03 16:57:03 @@ -287,7 +287,6 @@ main(argc, argv) if (signal(SIGINT, interrupt) == SIG_IGN) signal(SIGINT, SIG_IGN); - set_operators(); /* /etc/group snarfed */ getfstab(); /* /etc/fstab snarfed */ /* * disk can be either the full special file name, Index: optr.c =================================================================== RCS file: /home/ncvs/src/sbin/dump/optr.c,v retrieving revision 1.12 diff -u -p -r1.12 optr.c --- optr.c 2001/01/29 09:45:51 1.12 +++ optr.c 2001/09/03 16:57:03 @@ -59,7 +59,6 @@ static const char rcsid[] = void alarmcatch __P((/* int, int */)); int datesort __P((const void *, const void *)); -static void sendmes __P((char *, char *)); /* * Query the operator; This previously-fascist piece of code @@ -117,7 +116,7 @@ query(question) return(back); } -char lastmsg[100]; +char lastmsg[BUFSIZ]; /* * Alert the console operator, and enable the alarm clock to 
@@ -159,130 +158,33 @@ interrupt(signo) } /* - * The following variables and routines manage alerting - * operators to the status of dump. - * This works much like wall(1) does. + * We now use wall(1) to do the actual broadcasting. */ -struct group *gp; - -/* - * Get the names from the group entry "operator" to notify. - */ -void -set_operators() -{ - if (!notify) /*not going to notify*/ - return; - gp = getgrnam(OPGRENT); - (void) endgrent(); - if (gp == NULL) { - msg("No group entry for %s.\n", OPGRENT); - notify = 0; - return; - } -} - -struct tm *localclock; - -/* - * We fork a child to do the actual broadcasting, so - * that the process control groups are not messed up - */ void broadcast(message) char *message; { - time_t clock; - FILE *f_utmp; - struct utmp utmp; - char **np; - int pid, s; + FILE *fp; + char buf[sizeof(_PATH_WALL) + sizeof(OPGRENT) + 3]; - if (!notify || gp == NULL) + if (!notify) return; - switch (pid = fork()) { - case -1: + snprintf(buf, sizeof(buf), "%s -g %s", _PATH_WALL, OPGRENT); + if ((fp = popen(buf, "w")) == NULL) return; - case 0: - break; - default: - while (wait(&s) != pid) - continue; - return; - } - - clock = time((time_t *)0); - localclock = localtime(&clock); - - if ((f_utmp = fopen(_PATH_UTMP, "r")) == NULL) { - msg("Cannot open %s: %s\n", _PATH_UTMP, strerror(errno)); - return; - } - while (!feof(f_utmp)) { - if (fread((char *) &utmp, sizeof (struct utmp), 1, f_utmp) != 1) - break; - if (utmp.ut_name[0] == 0) - continue; - for (np = gp->gr_mem; *np; np++) { - if (strncmp(*np, utmp.ut_name, sizeof(utmp.ut_name)) != 0) - continue; - /* - * Do not send messages to operators on dialups - */ - if (strncmp(utmp.ut_line, DIALUP, strlen(DIALUP)) == 0) - continue; -#ifdef DEBUG - msg("Message to %s at %s\n", *np, utmp.ut_line); -#endif - sendmes(utmp.ut_line, message); - } - } - (void) fclose(f_utmp); - Exit(0); /* the wait in this same routine will catch this */ - /* NOTREACHED */ -} + (void) fputs("\a\a\aMessage from the dump 
program to all operators\n\nDUMP: NEEDS ATTENTION: ", fp); + if (lastmsg[0]) + (void) fputs(lastmsg, fp); + if (message[0]) + (void) fputs(message, fp); -static void -sendmes(tty, message) - char *tty, *message; -{ - char t[MAXPATHLEN], buf[BUFSIZ]; - register char *cp; - int lmsg = 1; - FILE *f_tty; - - (void) strcpy(t, _PATH_DEV); - (void) strncat(t, tty, sizeof t - strlen(_PATH_DEV) - 1); - - if ((f_tty = fopen(t, "w")) != NULL) { - setbuf(f_tty, buf); - (void) fprintf(f_tty, - "\n\ -\a\a\aMessage from the dump program to all operators at %d:%02d ...\r\n\n\ -DUMP: NEEDS ATTENTION: ", - localclock->tm_hour, localclock->tm_min); - for (cp = lastmsg; ; cp++) { - if (*cp == '\0') { - if (lmsg) { - cp = message; - if (*cp == '\0') - break; - lmsg = 0; - } else - break; - } - if (*cp == '\n') - (void) putc('\r', f_tty); - (void) putc(*cp, f_tty); - } - (void) fclose(f_tty); - } + (void) pclose(fp); } /* - * print out an estimate of the amount of time left to do the dump + * Print out an estimate of the amount of time left to do the dump */ time_t tschedule = 0; Index: pathnames.h =================================================================== RCS file: /home/ncvs/src/sbin/dump/pathnames.h,v retrieving revision 1.6 diff -u -p -r1.6 pathnames.h --- pathnames.h 2001/03/08 09:04:39 1.6 +++ pathnames.h 2001/09/03 16:57:03 
@@ -41,3 +41,4 @@ #define _PATH_DUMPDATES "/etc/dumpdates" #define _PATH_LOCK "/tmp/dumplockXXXXXX" #define _PATH_RMT "/etc/rmt" /* path on remote host */ +#define _PATH_WALL "/usr/bin/wall" --U+BazGySraz5kW0T-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Mon Sep 3 11:11:26 2001 Delivered-To: freebsd-audit@freebsd.org Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id 6890137B407; Mon, 3 Sep 2001 11:11:18 -0700 (PDT) Received: (from ache@localhost) by nagual.pp.ru (8.11.6/8.11.6) id f83IBGw15237; Mon, 3 Sep 2001 22:11:17 +0400 (MSD) (envelope-from ache) Date: Mon, 3 Sep 2001 22:11:16 +0400 
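Review bot: in the optr.c broadcast() hunk of the dump(8) patch above, popen() starts wall through sh(1) with the caller's environment even though buf is built only from the constants _PATH_WALL and OPGRENT; a pipe() plus fork() and execl(_PATH_WALL, "wall", "-g", OPGRENT, (char *)NULL) would avoid the shell entirely. The return values of snprintf(), fputs() and pclose() are all discarded, so a missing or failing wall means the operators are silently never notified; checking pclose() and reporting through msg() would keep that visible. The new banner also drops the "at %d:%02d" timestamp and the '\r' that the removed sendmes() wrote before every '\n', which is fine only if wall(1) supplies both itself, and that is worth stating in the commit message.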
From: "Andrey A. Chernov"
To: current@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: CFR: strtol{l}() fixes
Message-ID: <20010903221116.A15133@nagual.pp.ru>
References: <20010903113148.A6055@nagual.pp.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20010903113148.A6055@nagual.pp.ru>
User-Agent: Mutt/1.3.21i
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Mon, Sep 03, 2001 at 11:31:50 +0400, Andrey A. Chernov wrote:
> Fixes list:
>

BTW, I have very similar fixes to strtoul/strtoull

-- 
Andrey A. Chernov
http://ache.pp.ru/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message

From owner-freebsd-audit Mon Sep 3 14:20:55 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from green.bikeshed.org (freefall.freebsd.org [216.136.204.21])
    by hub.freebsd.org (Postfix) with ESMTP id B50EF37B403;
    Mon, 3 Sep 2001 14:20:51 -0700 (PDT)
Received: from localhost (green@localhost)
    by green.bikeshed.org (8.11.4/8.11.1) with ESMTP id f83LKoS53035;
    Mon, 3 Sep 2001 17:20:50 -0400 (EDT)
    (envelope-from green@green.bikeshed.org)
Message-Id: <200109032120.f83LKoS53035@green.bikeshed.org>
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
To: Warner Losh
Cc: Mike Barcroft, David Hill, audit@FreeBSD.ORG
Subject: Re: users.c PATCH - please review
In-Reply-To: Message from Warner Losh of "Sun, 02 Sep 2001 20:35:14 MDT." <200109030235.f832ZFh22600@harmony.village.org>
From: "Brian F. Feldman" Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 03 Sep 2001 17:20:50 -0400 Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Warner Losh wrote: > In message <20010901125802.F85574@coffee.q9media.com> Mike Barcroft writes: > : David Hill writes: > : > I have patched users/users.c so that it will compile under WARNS?=2. I have both attached and cut/pasted it to the message. > : > Please review it. > : > : > diff -ru /usr/src/usr.bin/users.orig/users.c /usr/src/usr.bin/users/users.c > : > --- /usr/src/usr.bin/users.orig/users.c Fri Aug 27 21:07:14 1999 > : > +++ /usr/src/usr.bin/users/users.c Fri Aug 31 15:58:20 2001 > : 
> @@ -117,5 +117,8 @@ > : > scmp(p, q) > : > const void *p, *q; > : > { > : > - return(strncmp((char *)p, (char *)q, UT_NAMESIZE)); > : > + const char *const pp1 = p; > : > + const char *const pp2 = q; > : > + > : > + return(strncmp(pp1, pp2, UT_NAMESIZE)); > : > } > : > : Why create new local variables? Just get rid of the bogus casts. > > Why not just > return (strncmp((const char *)p, (const char *)q, UT_NAMESIZE)); > > Also, const char *const is wrong. No need for the second const. Technically, there's nothing wrong with declaring "a const pointer to a const character", just casting to that would be very strange (and probably illegal; not sure). In any case, I'm not sure I see the point of not just using two (const char *) casts and not increasing the function size other than adding a blank line and space for style(9). That should remove any warning about casting away const qualification. -- Brian Fundakowski Feldman \ FreeBSD: The Power to Serve! / green@FreeBSD.org `------------------------------' To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Mon Sep 3 14:22:15 2001 Delivered-To: freebsd-audit@freebsd.org Received: from rover.village.org (rover.bsdimp.com [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id 33D5C37B40B; Mon, 3 Sep 2001 14:22:12 -0700 (PDT) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.3/8.11.3) with ESMTP id f83LMAX16024; Mon, 3 Sep 2001 15:22:11 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.11.3/8.11.4) with ESMTP id f83LMAh28309; Mon, 3 Sep 2001 15:22:10 -0600 (MDT) (envelope-from imp@harmony.village.org) Message-Id: <200109032122.f83LMAh28309@harmony.village.org> To: "Brian F. 
Feldman" Subject: Re: users.c PATCH - please review Cc: Mike Barcroft , David Hill , audit@FreeBSD.ORG In-reply-to: Your message of "Mon, 03 Sep 2001 17:20:50 EDT." <200109032120.f83LKoS53035@green.bikeshed.org> References: <200109032120.f83LKoS53035@green.bikeshed.org> Date: Mon, 03 Sep 2001 15:22:10 -0600 From: Warner Losh Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG In message <200109032120.f83LKoS53035@green.bikeshed.org> "Brian F. Feldman" writes: : Warner Losh wrote: : > In message <20010901125802.F85574@coffee.q9media.com> Mike Barcroft writes: : > : David Hill writes: : > : > I have patched users/users.c so that it will compile under WARNS?=2. I have both attached and cut/pasted it to the message. : > : > Please review it. : > : : > : > diff -ru /usr/src/usr.bin/users.orig/users.c /usr/src/usr.bin/users/users.c : > : > --- /usr/src/usr.bin/users.orig/users.c Fri Aug 27 21:07:14 1999 : > : > +++ /usr/src/usr.bin/users/users.c Fri Aug 31 15:58:20 2001 : > : 
> @@ -117,5 +117,8 @@ : > : > scmp(p, q) : > : > const void *p, *q; : > : > { : > : > - return(strncmp((char *)p, (char *)q, UT_NAMESIZE)); : > : > + const char *const pp1 = p; : > : > + const char *const pp2 = q; : > : > + : > : > + return(strncmp(pp1, pp2, UT_NAMESIZE)); : > : > } : > : : > : Why create new local variables? Just get rid of the bogus casts. : > : > Why not just : > return (strncmp((const char *)p, (const char *)q, UT_NAMESIZE)); : > : > Also, const char *const is wrong. No need for the second const. : : Technically, there's nothing wrong with declaring "a const pointer to a : const character", just casting to that would be very strange (and probably : illegal; not sure). In any case, I'm not sure I see the point of not just : using two (const char *) casts and not increasing the function size other : than adding a blank line and space for style(9). That should remove any : warning about casting away const qualification. That was rather my point. const char *const is wrong because it is too consty, the second const doesn't buy you anything. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Tue Sep 4 9:47:59 2001 Delivered-To: freebsd-audit@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 1E22A37B40B; Tue, 4 Sep 2001 09:47:18 -0700 (PDT) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f84GlB616365; Tue, 4 Sep 2001 19:47:11 +0300 (EEST) (envelope-from ru) Date: Tue, 4 Sep 2001 19:47:11 +0300 
From: Ruslan Ermilov
To: Warner Losh, Bruce Evans, Kris Kennaway, Mark Murray
Cc: audit@FreeBSD.org
Subject: Re: wall -g is broken
Message-ID: <20010904194711.I1669@sunbay.com>
References: <20010903201909.C29616@sunbay.com> <20010903192449.B29616@sunbay.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010903192449.B29616@sunbay.com>; from ru@FreeBSD.org on Mon, Sep 03, 2001 at 07:24:49PM +0300
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Unless I hear any intentions to review these patches, I am
going to commit them tomorrow morning, local time.

I know that your time is limited, but it would be nice to
know if you are ever going to review this. If so, please tell
me your review's deadline.

Thanks,

On Mon, Sep 03, 2001 at 07:24:49PM +0300, Ruslan Ermilov wrote:
> Hi!
>
> As the subject line says, ``wall -g'' appears to be broken.
>
> I feel somewhat confused, as the original list of reviewers
> looks quite amazing: imp, bde, kris, markm, audit@.
>
> The use of the getgroups(3) function is unproven since:
>
> 1) Its first argument should specify the array size, and
>    is of type `int', not `gid_t'.
>
> 2) The code gives false matches and does not produce the
>    required matches. Instead of checking the membership
>    of each line's owner in the -g list of groups, the
>    code gives a match if at least one of the -g groups
>    matches those of the process's groups, as returned
>    by getgroups(). Thus,
>
>        wall -g `id -gn`
>
>    will match the entire ttys(5).
>
> The attached patch fixes this.
>
> Please _REALLY_ review this now!
>
>
> This bug was obtained from OpenBSD, but without mentioning
> this in the commit log's ``Obtained from: '' field. The
> bug is still present in OpenBSD.
>
On Mon, Sep 03, 2001 at 08:19:09PM +0300, Ruslan Ermilov wrote:
> Hi!
>
> The attached patch replaces the ``wall -g'' functionality built
> into dump(8) directly with the call to wall(1), thus making it
> possible to drop the ``setgid tty'' privilege.
>
> The DIALUP check was weak, and was also removed.
>
> The patch is based on OpenBSD's work.
>
>
> I've posted another message to the -audit that makes ``wall -g''
> really work.
>

-- 
Ruslan Ermilov          Oracle Developer/DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine
http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message

From owner-freebsd-audit Tue Sep 4 10:31:28 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from rover.village.org (rover.bsdimp.com [204.144.255.66])
    by hub.freebsd.org (Postfix) with ESMTP id 985AE37B407;
    Tue, 4 Sep 2001 10:31:23 -0700 (PDT)
Received: from harmony.village.org (harmony.village.org [10.0.0.6])
    by rover.village.org (8.11.3/8.11.3) with ESMTP id f84HVIX19634;
    Tue, 4 Sep 2001 11:31:18 -0600 (MDT)
    (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1])
    by harmony.village.org (8.11.3/8.11.4) with ESMTP id f84HVHh36169;
    Tue, 4 Sep 2001 11:31:17 -0600 (MDT)
    (envelope-from imp@harmony.village.org)
Message-Id: <200109041731.f84HVHh36169@harmony.village.org>
To: Ruslan Ermilov
Subject: Re: wall -g is broken
Cc: Bruce Evans, Kris Kennaway, Mark Murray, audit@FreeBSD.org
In-reply-to: Your message of "Tue, 04 Sep 2001 19:47:11 +0300." <20010904194711.I1669@sunbay.com>
References: <20010904194711.I1669@sunbay.com> <20010903201909.C29616@sunbay.com> <20010903192449.B29616@sunbay.com>
Date: Tue, 04 Sep 2001 11:31:17 -0600
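The match logic Ruslan Ermilov describes in the "wall -g is broken" report above, as an added example that is not code from the thread or from wall(1): it contrasts the described false match with a check of each tty owner's membership. The user, group and session tables are constructed sample data, and counting a user's primary group as membership is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample data standing in for passwd(5), group(5) and utmp. */
struct user    { const char *name; gid_t pgid; };
struct grp     { gid_t gid; const char *members[4]; /* NULL-terminated */ };
struct session { const char *line; const char *user; };

static const struct user users[] = {
    { "alice", 100 }, { "bob", 100 }, { "carol", 5 },
};
static const struct grp groups[] = {
    { 5,   { "bob", NULL } },   /* "operator" */
    { 100, { NULL } },          /* "staff" */
};
static const struct session sessions[] = {
    { "ttyv0", "alice" }, { "ttyp0", "bob" }, { "ttyp1", "carol" },
};
/* Groups of the process running wall, as getgroups() would return them. */
static const gid_t sender_groups[] = { 100 };

/* The -g lists used below (hypothetical gids). */
static const gid_t G_STAFF[] = { 100 };
static const gid_t G_OPERATOR[] = { 5 };

#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/* Broken check as described: the tty's owner never enters the decision. */
static int
buggy_match(const struct session *s, const gid_t *want, size_t nwant)
{
    size_t i, j;

    (void)s;
    for (i = 0; i < nwant; i++)
        for (j = 0; j < NELEM(sender_groups); j++)
            if (want[i] == sender_groups[j])
                return (1);
    return (0);
}

/* Is `name' in group `gid', by primary group or by the member list? */
static int
user_in_group(const char *name, gid_t gid)
{
    size_t i, m;

    for (i = 0; i < NELEM(users); i++)
        if (strcmp(users[i].name, name) == 0 && users[i].pgid == gid)
            return (1);
    for (i = 0; i < NELEM(groups); i++) {
        if (groups[i].gid != gid)
            continue;
        for (m = 0; groups[i].members[m] != NULL; m++)
            if (strcmp(groups[i].members[m], name) == 0)
                return (1);
    }
    return (0);
}

/* Intended check: the owner of this line belongs to one of the -g groups. */
static int
fixed_match(const struct session *s, const gid_t *want, size_t nwant)
{
    size_t i;

    for (i = 0; i < nwant; i++)
        if (user_in_group(s->user, want[i]))
            return (1);
    return (0);
}

/* Number of logged-in lines that would receive the message. */
static size_t
count_recipients(int fixed, const gid_t *want, size_t nwant)
{
    size_t i, n = 0;

    for (i = 0; i < NELEM(sessions); i++)
        n += (size_t)(fixed ? fixed_match(&sessions[i], want, nwant)
            : buggy_match(&sessions[i], want, nwant));
    return (n);
}

int
main(void)
{
    printf("-g staff:    buggy=%zu fixed=%zu\n",
        count_recipients(0, G_STAFF, 1), count_recipients(1, G_STAFF, 1));
    printf("-g operator: buggy=%zu fixed=%zu\n",
        count_recipients(0, G_OPERATOR, 1), count_recipients(1, G_OPERATOR, 1));
    return (0);
}
```

With the sender in staff only, the broken check reaches every line for `-g staff` and nobody for `-g operator`, which is both the false match and the missing match from the report.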
From: Warner Losh
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

In message <20010904194711.I1669@sunbay.com> Ruslan Ermilov writes:
: Unless I hear any intentions to review these patches, I am
: going to commit them tomorrow morning, local time.
:
: I know that your time is limited, but it would be nice to
: know if you are ever going to review this. If so, please tell
: me your review's deadline.

The patches I saw looked good in the macro sense, but I didn't trace
out each case.

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message

From owner-freebsd-audit Tue Sep 4 10:43:58 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from arb.arb.za.net (www.powerbox.co.za [196.7.148.4])
    by hub.freebsd.org (Postfix) with ESMTP id D593037B408 for ;
    Tue, 4 Sep 2001 10:43:31 -0700 (PDT)
Received: (from uucp@localhost)
    by arb.arb.za.net (8.11.3/8.11.3) with UUCP id f84HhVd36466
    for audit@freebsd.org; Tue, 4 Sep 2001 19:43:31 +0200 (SAST)
    (envelope-from mark@grondar.za)
Received: from grondar.za (localhost [127.0.0.1])
    by grimreaper.grondar.za (8.11.6/8.11.4) with ESMTP id f84Hbik03671 for ;
    Tue, 4 Sep 2001 18:37:44 +0100 (BST)
    (envelope-from mark@grondar.za)
Message-Id: <200109041737.f84Hbik03671@grimreaper.grondar.za>
To: audit@freebsd.org
Subject: login(1) WARNS=2 cleanup
Date: Tue, 04 Sep 2001 18:37:44 +0100
From: Mark Murray Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Hello all! Please take a look at this; it is primarily a WARNS=2 cleanup for login(1). What is not WARNS=2, is a general code cleanup and ANSIfication. This breaks: K&R M Index: Makefile =================================================================== RCS file: /home/ncvs/src/usr.bin/login/Makefile,v retrieving revision 1.36 diff -u -d -r1.36 Makefile --- Makefile 30 Aug 2001 11:27:36 -0000 1.36 +++ Makefile 1 Sep 2001 17:09:07 -0000 @@ -10,6 +10,8 @@ DPADD= ${LIBUTIL} ${LIBCRYPT} ${LIBPAM} LDADD= -lutil -lcrypt ${MINUSLPAM} +WARNS?= 2 + BINMODE=4555 INSTALLFLAGS=-fschg NEED_LIBNAMES= yes Index: login.c =================================================================== RCS file: /home/ncvs/src/usr.bin/login/login.c,v retrieving revision 1.68 diff -u -d -r1.68 login.c --- login.c 30 Aug 2001 11:27:36 -0000 1.68 +++ login.c 1 Sep 2001 19:20:25 -0000 @@ -82,6 +82,7 @@ #include #include +#include "login.h" #include "pathnames.h" /* wrapper for KAME-special getnameinfo() */ 
@@ -89,22 +90,24 @@ #define NI_WITHSCOPEID 0 #endif -void badlogin __P((char *)); -void dolastlog __P((int)); -void getloginname __P((void)); -void motd __P((char *)); -int rootterm __P((char *)); -void sigint __P((int)); -void sleepexit __P((int)); -void refused __P((char *,char *,int)); -char *stypeof __P((char *)); -void timedout __P((int)); -int login_access __P((char *, char *)); -void login_fbtab __P((char *, uid_t, gid_t)); +static void badlogin(char *); +static void dolastlog(int); +static void getloginname(void); +static void motd(const char *); +static int rootterm(char *); +static void sigint(int); +static void sleepexit(int); +static void refused(const char *,const char *,int); +static const char *stypeof(char *); +static void timedout(int); -static int auth_pam __P((void)); -static int export_pam_environment __P((void)); -static int ok_to_export __P((const char *)); +static int auth_pam(void); +static int export_pam_environment(void); +static int ok_to_export(const char *); + +static int auth_pam(void); +static int export_pam_environment(void); +static int ok_to_export(const char *); static pam_handle_t *pamh = NULL; static char **environ_pam; @@ -118,9 +121,9 @@ syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); \ } -static int auth_traditional __P((void)); -extern void login __P((struct utmp *)); -static void usage __P((void)); +static int auth_traditional(void); +extern void login(struct utmp *); +static void usage(void); #define TTYGRPNAME "tty" /* name of group to own ttys */ #define DEFAULT_BACKOFF 3 @@ -143,9 +146,7 @@ char full_hostname[MAXHOSTNAMELEN]; int -main(argc, argv) - int argc; - char *argv[]; +main(int argc, char *argv[]) { extern char **environ; struct group *gr; @@ -161,6 +162,8 @@ char tbuf[MAXPATHLEN + 2]; char tname[sizeof(_PATH_TTY) + 10]; char *shell = NULL; + char default_prompt[] = DEFAULT_PROMPT; + char default_passwd_prompt[] = DEFAULT_PASSWD_PROMPT; login_cap_t *lc = NULL; pid_t pid; int e; 
@@ -234,7 +237,7 @@ sleepexit(1); } } else - optarg = "invalid hostname"; + optarg = strdup("invalid hostname"); if (res != NULL) freeaddrinfo(res); } @@ -275,9 +278,9 @@ * Get "login-retries" & "login-backoff" from default class */ lc = login_getclass(NULL); - prompt = login_getcapstr(lc, "prompt", DEFAULT_PROMPT, DEFAULT_PROMPT); + prompt = login_getcapstr(lc, "prompt", default_prompt, default_prompt); passwd_prompt = login_getcapstr(lc, "passwd_prompt", - DEFAULT_PASSWD_PROMPT, DEFAULT_PASSWD_PROMPT); + default_passwd_prompt, default_passwd_prompt); retries = login_getcapnum(lc, "login-retries", DEFAULT_RETRIES, DEFAULT_RETRIES); backoff = login_getcapnum(lc, "login-backoff", DEFAULT_BACKOFF, @@ -404,7 +407,7 @@ refused("Cannot find root directory", "ROOTDIR", 1); if (!quietlog || *pwd->pw_dir) printf("No home directory.\nLogging in with home = \"/\".\n"); - pwd->pw_dir = "/"; + pwd->pw_dir = strdup("/"); } (void)seteuid(euid); (void)setegid(egid); @@ -463,7 +466,7 @@ } shell = login_getcapstr(lc, "shell", pwd->pw_shell, pwd->pw_shell); if (*pwd->pw_shell == '\0') - pwd->pw_shell = _PATH_BSHELL; + pwd->pw_shell = strdup(_PATH_BSHELL); if (*shell == '\0') /* Not overridden */ shell = pwd->pw_shell; if ((shell = strdup(shell)) == NULL) { @@ -637,7 +640,7 @@ (void)setenv("PATH", rootlogin ? _PATH_STDPATH : _PATH_DEFPATH, 0); if (!quietlog) { - char *cw; + const char *cw; cw = login_getcapstr(lc, "copyright", NULL, NULL); if (cw != NULL && access(cw, F_OK) == 0) @@ -676,7 +679,7 @@ /* * Login shells have a leading '-' in front of argv[0] */ - if (snprintf(tbuf, sizeof(tbuf), "-%s", + if ((size_t)snprintf(tbuf, sizeof(tbuf), "-%s", (p = strrchr(pwd->pw_shell, '/')) ? p + 1 : pwd->pw_shell) >= sizeof(tbuf)) { syslog(LOG_ERR, "user: %s: shell exceeds maximum pathname size", 
@@ -689,12 +692,12 @@ } static int -auth_traditional() +auth_traditional(void) { int rval; char *p; - char *ep; - char *salt; + const char *ep; + const char *salt; rval = 1; salt = pwd != NULL ? pwd->pw_passwd : "xx"; @@ -722,7 +725,7 @@ * fall back to a different authentication mechanism. */ static int -auth_pam() +auth_pam(void) { const char *tmpl_user; const void *item; @@ -813,7 +816,7 @@ } static int -export_pam_environment() +export_pam_environment(void) { char **pp; @@ -833,8 +836,7 @@ * Solaris pam_putenv(3) man page. */ static int -ok_to_export(s) - const char *s; +ok_to_export(const char *s) { static const char *noexport[] = { "SHELL", "HOME", "LOGNAME", "MAIL", "CDPATH", @@ -856,7 +858,7 @@ } static void -usage() +usage(void) { (void)fprintf(stderr, "usage: login [-fp] [-h hostname] [username]\n"); @@ -870,7 +872,7 @@ #define NBUFSIZ UT_NAMESIZE + 64 void -getloginname() +getloginname(void) { int ch; char *p; @@ -900,8 +902,7 @@ } int -rootterm(ttyn) - char *ttyn; +rootterm(char *ttyn) { struct ttyent *t; @@ -911,15 +912,13 @@ volatile int motdinterrupt; void -sigint(signo) - int signo __unused; +sigint(int signo __unused) { motdinterrupt = 1; } void -motd(motdfile) - char *motdfile; +motd(const char *motdfile) { int fd, nchars; sig_t oldint; @@ -937,8 +936,7 @@ /* ARGSUSED */ void -timedout(signo) - int signo; +timedout(int signo) { longjmp(timeout_buf, signo); @@ -946,8 +944,7 @@ void -dolastlog(quiet) - int quiet; +dolastlog(int quiet) { struct lastlog ll; int fd; @@ -983,8 +980,7 @@ } void -badlogin(name) - char *name; +badlogin(char *name) { if (failures == 0) @@ -1008,9 +1004,8 @@ #undef UNKNOWN #define UNKNOWN "su" -char * -stypeof(ttyid) - char *ttyid; +const char * +stypeof(char *ttyid) { struct ttyent *t; @@ -1023,10 +1018,7 @@ } void -refused(msg, rtype, lout) - char *msg; - char *rtype; - int lout; +refused(const char *msg, const char *rtype, int lout) { if (msg != NULL) 
@@ -1042,8 +1034,7 @@ } void -sleepexit(eval) - int eval; +sleepexit(int eval) { (void)sleep(5); Index: login.h =================================================================== RCS file: login.h diff -N login.h --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ login.h 30 Aug 2001 14:54:12 -0000 
@@ -0,0 +1,37 @@ +/*- + * Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $FreeBSD$ + */ + +extern int login_access(char *r, char *); +extern void login_fbtab(char *tty, uid_t uid, gid_t gid); Index: login_access.c =================================================================== RCS file: /home/ncvs/src/usr.bin/login/login_access.c,v retrieving revision 1.4 diff -u -d -r1.4 login_access.c --- login_access.c 28 Sep 1997 08:49:22 -0000 1.4 +++ login_access.c 30 Aug 2001 14:51:58 -0000 @@ -22,6 +22,7 @@ #include #include +#include "login.h" #include "pathnames.h" /* Delimiters for fields and for lists of users, ttys or hosts. */ @@ -34,17 +35,15 @@ #define YES 1 #define NO 0 -static int list_match(); -static int user_match(); -static int from_match(); -static int string_match(); +static int list_match(char *, char *, int (*)(char *, char *)); +static int user_match(char *, char *); +static int from_match(char *, char *); +static int string_match(char *, char *); /* login_access - match username/group and host/tty with access control file */ int -login_access(user, from) -char *user; -char *from; +login_access(char *user, char *from) { FILE *fp; char line[BUFSIZ]; @@ -103,10 +102,8 @@ /* list_match - match an item against a list of tokens with exceptions */ -static int list_match(list, item, match_fn) -char *list; -char *item; -int (*match_fn) (); +static int +list_match(char *list, char *item, int (*match_fn)(char *, char *)) { char *tok; int match = NO; 
@@ -137,28 +134,17 @@ /* netgroup_match - match group against machine or user */ -static int netgroup_match(group, machine, user) -gid_t group; -char *machine; -char *user; +static int +netgroup_match(char *group __unused, char *machine __unused, char *user __unused) { -#ifdef NIS - static char *mydomain = 0; - - if (mydomain == 0) - yp_get_default_domain(&mydomain); - return (innetgr(group, machine, user, mydomain)); -#else syslog(LOG_ERR, "NIS netgroup support not configured"); return 0; -#endif } /* user_match - match a username against one token */ -static int user_match(tok, string) -char *tok; -char *string; +static int +user_match(char *tok, char *string) { struct group *group; int i; @@ -183,9 +169,8 @@ /* from_match - match a host or tty against a list of tokens */ -static int from_match(tok, string) -char *tok; -char *string; +static int +from_match(char *tok, char *string) { int tok_len; int str_len; @@ -219,9 +204,8 @@ /* string_match - match a string against one token */ -static int string_match(tok, string) -char *tok; -char *string; +static int +string_match(char *tok, char *string) { /* Index: login_fbtab.c =================================================================== RCS file: /home/ncvs/src/usr.bin/login/login_fbtab.c,v retrieving revision 1.9 diff -u -d -r1.9 login_fbtab.c --- login_fbtab.c 9 Dec 2000 09:35:41 -0000 1.9 +++ login_fbtab.c 30 Aug 2001 14:54:39 -0000 
@@ -68,27 +68,25 @@ #include #include #include + +#include "login.h" #include "pathnames.h" -void login_protect __P((char *, char *, int, uid_t, gid_t)); -void login_fbtab __P((char *tty, uid_t uid, gid_t gid)); +static void login_protect(const char *, char *, int, uid_t, gid_t); #define WSPACE " \t\n" /* login_fbtab - apply protections specified in /etc/fbtab or logindevperm */ void -login_fbtab(tty, uid, gid) -char *tty; -uid_t uid; -gid_t gid; +login_fbtab(char *tty, uid_t uid, gid_t gid) { FILE *fp; char buf[BUFSIZ]; char *devname; char *cp; int prot; - char *table; + const char *table; if ((fp = fopen(table = _PATH_FBTAB, "r")) == 0 && (fp = fopen(table = _PATH_LOGINDEVPERM, "r")) == 0) @@ -121,12 +119,7 @@ /* login_protect - protect one device entry */ void -login_protect(table, path, mask, uid, gid) -char *table; -char *path; -int mask; -uid_t uid; -gid_t gid; +login_protect(const char *table, char *path, int mask, uid_t uid, gid_t gid) { char buf[BUFSIZ]; int pathlen = strlen(path); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Wed Sep 5 3:32:46 2001 Delivered-To: freebsd-audit@freebsd.org Received: from anchor-post-33.mail.demon.net (anchor-post-33.mail.demon.net [194.217.242.91]) by hub.freebsd.org (Postfix) with ESMTP id CF05337B408; Wed, 5 Sep 2001 03:32:32 -0700 (PDT) Received: from [62.49.251.130] (helo=herring.nlsystems.com) by anchor-post-33.mail.demon.net with esmtp (Exim 2.12 #1) id 15eZyx-000BUT-0X; Wed, 5 Sep 2001 11:32:31 +0100 Received: from herring (herring [10.0.0.2]) by herring.nlsystems.com (8.11.2/8.11.2) with ESMTP id f85AVFc43597; Wed, 5 Sep 2001 11:31:15 +0100 (BST) (envelope-from dfr@nlsystems.com) Date: Wed, 5 Sep 2001 11:31:15 +0100 (BST) 
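Review bot: the login.c prototype hunk (@@ -89,22 +90,24 @@) of the login(1) patch above adds the three lines `static int auth_pam(void);`, `static int export_pam_environment(void);` and `static int ok_to_export(const char *);` twice; drop the second copy. The same hunk makes badlogin(), dolastlog(), getloginname(), motd(), rootterm(), sigint(), sleepexit(), refused(), stypeof() and timedout() static in their prototypes, while the later definition hunks still read `void getloginname(void)`, `int rootterm(char *ttyn)` and so on without static. Linkage follows the first declaration so this compiles, but the definitions should say static as well.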
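Review bot: the three strdup() replacements in login.c (`optarg = strdup("invalid hostname")`, `pwd->pw_dir = strdup("/")` and `pwd->pw_shell = strdup(_PATH_BSHELL)`) never test for NULL, although the context line just below the last one does check `(shell = strdup(shell)) == NULL`. If the pw_shell allocation fails, the NULL reaches `strrchr(pwd->pw_shell, '/')` in the @@ -676,7 +679,7 @@ hunk. Either handle the failure the way the existing shell code does, or avoid the allocation by keeping these strings in writable arrays, as the patch already does for default_prompt and default_passwd_prompt.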
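Review bot: the netgroup_match() hunk in login_access.c is not a warnings fix. It deletes the whole `#ifdef NIS` branch with yp_get_default_domain() and innetgr(), so the function now always logs "NIS netgroup support not configured" and returns 0 even in a build with NIS, and it changes the first parameter from gid_t to char *. Access rules that depend on a netgroup would stop matching. If that is intended it belongs in its own commit with the behaviour change stated; otherwise keep the `#ifdef NIS` branch and convert only the definition to prototype form.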
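Review bot: in the new login.h, `extern int login_access(char *r, char *);` names its first parameter r and leaves the second unnamed, which looks like a leftover; use the definition's (char *user, char *from) or drop both names. The header also declares login_fbtab() with uid_t and gid_t without including <sys/types.h> and has no include guard, so it only works when every includer has already pulled in the types.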
From: Doug Rabson
To:
Cc:
Subject: Making printf work on ia64
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Since the ia64 architecture has significantly different means for
passing arguments than most others, it has an implementation of stdarg.h
which doesn't work with our printf. In particular, you cannot take a
pointer to the values returned by va_arg().

To get things to work, I had to change printf to copy the arguments
instead of pointing to them. I have extensively tested this on ia64 and
i386 and can't think of any problems with it. Still, it would be nice to
have a few other eyes look over it.

The QUAD_MAX part is down to a limitation with my ia64 build environment
and should be harmless.

Index: vfprintf.c =================================================================== RCS file: /home/ncvs/src/lib/libc/stdio/vfprintf.c,v retrieving revision 1.29 diff -u -r1.29 vfprintf.c --- vfprintf.c 2001/08/20 12:53:34 1.29 +++ vfprintf.c 2001/08/22 09:46:27 
@@ -67,14 +67,35 @@ #include "local.h" #include "fvwrite.h" +#ifndef QUAD_MAX +#define QUAD_MAX LONG_MAX +#endif + /* Define FLOATING_POINT to get floating point. */ #define FLOATING_POINT +union arg { + int intarg; + unsigned int uintarg; + long longarg; + unsigned long ulongarg; + quad_t quadarg; + u_quad_t uquadarg; + void *pvoidarg; + char *pchararg; + short *pshortarg; + int *pintarg; + long *plongarg; + quad_t *pquadarg; + double doublearg; + long double longdoublearg; +}; + static int __sprint __P((FILE *, struct __suio *)); static int __sbprintf __P((FILE *, const char *, va_list)) __printflike(2, 0); static char * __ultoa __P((u_long, char *, int, int, char *)); static char * __uqtoa __P((u_quad_t, char *, int, int, char *)); -static void __find_arguments __P((const char *, va_list, void ***)); +static void __find_arguments __P((const char *, va_list, union arg **)); static void __grow_type_table __P((int, unsigned char **, int *)); /* @@ -330,8 +351,8 @@ struct __siov iov[NIOV];/* ... and individual io vectors */ char buf[BUF]; /* space for %c, %[diouxX], %[eEfgG] */ char ox[2]; /* space for 0x hex-prefix */ - void **argtable; /* args, built due to positional arg */ - void *statargtable [STATIC_ARG_TBL_SIZE]; + union arg *argtable; /* args, built due to positional arg */ + union arg statargtable [STATIC_ARG_TBL_SIZE]; int nextarg; /* 1-based argument index */ va_list orgap; /* original argument pointer */ @@ -382,7 +403,7 @@ * argument (and arguments must be gotten sequentially). */ #define GETARG(type) \ - ((argtable != NULL) ? *((type*)(argtable[nextarg++])) : \ + ((argtable != NULL) ? *((type*)(&argtable[nextarg++])) : \ (nextarg++, va_arg(ap, type))) /* @@ -912,7 +933,7 @@ * It will be replaces with a malloc-ed one if it overflows. */ static void -__find_arguments (const char *fmt0, va_list ap, void ***argtable) +__find_arguments (const char *fmt0, va_list ap, union arg **argtable) { char *fmt; /* format string */ int ch; /* character from fmt */ 
@@ -1112,63 +1133,63 @@ * Build the argument table. */ if (tablemax >= STATIC_ARG_TBL_SIZE) { - *argtable = (void **) - malloc (sizeof (void *) * (tablemax + 1)); + *argtable = (union arg *) + malloc (sizeof (union arg) * (tablemax + 1)); } - (*argtable) [0] = NULL; + (*argtable) [0].intarg = 0; for (n = 1; n <= tablemax; n++) { switch (typetable [n]) { case T_UNUSED: - (*argtable) [n] = (void *) &va_arg (ap, int); + (*argtable) [n].intarg = va_arg (ap, int); break; case T_SHORT: - (*argtable) [n] = (void *) &va_arg (ap, int); + (*argtable) [n].intarg = va_arg (ap, int); break; case T_U_SHORT: - (*argtable) [n] = (void *) &va_arg (ap, int); + (*argtable) [n].intarg = va_arg (ap, int); break; case TP_SHORT: - (*argtable) [n] = (void *) &va_arg (ap, short *); + (*argtable) [n].pshortarg = va_arg (ap, short *); break; case T_INT: - (*argtable) [n] = (void *) &va_arg (ap, int); + (*argtable) [n].intarg = va_arg (ap, int); break; case T_U_INT: - (*argtable) [n] = (void *) &va_arg (ap, unsigned int); + (*argtable) [n].uintarg = va_arg (ap, unsigned int); break; case TP_INT: - (*argtable) [n] = (void *) &va_arg (ap, int *); + (*argtable) [n].pintarg = va_arg (ap, int *); break; case T_LONG: - (*argtable) [n] = (void *) &va_arg (ap, long); + (*argtable) [n].longarg = va_arg (ap, long); break; case T_U_LONG: - (*argtable) [n] = (void *) &va_arg (ap, unsigned long); + (*argtable) [n].ulongarg = va_arg (ap, unsigned long); break; case TP_LONG: - (*argtable) [n] = (void *) &va_arg (ap, long *); + (*argtable) [n].plongarg = va_arg (ap, long *); break; case T_QUAD: - (*argtable) [n] = (void *) &va_arg (ap, quad_t); + (*argtable) [n].quadarg = va_arg (ap, quad_t); break; case T_U_QUAD: - (*argtable) [n] = (void *) &va_arg (ap, u_quad_t); + (*argtable) [n].uquadarg = va_arg (ap, u_quad_t); break; case TP_QUAD: - (*argtable) [n] = (void *) &va_arg (ap, quad_t *); + (*argtable) [n].pquadarg = va_arg (ap, quad_t *); break; case T_DOUBLE: - (*argtable) [n] = (void *) &va_arg (ap, 
double); + (*argtable) [n].doublearg = va_arg (ap, double); break; case T_LONG_DOUBLE: - (*argtable) [n] = (void *) &va_arg (ap, long double); + (*argtable) [n].longdoublearg = va_arg (ap, long double); break; case TP_CHAR: - (*argtable) [n] = (void *) &va_arg (ap, char *); + (*argtable) [n].pchararg = va_arg (ap, char *); break; case TP_VOID: - (*argtable) [n] = (void *) &va_arg (ap, void *); + (*argtable) [n].pvoidarg = va_arg (ap, void *); break; } } -- Doug Rabson Mail: dfr@nlsystems.com Phone: +44 20 8348 6160 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Wed Sep 5 5:14:23 2001 Delivered-To: freebsd-audit@freebsd.org Received: from mailman.zeta.org.au (mailman.zeta.org.au [203.26.10.16]) by hub.freebsd.org (Postfix) with ESMTP id 22C5E37B40D; Wed, 5 Sep 2001 05:14:19 -0700 (PDT) Received: from bde.zeta.org.au (bde.zeta.org.au [203.2.228.102]) by mailman.zeta.org.au (8.9.3/8.8.7) with ESMTP id WAA01853; Wed, 5 Sep 2001 22:14:14 +1000 Date: Wed, 5 Sep 2001 22:13:47 +1000 (EST) 
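Review bot: the malloc() result in the `tablemax >= STATIC_ARG_TBL_SIZE` branch of `__find_arguments` (vfprintf patch above, hunk at -1112) is assigned to `*argtable` and written through on the very next statement, `(*argtable) [0].intarg = 0;`, with no NULL check. The old `void **` table had the same gap, but this patch rewrites exactly these lines, so check the allocation here and give the caller a way to fail instead of storing through a NULL pointer.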
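Review bot: `GETARG(type)` (vfprintf patch above, hunk at -382) still reads the slot through a cast, `*((type*)(&argtable[nextarg++]))`, so it relies on `type` at every call site agreeing with the union member that `__find_arguments` stored for that index, and nothing enforces that pairing. Reading the named member (`.intarg`, `.pchararg`, and so on) at the call sites would make the pairing explicit; failing that, add a comment on `union arg` saying that each T_* case and its `GETARG` type must be kept in step.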
From: Bruce Evans X-X-Sender: To: "Brian F. Feldman" Cc: Warner Losh , Mike Barcroft , David Hill , Subject: Re: users.c PATCH - please review In-Reply-To: <200109032120.f83LKoS53035@green.bikeshed.org> Message-ID: <20010905220327.C23159-100000@alphplex.bde.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Mon, 3 Sep 2001, Brian F. Feldman wrote: > Warner Losh wrote: > > In message <20010901125802.F85574@coffee.q9media.com> Mike Barcroft writes: > > : David Hill writes: > > : > I have patched users/users.c so that it will compile under WARNS?=2. I have both attached and cut/pasted it to the message. > > : > Please review it. > > : > > : > diff -ru /usr/src/usr.bin/users.orig/users.c /usr/src/usr.bin/users/users.c > > : > --- /usr/src/usr.bin/users.orig/users.c Fri Aug 27 21:07:14 1999 > > : > +++ /usr/src/usr.bin/users/users.c Fri Aug 31 15:58:20 2001 > > : 
> @@ -117,5 +117,8 @@ > > : > scmp(p, q) > > : > const void *p, *q; > > : > { > > : > - return(strncmp((char *)p, (char *)q, UT_NAMESIZE)); > > : > + const char *const pp1 = p; > > : > + const char *const pp2 = q; > > : > + > > : > + return(strncmp(pp1, pp2, UT_NAMESIZE)); > > : > } > > : > > : Why create new local variables? Just get rid of the bogus casts. > > > > Why not just > > return (strncmp((const char *)p, (const char *)q, UT_NAMESIZE)); > > > > Also, const char *const is wrong. No need for the second const. > > Technically, there's nothing wrong with declaring "a const pointer to a > const character", just casting to that would be very strange (and probably > illegal; not sure). In any case, I'm not sure I see the point of not just > using two (const char *) casts and not increasing the function size other > than adding a blank line and space for style(9). That should remove any > warning about casting away const qualification. Why not just get rid of the casts like Mike suggested? They have no effect in ISO C. Bruce To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Wed Sep 5 5:19:54 2001 Delivered-To: freebsd-audit@freebsd.org Received: from kawoserv.kawo2.rwth-aachen.de (kawoserv.kawo2.RWTH-Aachen.DE [134.130.180.1]) by hub.freebsd.org (Postfix) with ESMTP id 3BADA37B40D; Wed, 5 Sep 2001 05:19:49 -0700 (PDT) Received: from fump.kawo2.rwth-aachen.de (root@fump.kawo2.rwth-aachen.de [134.130.181.148]) by kawoserv.kawo2.rwth-aachen.de (8.9.3/8.9.3) with ESMTP id OAA12624; Wed, 5 Sep 2001 14:19:48 +0200 Received: (from alex@localhost) by fump.kawo2.rwth-aachen.de (8.11.3/8.11.3) id f85CJpn05692; Wed, 5 Sep 2001 14:19:51 +0200 (CEST) (envelope-from alex) Date: Wed, 5 Sep 2001 14:19:51 +0200 
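Review bot: in `scmp()` (users.c hunk quoted above) the new locals `pp1` and `pp2` exist only to carry the conversion from `const void *`, which C performs implicitly, so `return(strncmp(p, q, UT_NAMESIZE));` gives the same result with no casts and no extra variables. The definition is also still in old-style form (`scmp(p, q)` followed by `const void *p, *q;`); converting it to a prototype would fit a warnings cleanup.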
From: Alexander Langer To: Doug Rabson Cc: audit@FreeBSD.ORG, ia64@FreeBSD.ORG Subject: Re: Making printf work on ia64 Message-ID: <20010905141951.C5586@fump.kawo2.rwth-aachen.de> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from dfr@nlsystems.com on Wed, Sep 05, 2001 at 11:31:15AM +0100 X-PGP-Fingerprint: 44 28 CA 4C 46 5B D3 A8 A8 E3 BA F3 4E 60 7D 7F X-PGP-at: finger alex@big.endian.de X-Verwirrung: Dieser Header dient der allgemeinen Verwirrung. Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Thus spake Doug Rabson (dfr@nlsystems.com): > I have extensively tested this on ia64 and i386 and can't think of any > problems with it. Still, it would be nice to have a few other eyes look Performance differences? Alex To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Wed Sep 5 5:31: 4 2001 Delivered-To: freebsd-audit@freebsd.org Received: from tele-post-20.mail.demon.net (tele-post-20.mail.demon.net [194.217.242.20]) by hub.freebsd.org (Postfix) with ESMTP id B608237B405; Wed, 5 Sep 2001 05:30:59 -0700 (PDT) Received: from [62.49.251.130] (helo=herring.nlsystems.com) by tele-post-20.mail.demon.net with esmtp (Exim 2.12 #2) id 15ebpZ-000IfH-0K; Wed, 5 Sep 2001 12:30:57 +0000 Received: from herring (herring [10.0.0.2]) by herring.nlsystems.com (8.11.2/8.11.2) with ESMTP id f85CTec43977; Wed, 5 Sep 2001 13:29:40 +0100 (BST) (envelope-from dfr@nlsystems.com) Date: Wed, 5 Sep 2001 13:29:40 +0100 (BST) 
From: Doug Rabson To: Alexander Langer Cc: , Subject: Re: Making printf work on ia64 In-Reply-To: <20010905141951.C5586@fump.kawo2.rwth-aachen.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Wed, 5 Sep 2001, Alexander Langer wrote: > Thus spake Doug Rabson (dfr@nlsystems.com): > > > I have extensively tested this on ia64 and i386 and can't think of any > > problems with it. Still, it would be nice to have a few other eyes look > > Performance differences? I haven't tried to measure any. I doubt that it performs any differently from the existing implementation. It might even be very slightly faster since it reads the argument exactly once and avoids the double-indirection of the existing code. -- Doug Rabson Mail: dfr@nlsystems.com Phone: +44 20 8348 6160 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Wed Sep 5 8:32:16 2001 Delivered-To: freebsd-audit@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 247D537B406; Wed, 5 Sep 2001 08:31:43 -0700 (PDT) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f85FVd781473; Wed, 5 Sep 2001 18:31:39 +0300 (EEST) (envelope-from ru) Date: Wed, 5 Sep 2001 18:31:39 +0300 
From: Ruslan Ermilov To: Warner Losh , Bruce Evans , Kris Kennaway , Mark Murray Cc: audit@FreeBSD.org Subject: Re: wall -g is broken Message-ID: <20010905183139.W96906@sunbay.com> References: <20010903192449.B29616@sunbay.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010903192449.B29616@sunbay.com>; from ru@FreeBSD.org on Mon, Sep 03, 2001 at 07:24:49PM +0300 Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG This patch has been committed. On Mon, Sep 03, 2001 at 07:24:49PM +0300, Ruslan Ermilov wrote: > Hi! > > As the subject line says, ``wall -g'' appears to be broken. > > I feel somewhat confused, as the original list of reviewers > looks quite amazing: imp, bde, kris, markm, audit@. > > The use of the getgroups(3) function is unproven since: > > 1) Its first argument should specify the array size, and > is of type `int', not `gid_t'. > > 2) The code gives false matches and does not produce the > required matches. Instead of checking the membership > of each line's owner in the -g list of groups, the > code gives a match if at least one of the -g groups > matches those of the process's groups, as returned > by getgroups(). Thus, > > wall -g `id -gn` > > will match the entire ttys(5). > > The attached patch fixes this. 
-- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Wed Sep 5 8:44:15 2001 Delivered-To: freebsd-audit@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id C67F037B40B; Wed, 5 Sep 2001 08:44:02 -0700 (PDT) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f85Fhxs83604; Wed, 5 Sep 2001 18:43:59 +0300 (EEST) (envelope-from ru) Date: Wed, 5 Sep 2001 18:43:59 +0300 
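The selection bug described in the ``wall -g'' message above, as an added C example that is not part of the original message or of the committed patch. The account table, terminal lines, gids and all function names are constructed for illustration; the example contrasts matching the -g list against the sender's own groups with matching it against each line owner's groups.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define MAXG 4
#define NELEM(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Constructed sample data standing in for the passwd and group databases. */
struct account {
	const char *name;
	gid_t groups[MAXG];	/* primary gid first, then supplementary gids */
	int ngroups;
};

static const struct account accounts[] = {
	{ "alice", { 100, 5 }, 2 },	/* staff + operator */
	{ "bob",   { 100 },    1 },	/* staff only */
	{ "carol", { 200, 5 }, 2 },	/* dev + operator */
};

/* Constructed sample data standing in for the logged-in terminal lines. */
struct line {
	const char *tty;
	const char *owner;
};

static const struct line lines[] = {
	{ "ttyv0", "alice" }, { "ttyp0", "bob" },
	{ "ttyp1", "carol" }, { "ttyp2", "bob" },
};

static const struct account *
lookup(const char *name)
{
	for (int i = 0; i < NELEM(accounts); i++)
		if (strcmp(accounts[i].name, name) == 0)
			return (&accounts[i]);
	return (NULL);
}

/* Return 1 if any gid in want[] also appears in have[]. */
static int
sets_intersect(const gid_t *want, int nwant, const gid_t *have, int nhave)
{
	for (int i = 0; i < nwant; i++)
		for (int j = 0; j < nhave; j++)
			if (want[i] == have[j])
				return (1);
	return (0);
}

/*
 * Flawed selection: the -g list is compared with the groups of the
 * process running wall (here: the sender's account). The owner of the
 * line is never consulted, so every line gets the same answer.
 */
int
count_flawed(const char *sender, const gid_t *want, int nwant)
{
	const struct account *proc = lookup(sender);
	int n = 0;

	if (proc == NULL)
		return (0);
	for (int i = 0; i < NELEM(lines); i++)
		if (sets_intersect(want, nwant, proc->groups, proc->ngroups))
			n++;
	return (n);
}

/* Corrected selection: each line is judged by its owner's groups. */
int
count_fixed(const gid_t *want, int nwant)
{
	int n = 0;

	for (int i = 0; i < NELEM(lines); i++) {
		const struct account *owner = lookup(lines[i].owner);

		if (owner != NULL &&
		    sets_intersect(want, nwant, owner->groups, owner->ngroups))
			n++;
	}
	return (n);
}

int
main(void)
{
	gid_t want[] = { 5 };	/* constructed gid for "operator" */

	printf("flawed, sent by alice: %d lines\n", count_flawed("alice", want, 1));
	printf("flawed, sent by bob:   %d lines\n", count_flawed("bob", want, 1));
	printf("fixed:                 %d lines\n", count_fixed(want, 1));
	return (0);
}
```

A sender who is in the requested group reaches every line, and a sender who is not reaches none, which are the false matches and the missing matches the message describes.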
From: Ruslan Ermilov To: security@FreeBSD.org Cc: audit@FreeBSD.org Subject: Re: dropping ``setgid tty'' in dump(8) Message-ID: <20010905184359.X96906@sunbay.com> References: <20010903201909.C29616@sunbay.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010903201909.C29616@sunbay.com>; from ru@FreeBSD.org on Mon, Sep 03, 2001 at 08:19:09PM +0300 Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG This and that patches have been committed. On Mon, Sep 03, 2001 at 08:19:09PM +0300, Ruslan Ermilov wrote: > Hi! > > The attached patch replaces the ``wall -g'' functionality built > into dump(8) directly with the call to wall(1), thus making it > possible to drop the ``setgid tty'' privilege. > > The DIALUP check was weak, and was also removed. > > The patch is based on the OpenBSD's work. > > > I've posted another message to the -audit that makes ``wall -g'' > really work. > -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Thu Sep 6 1:15:17 2001 Delivered-To: freebsd-audit@freebsd.org Received: from mailman.zeta.org.au (mailman.zeta.org.au [203.26.10.16]) by hub.freebsd.org (Postfix) with ESMTP id E083137B408; Thu, 6 Sep 2001 01:15:12 -0700 (PDT) Received: from bde.zeta.org.au (bde.zeta.org.au [203.2.228.102]) by mailman.zeta.org.au (8.9.3/8.8.7) with ESMTP id SAA10883; Thu, 6 Sep 2001 18:14:47 +1000 Date: Thu, 6 Sep 2001 18:14:15 +1000 (EST) 
From: Bruce Evans X-X-Sender: To: Alexander Langer Cc: Doug Rabson , , Subject: Re: Making printf work on ia64 In-Reply-To: <20010905141951.C5586@fump.kawo2.rwth-aachen.de> Message-ID: <20010906181036.Y29648-100000@alphplex.bde.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Wed, 5 Sep 2001, Alexander Langer wrote: > Thus spake Doug Rabson (dfr@nlsystems.com): > > > I have extensively tested this on ia64 and i386 and can't think of any > > problems with it. Still, it would be nice to have a few other eyes look > > Performance differences? Presumably null, since the changes are only for the nonstandard %$ feature which no one uses. Bruce To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Thu Sep 6 3:24:23 2001 Delivered-To: freebsd-audit@freebsd.org Received: from ringworld.nanolink.com (discworld.nanolink.com [217.75.135.248]) by hub.freebsd.org (Postfix) with SMTP id 9476F37B403 for ; Thu, 6 Sep 2001 03:24:16 -0700 (PDT) Received: (qmail 7011 invoked by uid 1000); 6 Sep 2001 10:23:55 -0000 Date: Thu, 6 Sep 2001 13:23:55 +0300 
From: Peter Pentchev To: markm@FreeBSD.org Cc: re@FreeBSD.org, audit@FreeBSD.org Subject: Re: bin/30357: core dump in libpam.so when parsing config file Message-ID: <20010906132355.C1477@ringworld.oblivion.bg> Mail-Followup-To: markm@FreeBSD.org, re@FreeBSD.org, audit@FreeBSD.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Hi, I can reproduce the problem, and the (trivial-looking) patch really fixes it. Would there be much harm in taking pam_misc.c off the vendor branch and fixing (*and* MFC'ing) this before 4.4 goes out? A PAM-related coredump does look kind of important to me.. G'luck, Peter -- This sentence every third, but it still comprehensible. ----- Forwarded message from Edward Counce ----- Date: Wed, 5 Sep 2001 14:33:43 -0700 (PDT) 
From: Edward Counce To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-1.0 Subject: bin/30357: core dump in libpam.so when parsing config file List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: >Number: 30357 >Category: bin >Synopsis: core dump in libpam.so when parsing config file >Confidential: no >Severity: serious >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Sep 05 14:40:02 PDT 2001 >Closed-Date: >Last-Modified: >Originator: Edward Counce >Release: 4.3-RELEASE >Organization: Celion Networks, Inc. >Environment: FreeBSD ecounce 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Sat Apr 21 10:54:49 GMT 2001 jkh@narf.osd.bsdi.com:/usr/src/sys/compile/GENERIC i386 >Description: While parsing the configuration file, numeric (jump) actions in the newer control flag syntax may cause a core dump. >How-To-Repeat: add to /etc/pam.conf: sshd auth [success=1 default=ignore] pam_tacplus.so >Fix: Index: pam_misc.c =================================================================== RCS file: /home/ncvs/src/contrib/libpam/libpam/pam_misc.c,v retrieving revision 1.1.1.1 diff -u -r1.1.1.1 pam_misc.c --- pam_misc.c 18 Nov 1998 01:16:19 -0000 1.1.1.1 +++ pam_misc.c 5 Sep 2001 21:16:36 -0000 
@@ -278,7 +278,7 @@ } /* observe action type */ - for (act=0; act<=-_PAM_ACTION_UNDEF; ++act) { + for (act=0; act<-_PAM_ACTION_UNDEF; ++act) { len = strlen(_pam_token_actions[act]); if (!strncmp(_pam_token_actions[act], tok, len)) { act *= -1; >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message ----- End forwarded message ----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Thu Sep 6 4:57:57 2001 Delivered-To: freebsd-audit@freebsd.org Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id C880D37B403 for ; Thu, 6 Sep 2001 04:57:50 -0700 (PDT) Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.33 #1) id 15exor-000G1W-00 for audit@FreeBSD.org; Thu, 06 Sep 2001 13:59:41 +0200 
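Review bot: the loop bound on `act` (pam_misc.c hunk at -278) is still derived from `-_PAM_ACTION_UNDEF` rather than from the size of `_pam_token_actions`, and each iteration hands `_pam_token_actions[act]` to `strlen()`, so the read stays in bounds only while the table has exactly `-_PAM_ACTION_UNDEF` entries. The table is not visible in the hunk; either confirm that count and note it next to the table, or bound the loop by the array's element count so the constant and the table cannot drift apart again.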
From: Sheldon Hearn To: audit@FreeBSD.org Subject: mixing -l and -p in split(1) Date: Thu, 06 Sep 2001 13:59:41 +0200 Message-ID: <61597.999777581@axl.seasidesoftware.co.za> Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Hi folks, I recently ran into a problem that would have been solved perfectly by split(1) if said utility allowed the -l and -p options to be used in conjunction. The specific problem was the need to split a 4GB SMTP transcript into 4 files of approximately 1GB in size, to be passed as input into SMTP socket connections. The following patch allows -l and -p to be used together to mean Split the input into chunks of no fewer than line_count lines per chunk, but ensure that each chunk begins with a line that matches pattern. If pattern does not appear regularly in the input, chunks may be considerably larger than line_count lines. Obviously, it's pretty easy to shot yourself up the ass with this one, but if you know what you're doing, it's invaluable. Ciao, Sheldon. Index: split.c =================================================================== RCS file: /home/ncvs/src/usr.bin/split/split.c,v retrieving revision 1.7 diff -u -d -r1.7 split.c --- split.c 19 Nov 2000 01:44:20 -0000 1.7 +++ split.c 6 Sep 2001 11:18:02 -0000 @@ -147,7 +147,7 @@ if (*argv != NULL) usage(); - if (pflag && (numlines != 0 || bytecnt != 0)) + if (pflag && bytecnt != 0) usage(); if (numlines == 0) 
@@ -238,14 +238,17 @@ goto writeit; /* Check if we need to start a new file */ - if (pflag) { + lcnt++; + if (pflag && lcnt >= numlines) { regmatch_t pmatch; pmatch.rm_so = 0; pmatch.rm_eo = len - 1; - if (regexec(&rgx, bfr, 0, &pmatch, REG_STARTEND) == 0) + if (regexec(&rgx, bfr, 0, &pmatch, REG_STARTEND) == 0) { newfile(); - } else if (lcnt++ == numlines) { + lcnt = 1; + } + } else if (!pflag && lcnt == numlines) { newfile(); lcnt = 1; } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Thu Sep 6 5:17: 9 2001 Delivered-To: freebsd-audit@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 5D54D37B407; Thu, 6 Sep 2001 05:16:44 -0700 (PDT) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f86CGCY23044; Thu, 6 Sep 2001 15:16:12 +0300 (EEST) (envelope-from ru) Date: Thu, 6 Sep 2001 15:16:12 +0300 
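Review bot: with the `numlines != 0` test dropped from the `pflag` usage check (split.c patch above, hunk at -147), the trailing context line `if (numlines == 0)` matters. If that branch assigns a default line count, then `-p` given alone runs with a non-zero `numlines`, and the new `pflag && lcnt >= numlines` test in the later hunk stops it from starting a file on every match as it did before. Confirm that `-p` without `-l` keeps its old behaviour, and update the usage text and split(1) to describe the combined form.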
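Review bot: moving `lcnt++` ahead of the test (split.c patch above, hunk at -238) changes the plain `-l` path from `lcnt++ == numlines` to an increment followed by `lcnt == numlines`, so the comparison sees a value one higher than before for the same input line. Since both paths reset with `lcnt = 1` after `newfile()`, the next file now starts after numlines - 1 lines instead of numlines. Keep the old comparison for the `!pflag` branch, or compare against `numlines + 1`, and check that `split -l N` still produces files of exactly N lines.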
From: Ruslan Ermilov To: Peter Pentchev Cc: markm@FreeBSD.org, re@FreeBSD.org, audit@FreeBSD.org Subject: Re: bin/30357: core dump in libpam.so when parsing config file Message-ID: <20010906151612.C18362@sunbay.com> References: <20010906132355.C1477@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010906132355.C1477@ringworld.oblivion.bg>; from roam@ringlet.net on Thu, Sep 06, 2001 at 01:23:55PM +0300 Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Thu, Sep 06, 2001 at 01:23:55PM +0300, Peter Pentchev wrote: > Hi, > > I can reproduce the problem, and the (trivial-looking) patch really > fixes it. Would there be much harm in taking pam_misc.c off the vendor > branch and fixing (*and* MFC'ing) this before 4.4 goes out? > A PAM-related coredump does look kind of important to me.. > RELENG_4 is already off the vendor branch. :-) CVSROOT/ scripts have a feature of not requiring the $FreeBSD$ thing for RELENG_* branches if the HEAD is on the vendor branch. That is, if urgent, the bug can be fixed on RELENG_4 branch, then patch can be submitted to vendor, then the next vendor import (or commit to vendor branch) will align this with RELENG_4. 
Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Thu Sep 6 10:17:11 2001 Delivered-To: freebsd-audit@freebsd.org Received: from arb.arb.za.net (arb.arb.za.net [196.7.148.4]) by hub.freebsd.org (Postfix) with ESMTP id 07E0E37B405; Thu, 6 Sep 2001 10:16:54 -0700 (PDT) Received: (from uucp@localhost) by arb.arb.za.net (8.11.3/8.11.3) with UUCP id f86HGcI78384; Thu, 6 Sep 2001 19:16:38 +0200 (SAST) (envelope-from mark@grondar.za) Received: from grondar.za (localhost [127.0.0.1]) by grimreaper.grondar.za (8.11.6/8.11.4) with ESMTP id f86FsS204571; Thu, 6 Sep 2001 16:54:28 +0100 (BST) (envelope-from mark@grondar.za) Message-Id: <200109061554.f86FsS204571@grimreaper.grondar.za> To: Peter Pentchev Cc: markm@FreeBSD.org, re@FreeBSD.org, audit@FreeBSD.org Subject: Re: bin/30357: core dump in libpam.so when parsing config file References: <20010906132355.C1477@ringworld.oblivion.bg> In-Reply-To: <20010906132355.C1477@ringworld.oblivion.bg> ; from Peter Pentchev "Thu, 06 Sep 2001 13:23:55 +0300." Date: Thu, 06 Sep 2001 16:54:28 +0100 
From: Mark Murray Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Already fixed in the (later) CURRENT sources. Please feel free to MFC this if the RE folks agree. (Not the whole file, just this patch. NOTE - it's in a different place). M > Hi, > > I can reproduce the problem, and the (trivial-looking) patch really > fixes it. Would there be much harm in taking pam_misc.c off the vendor > branch and fixing (*and* MFC'ing) this before 4.4 goes out? > A PAM-related coredump does look kind of important to me.. > > G'luck, > Peter > > -- > This sentence every third, but it still comprehensible. > > ----- Forwarded message from Edward Counce ----- > > Date: Wed, 5 Sep 2001 14:33:43 -0700 (PDT) 
> From: Edward Counce > To: freebsd-gnats-submit@FreeBSD.org > X-Send-Pr-Version: www-1.0 > Subject: bin/30357: core dump in libpam.so when parsing config file > List-ID: > List-Archive: (Web Archive) > List-Help: (List Instructions) > List-Subscribe: > List-Unsubscribe: > > > >Number: 30357 > >Category: bin > >Synopsis: core dump in libpam.so when parsing config file > >Confidential: no > >Severity: serious > >Priority: low > >Responsible: freebsd-bugs > >State: open > >Quarter: > >Keywords: > >Date-Required: > >Class: sw-bug > >Submitter-Id: current-users > >Arrival-Date: Wed Sep 05 14:40:02 PDT 2001 > >Closed-Date: > >Last-Modified: > >Originator: Edward Counce > >Release: 4.3-RELEASE > >Organization: > Celion Networks, Inc. > >Environment: > FreeBSD ecounce 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Sat Apr 21 10:54:49 GMT 2001 jkh@narf.osd.bsdi.com:/usr/src/sys/compile/GENERIC i386 > >Description: > While parsing the configuration file, numeric (jump) actions in the newer control flag syntax may cause a core dump. > > >How-To-Repeat: > add to /etc/pam.conf: > > sshd auth [success=1 default=ignore] pam_tacplus.so > > >Fix: > Index: pam_misc.c > =================================================================== > RCS file: /home/ncvs/src/contrib/libpam/libpam/pam_misc.c,v > retrieving revision 1.1.1.1 > diff -u -r1.1.1.1 pam_misc.c > --- pam_misc.c 18 Nov 1998 01:16:19 -0000 1.1.1.1 > +++ pam_misc.c 5 Sep 2001 21:16:36 -0000 
> @@ -278,7 +278,7 @@ > } > > /* observe action type */ > - for (act=0; act<=-_PAM_ACTION_UNDEF; ++act) { > + for (act=0; act<-_PAM_ACTION_UNDEF; ++act) { > len = strlen(_pam_token_actions[act]); > if (!strncmp(_pam_token_actions[act], tok, len)) { > act *= -1; > >Release-Note: > >Audit-Trail: > >Unformatted: > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-bugs" in the body of the message > > > ----- End forwarded message ----- -- Mark Murray Warning: this .sig is umop ap!sdn To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Thu Sep 6 10:51:39 2001 Delivered-To: freebsd-audit@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 1FA3837B405 for ; Thu, 6 Sep 2001 10:51:31 -0700 (PDT) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f86Hp8c72534; Thu, 6 Sep 2001 20:51:08 +0300 (EEST) (envelope-from ru) Date: Thu, 6 Sep 2001 20:51:08 +0300 
From: Ruslan Ermilov To: Sheldon Hearn Cc: audit@FreeBSD.ORG Subject: Re: mixing -l and -p in split(1) Message-ID: <20010906205108.A72023@sunbay.com> References: <61597.999777581@axl.seasidesoftware.co.za> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <61597.999777581@axl.seasidesoftware.co.za>; from sheldonh@starjuice.net on Thu, Sep 06, 2001 at 01:59:41PM +0200 Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Thu, Sep 06, 2001 at 01:59:41PM +0200, Sheldon Hearn wrote: > > Hi folks, > > I recently ran into a problem that would have been solved perfectly by > split(1) if said utility allowed the -l and -p options to be used in > conjunction. > > The specific problem was the need to split a 4GB SMTP transcript into > 4 files of approximately 1GB in size, to be passed as input into SMTP > socket connections. > Hmm, can't this be done by running -p first and then -l on the chunks? Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Thu Sep 6 11: 2:53 2001 Delivered-To: freebsd-audit@freebsd.org Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 6187937B403; Thu, 6 Sep 2001 11:02:49 -0700 (PDT) Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.33 #1) id 15f3W4-000IOV-00; Thu, 06 Sep 2001 20:04:40 +0200 
From: Sheldon Hearn To: Ruslan Ermilov Cc: audit@FreeBSD.ORG Subject: Re: mixing -l and -p in split(1) In-reply-to: Your message of "Thu, 06 Sep 2001 20:51:08 +0300." <20010906205108.A72023@sunbay.com> Date: Thu, 06 Sep 2001 20:04:40 +0200 Message-ID: <70710.999799480@axl.seasidesoftware.co.za> Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Thu, 06 Sep 2001 20:51:08 +0300, Ruslan Ermilov wrote: > > The specific problem was the need to split a 4GB SMTP transcript into > > 4 files of approximately 1GB in size, to be passed as input into SMTP > > socket connections. > > > Hmm, can't this be done by running -p first and then -l on the chunks? I don't think so, no. The point is that the input is a dialogue, made up of regular "paragraphs", e.g. HELO localhost MAIL FROM:foo@bar.com RCPT TO:baz@bat.com DATA [...] . NOOP HELO localhost [...] This _can_ be done with a perl script, of course, but... While I'm not a fan of feature-creep, I don't understand the need to impose this artificial limitation on the functionality available. The patch feels like it "unlocks" something. If it's just a safety catch, I say we document the danger involved (getting larger chunks than anticipated) and allow it. Ciao, Sheldon. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Thu Sep 6 20: 1: 9 2001 Delivered-To: freebsd-audit@freebsd.org Received: from lennier.cc.vt.edu (lennier.cc.vt.edu [198.82.162.213]) by hub.freebsd.org (Postfix) with ESMTP id 87F6E37B406 for ; Thu, 6 Sep 2001 20:00:55 -0700 (PDT) Received: from zidane.cc.vt.edu (IDENT:mirapoint@zidane.cc.vt.edu [198.82.161.184]) by lennier.cc.vt.edu (8.11.4/8.11.4) with ESMTP id f8730sw35108 for ; Thu, 6 Sep 2001 23:00:54 -0400 (EDT) Received: from mail.vt.edu (gkar.cc.vt.edu [198.82.161.190]) by zidane.cc.vt.edu (Mirapoint) with ESMTP id ACF57112; Thu, 6 Sep 2001 23:00:41 -0400 (EDT) Received: from enterprise.muriel.penguinpowered.com ([198.82.100.125]) by gkar.cc.vt.edu (Sun Internet Mail Server sims.3.5.2001.05.04.11.50.p10) with ESMTP id <0GJ90080ONUQQQ@gkar.cc.vt.edu> for FreeBSD-audit@freebsd.org; Thu, 6 Sep 2001 20:25:38 -0400 (EDT) Date: Thu, 06 Sep 2001 20:23:21 -0400 (EDT) 
From: Mike Heffner Subject: ftpd proctitle reporting To: FreeBSD-audit Message-id: MIME-version: 1.0 X-Mailer: XFMail 1.5.0 on FreeBSD Content-type: multipart/signed; boundary="_=XFMail.1.5.0.FreeBSD:20010906202321:8001=_"; micalg=pgp-md5; protocol="application/pgp-signature" X-Priority: 3 (Normal) Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG This message is in MIME format --_=XFMail.1.5.0.FreeBSD:20010906202321:8001=_ Content-Type: text/plain; charset=us-ascii Anyone see anything wrong with the following patch? It's something I found while looking over the lukemftpd sources but appears to be in the base sources anyways. The field width doesn't appear to be doing much more than what using snprintf() achieves. It's also incorrect for the VIRTUAL_HOSTING case, so I've decided just to axe it. Index: ftpd.c =================================================================== RCS file: /home/ncvs/src/libexec/ftpd/ftpd.c,v retrieving revision 1.82 diff -u -r1.82 ftpd.c --- ftpd.c 2001/09/02 17:24:19 1.82 +++ ftpd.c 2001/09/07 00:19:01 
@@ -1397,15 +1397,12 @@ #ifdef VIRTUAL_HOSTING if (thishost != firsthost) snprintf(proctitle, sizeof(proctitle), - "%s: anonymous(%s)/%.*s", remotehost, hostname, - (int)(sizeof(proctitle) - sizeof(remotehost) - - sizeof(": anonymous/")), passwd); + "%s: anonymous(%s)/%s", remotehost, hostname, + passwd); else #endif snprintf(proctitle, sizeof(proctitle), - "%s: anonymous/%.*s", remotehost, - (int)(sizeof(proctitle) - sizeof(remotehost) - - sizeof(": anonymous/")), passwd); + "%s: anonymous/%s", remotehost, passwd); setproctitle("%s", proctitle); #endif /* SETPROCTITLE */ if (logging) Mike -- Mike Heffner Blacksburg, VA --_=XFMail.1.5.0.FreeBSD:20010906202321:8001=_ Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7mBN4FokZQs3sv5kRAhL0AJ9+Qd0lM6ctxlXLLKaILVm79Yg5UQCgjBfD 1ySzQVOGrIpOXUSGghPBf+s= =0axa -----END PGP SIGNATURE----- --_=XFMail.1.5.0.FreeBSD:20010906202321:8001=_-- End of MIME message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message From owner-freebsd-audit Sat Sep 8 17:43:19 2001 Delivered-To: freebsd-audit@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-54.dsl.lsan03.pacbell.net [63.207.60.54]) by hub.freebsd.org (Postfix) with ESMTP id E2BEB37B406; Sat, 8 Sep 2001 17:43:04 -0700 (PDT) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 7200C66D0A; Sat, 8 Sep 2001 17:43:04 -0700 (PDT) Date: Sat, 8 Sep 2001 17:43:04 -0700 
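Review bot: in both `snprintf()` calls (ftpd.c patch above, hunk at -1397) the removed precision was computed from `sizeof(remotehost)`, the size of the buffer rather than the length of the string, and in the VIRTUAL_HOSTING branch it left the `(%s)` hostname out of the budget, so dropping it is right; say so in the commit message so the reason is on record. With the precision gone a long `passwd` is cut off wherever `sizeof(proctitle)` runs out, which is safe because `snprintf()` bounds the write and the title is passed on as `setproctitle("%s", proctitle)`; if a truncated title ever matters, compare the `snprintf()` return value with `sizeof(proctitle)`.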
From: Kris Kennaway To: Kris Kennaway Cc: Matt Dillon , Jordan Hubbard , security@FreeBSD.ORG, audit@FreeBSD.org Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems. Message-ID: <20010908174304.A88816@xor.obsecurity.org> References: <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12> <200109082103.f88L3fK29117@earth.backplane.com> <20010908154617.A73143@xor.obsecurity.org> <20010908170257.A82082@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010908170257.A82082@xor.obsecurity.org>; from kris@obsecurity.org on Sat, Sep 08, 2001 at 05:02:57PM -0700 Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Sat, Sep 08, 2001 at 05:02:57PM -0700, Kris Kennaway wrote: > Looks like setting the schg flag is the only feasible containment > solution for now. Here's a proposed fix. It just disallows anyone other than root from specifying an alternate configuration file, for the setuid utilities (which was the cause of the vulnerability here, AFAIK). Kris Index: uucico/uucico.c =================================================================== RCS file: /mnt/ncvs/src/gnu/libexec/uucp/uucico/uucico.c,v retrieving revision 1.9 diff -u -b -r1.9 uucico.c --- uucico/uucico.c 1999/08/27 23:33:51 1.9 +++ uucico/uucico.c 2001/09/09 00:32:03 
@@ -376,6 +376,11 @@ case 'I': /* Set configuration file name (default is in sysdep.h). */ + if (getuid() != 0) + { + fprintf (stderr, "%s: config file can only be specified by root\n", zProgram); + exit (EXIT_FAILURE); + } if (fsysdep_other_config (optarg)) zconfig = optarg; break; Index: uucp/uucp.c =================================================================== RCS file: /mnt/ncvs/src/gnu/libexec/uucp/uucp/uucp.c,v retrieving revision 1.7 diff -u -b -r1.7 uucp.c --- uucp/uucp.c 1999/08/27 23:33:56 1.7 +++ uucp/uucp.c 2001/09/09 00:32:01 @@ -198,6 +198,11 @@ case 'I': /* Name configuration file. */ + if (getuid() != 0) + { + fprintf (stderr, "%s: config file can only be specified by root\n", zProgram); + exit (EXIT_FAILURE); + } if (fsysdep_other_config (optarg)) zconfig = optarg; break; Index: uuname/uuname.c =================================================================== RCS file: /mnt/ncvs/src/gnu/libexec/uucp/uuname/uuname.c,v retrieving revision 1.6 diff -u -b -r1.6 uuname.c --- uuname/uuname.c 1999/08/27 23:33:59 1.6 +++ uuname/uuname.c 2001/09/09 00:27:52 @@ -86,6 +86,11 @@ case 'I': /* Configuration file name. */ + if (getuid() != 0) + { + fprintf (stderr, "%s: config file can only be specified by root\n", zProgram); + exit (EXIT_FAILURE); + } if (fsysdep_other_config (optarg)) zconfig = optarg; break; Index: uustat/uustat.c =================================================================== RCS file: /mnt/ncvs/src/gnu/libexec/uucp/uustat/uustat.c,v retrieving revision 1.7 diff -u -b -r1.7 uustat.c --- uustat/uustat.c 1999/08/27 23:34:03 1.7 +++ uustat/uustat.c 2001/09/09 00:34:26 
@@ -279,6 +279,11 @@ case 'I': /* Set configuration file name. */ + if (getuid() != 0) + { + fprintf (stderr, "%s: config file can only be specified by root\n", zProgram); + exit (EXIT_FAILURE); + } if (fsysdep_other_config (optarg)) zconfig = optarg; break; Index: uux/uux.c =================================================================== RCS file: /mnt/ncvs/src/gnu/libexec/uucp/uux/uux.c,v retrieving revision 1.11 diff -u -b -r1.11 uux.c --- uux/uux.c 1999/08/27 23:34:06 1.11 +++ uux/uux.c 2001/09/09 00:25:35 @@ -235,6 +235,11 @@ case 'I': /* Configuration file name. */ + if (getuid() != 0) + { + fprintf (stderr, "%s: config file can only be specified by root\n", zProgram); + exit (EXIT_FAILURE); + } if (fsysdep_other_config (optarg)) zconfig = optarg; break;

From owner-freebsd-audit Sat Sep 8 17:44:45 2001
Date: Sat, 8 Sep 2001 20:47:29 -0400
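
Review bot: In the uucico/uucico.c hunk the new test is on the real uid (`getuid() != 0`) and exits before `fsysdep_other_config (optarg)` is ever reached, yet the comment above it still reads only "Set configuration file name (default is in sysdep.h)". Please extend the comment to say why the existing `fsysdep_other_config` hook is not relied on here, and name the option in the error text (for example "-I: config file can only be specified by root") so a user whose invocation now fails can tell which argument was rejected.
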
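
Review bot: The same five-line `getuid() != 0` block is pasted into the 'I' case of uucp/uucp.c, uuname/uuname.c, uustat/uustat.c and uux/uux.c as well as uucico/uucico.c. A single helper called from each 'I' case would keep the policy and the message in one place, so that a later change (such as relaxing the check once privilege revocation is fixed) cannot miss one of the five programs. The patch touches only the .c files; the changed behaviour of the 'I' option also needs a manual page update.
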
From: Mike Barcroft
To: David Hill
Cc: audit@FreeBSD.ORG
Subject: Re: users.c PATCH - please review
Message-ID: <20010908204729.A15754@coffee.q9media.com>
Organization: The FreeBSD Project

Mike Barcroft writes:
> David Hill writes:
> > I have patched users/users.c so that it will compile under WARNS?=2. I have both attached and cut/pasted it to the message.
> > Please review it.
> >
> > diff -ru /usr/src/usr.bin/users.orig/users.c /usr/src/usr.bin/users/users.c > > --- /usr/src/usr.bin/users.orig/users.c Fri Aug 27 21:07:14 1999 > > +++ /usr/src/usr.bin/users/users.c Fri Aug 31 15:58:20 2001 
> > @@ -117,5 +117,8 @@ > > scmp(p, q) > > const void *p, *q; > > { > > - return(strncmp((char *)p, (char *)q, UT_NAMESIZE)); > > + const char *const pp1 = p; > > + const char *const pp2 = q; > > + > > + return(strncmp(pp1, pp2, UT_NAMESIZE)); > > }
>
> Why create new local variables? Just get rid of the bogus casts.

Committed (with casts removed instead of the new variables), thanks!

Best regards,
Mike Barcroft

From owner-freebsd-audit Sat Sep 8 17:52:55 2001
Date: Sun, 9 Sep 2001 04:52:27 +0400
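
Review bot: The context lines of the `@@ -117,5 +117,8 @@` hunk show that `scmp` is still a K&R-style definition (`scmp(p, q)` followed by `const void *p, *q;`); since the goal is a clean WARNS=2 build, convert it to a prototype-style definition in the same change. The two added `const char *const` locals are not needed either: `const void *` converts to `const char *` implicitly, so `strncmp(p, q, UT_NAMESIZE)` compiles without casts or temporaries.
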
From: "Andrey A. Chernov"
To: Kris Kennaway
Cc: Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010909045226.A33654@nagual.pp.ru>

On Sat, Sep 08, 2001 at 17:43:04 -0700, Kris Kennaway wrote:
> On Sat, Sep 08, 2001 at 05:02:57PM -0700, Kris Kennaway wrote:
>
> > Looks like setting the schg flag is the only feasible containment
> > solution for now.
>
> Here's a proposed fix. It just disallows anyone other than root from
> specifying an alternate configuration file, for the setuid utilities
> (which was the cause of the vulnerability here, AFAIK).

What are you trying to fix this way? It breaks normal users dialing to their systems; they always specify their own files. Consider uu* as user-level utilities. The only point of restriction is to restrict their access to dialing devices, not to utilities.

--
Andrey A.
Chernov http://ache.pp.ru/

From owner-freebsd-audit Sat Sep 8 18: 8:58 2001
Date: Sat, 8 Sep 2001 18:08:48 -0700
From: Kris Kennaway
To: "Andrey A. Chernov"
Cc: Kris Kennaway, Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010908180848.A94567@xor.obsecurity.org>

On Sun, Sep 09, 2001 at 04:52:27AM +0400, Andrey A. Chernov wrote:
> On Sat, Sep 08, 2001 at 17:43:04 -0700, Kris Kennaway wrote:
> > On Sat, Sep 08, 2001 at 05:02:57PM -0700, Kris Kennaway wrote:
> >
> > > Looks like setting the schg flag is the only feasible containment
> > > solution for now.
> >
> > Here's a proposed fix. It just disallows anyone other than root from
> > specifying an alternate configuration file, for the setuid utilities
> > (which was the cause of the vulnerability here, AFAIK).
>
> What are you trying to fix this way? It breaks normal users dialing to their
> systems; they always specify their own files. Consider uu* as user-level
> utilities. The only point of restriction is to restrict their access to
> dialing devices, not to utilities.
The vulnerability involves uucp being made to run arbitrary commands as the uucp user through specifying a custom configuration file - see bugtraq. There may be other problems resulting from user-specified configuration files. I don't have time to go through the code and fix up the revocation of privileges right now..in the meantime, this prevents the root exploit where a user replaces a uucp-owned binary like uustat, which is called daily by /etc/periodic.

Kris

From owner-freebsd-audit Sat Sep 8 18:21:46 2001
Message-Id: <200109090120.f891KvM14677@xerxes.courtesan.com>
To: Kris Kennaway
Cc: "Andrey A. Chernov", Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Date: Sat, 08 Sep 2001 19:20:56 -0600
From: "Todd C. Miller"

In message <20010908180848.A94567@xor.obsecurity.org>
so spake Kris Kennaway (kris):

> The vulnerability involves uucp being made to run arbitrary commands
> as the uucp user through specifying a custom configuration file - see
> bugtraq. There may be other problems resulting from user-specified
> configuration files. I don't have time to go through the code and fix
> up the revocation of privileges right now..in the meantime, this
> prevents the root exploit where a user replaces a uucp-owned binary
> like uustat, which is called daily by /etc/periodic.

Is there really any reason to run uustat as root? Why not just run it as user uucp via su? For that matter, running non-root owned executables from daily seems like a really bad idea.

- todd

From owner-freebsd-audit Sat Sep 8 18:46:45 2001
Date: Sun, 9 Sep 2001 05:44:58 +0400
From: "Andrey A. Chernov"
To: "Todd C. Miller"
Cc: Kris Kennaway, Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010909054457.A34319@nagual.pp.ru>

On Sat, Sep 08, 2001 at 19:20:56 -0600, Todd C. Miller wrote:
> In message <20010908180848.A94567@xor.obsecurity.org>
> so spake Kris Kennaway (kris):
>
> > The vulnerability involves uucp being made to run arbitrary commands
> > as the uucp user through specifying a custom configuration file - see
> > bugtraq. There may be other problems resulting from user-specified
> > configuration files. I don't have time to go through the code and fix
> > up the revocation of privileges right now..in the meantime, this
> > prevents the root exploit where a user replaces a uucp-owned binary
> > like uustat, which is called daily by /etc/periodic.
>
> Is there really any reason to run uustat as root? Why not just run
> it as user uucp via su? For that matter, running non-root owned
> executables from daily seems like a really bad idea.

I agree.
There is no need to deal with privilege revocation at all if the "uucp" user itself is well restricted; just protect system "uucp"-owned binaries from overwriting by the "uucp" user using the schg flag.

--
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-audit Sat Sep 8 18:53:45 2001
Message-Id: <200109090153.f891r4p01038@xerxes.courtesan.com>
To: Kris Kennaway
Cc: "Andrey A. Chernov", Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Date: Sat, 08 Sep 2001 19:53:03 -0600
From: "Todd C. Miller"

In message <20010908180848.A94567@xor.obsecurity.org>
so spake Kris Kennaway (kris):

> The vulnerability involves uucp being made to run arbitrary commands
> as the uucp user through specifying a custom configuration file - see
> bugtraq. There may be other problems resulting from user-specified
> configuration files. I don't have time to go through the code and fix
> up the revocation of privileges right now..in the meantime, this
> prevents the root exploit where a user replaces a uucp-owned binary
> like uustat, which is called daily by /etc/periodic.

It's not clear how you would fix revocation of privileges on this since, correct me if I'm wrong, when uucp is run via uux both real and effective uids are set to uucp. As such it is not immediately obvious to me how to really make uucp safe while still allowing user configs but I'm not a UUCP guy :-)

- todd

From owner-freebsd-audit Sat Sep 8 18:54:26 2001
Date: Sat, 8 Sep 2001 18:54:15 -0700
From: Kris Kennaway
To: "Todd C. Miller"
Cc: Kris Kennaway, "Andrey A. Chernov", Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010908185415.A5619@xor.obsecurity.org>

On Sat, Sep 08, 2001 at 07:20:56PM -0600, Todd C. Miller wrote:
> In message <20010908180848.A94567@xor.obsecurity.org>
> so spake Kris Kennaway (kris):
>
> > The vulnerability involves uucp being made to run arbitrary commands
> > as the uucp user through specifying a custom configuration file - see
> > bugtraq. There may be other problems resulting from user-specified
> > configuration files. I don't have time to go through the code and fix
> > up the revocation of privileges right now..in the meantime, this
> > prevents the root exploit where a user replaces a uucp-owned binary
> > like uustat, which is called daily by /etc/periodic.
>
> Is there really any reason to run uustat as root? 
Why not just run
> it as user uucp via su? For that matter, running non-root owned
> executables from daily seems like a really bad idea.

Yeah, that's probably a good change to make. However the uucp vulnerability still lets e.g. arbitrary users read/modify uucp spool data, create files, access the uucp:dialer devices, etc.

Kris

From owner-freebsd-audit Sat Sep 8 18:56: 9 2001
Date: Sat, 8 Sep 2001 18:56:02 -0700
From: Kris Kennaway
To: "Andrey A. Chernov"
Cc: "Todd C. Miller", Kris Kennaway, Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010908185602.B5619@xor.obsecurity.org>

On Sun, Sep 09, 2001 at 05:44:58AM +0400, Andrey A. Chernov wrote:
> On Sat, Sep 08, 2001 at 19:20:56 -0600, Todd C. Miller wrote:
> > In message <20010908180848.A94567@xor.obsecurity.org>
> > so spake Kris Kennaway (kris):
> >
> > > The vulnerability involves uucp being made to run arbitrary commands
> > > as the uucp user through specifying a custom configuration file - see
> > > bugtraq. There may be other problems resulting from user-specified
> > > configuration files. 
I don't have time to go through the code and fix
> > > up the revocation of privileges right now..in the meantime, this
> > > prevents the root exploit where a user replaces a uucp-owned binary
> > > like uustat, which is called daily by /etc/periodic.
> >
> > Is there really any reason to run uustat as root? Why not just run
> > it as user uucp via su? For that matter, running non-root owned
> > executables from daily seems like a really bad idea.
>
> I agree. There is no need to deal with privilege revocation at all if
> the "uucp" user itself is well restricted; just protect system "uucp"-owned
> binaries from overwriting by the "uucp" user using the schg flag.

That doesn't protect NFS-mounted systems, and doesn't prevent arbitrary users from reading/modifying the UUCP spool files.

Kris

From owner-freebsd-audit Sat Sep 8 19: 0:35 2001
Date: Sun, 9 Sep 2001 05:59:03 +0400
From: "Andrey A. Chernov"
To: Kris Kennaway
Cc: "Todd C. Miller", Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010909055903.A34519@nagual.pp.ru>

On Sat, Sep 08, 2001 at 18:54:15 -0700, Kris Kennaway wrote:
>
> Yeah, that's probably a good change to make. However the uucp
> vulnerability still lets e.g. arbitrary users read/modify uucp spool
> data, create files, access the uucp:dialer devices, etc.

All you mention is historical old-days uucp subsystem bad 'features'; it is not foolproof and requires ethical behaviour of its users. To eliminate these things the main uucp developers must be contacted, because these things are hardly integrated in normal usage flow and can't be detached easily.

I.e. it is not a FreeBSD security problem but a uucp problem (as designed). All we need is to protect uucp binaries from modifications (via schg).

--
Andrey A.
Chernov http://ache.pp.ru/

From owner-freebsd-audit Sat Sep 8 19: 3:15 2001
Date: Sun, 9 Sep 2001 06:01:44 +0400
From: "Andrey A. Chernov"
To: Kris Kennaway
Cc: "Todd C. Miller", Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010909060144.B34519@nagual.pp.ru>

On Sat, Sep 08, 2001 at 18:56:02 -0700, Kris Kennaway wrote:
>
> That doesn't protect NFS-mounted systems, and doesn't prevent

Don't have ideas about NFS. Does schg not work there?

> arbitrary users from reading/modifying the UUCP spool files.

It is bad design of UUCP; it is not our problem. Moreover, it can't be fixed easily without total UUCP redesign. See my prev. message explaining it more.

--
Andrey A.
Chernov http://ache.pp.ru/

From owner-freebsd-audit Sat Sep 8 19: 7: 8 2001
Date: Sat, 8 Sep 2001 19:07:00 -0700
From: Kris Kennaway
To: "Andrey A. Chernov"
Cc: Kris Kennaway, "Todd C. Miller", Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010908190700.A5881@xor.obsecurity.org>

On Sun, Sep 09, 2001 at 05:59:03AM +0400, Andrey A. Chernov wrote:
> On Sat, Sep 08, 2001 at 18:54:15 -0700, Kris Kennaway wrote:
> >
> > Yeah, that's probably a good change to make. However the uucp
> > vulnerability still lets e.g. arbitrary users read/modify uucp spool
> > data, create files, access the uucp:dialer devices, etc.
>
> All you mention is historical old-days uucp subsystem bad 'features'; it
> is not foolproof and requires ethical behaviour of its users. To eliminate
> these things the main uucp developers must be contacted, because these things
> are hardly integrated in normal usage flow and can't be detached easily.
>
> I.e. 
it is not a FreeBSD security problem but a uucp problem (as designed).
> All we need is to protect uucp binaries from modifications (via schg).

Hmm. These flaws in the UUCP suite need to be documented, then. I'm also very uneasy at having a local root exploit foiled only by the setting of UFS file flags (mostly because of the NFS-mounted /usr case).

I think it's finally time to make UUCP into a port: I'll work on that later tonight.

Kris

From owner-freebsd-audit Sat Sep 8 19:10:20 2001
Date: Sat, 8 Sep 2001 19:10:13 -0700
From: Kris Kennaway
To: "Andrey A. Chernov"
Cc: Kris Kennaway, "Todd C. Miller", Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010908191013.B5881@xor.obsecurity.org>
In-Reply-To: <20010909060144.B34519@nagual.pp.ru>; from ache@nagual.pp.ru on Sun, Sep 09, 2001 at 06:01:44AM +0400

On Sun, Sep 09, 2001 at 06:01:44AM +0400, Andrey A. Chernov wrote:
> On Sat, Sep 08, 2001 at 18:56:02 -0700, Kris Kennaway wrote:
> >
> > That doesn't protect NFS-mounted systems, and doesn't prevent
>
> Don't have ideas about NFS. Does schg not work there?

Actually, I think I was overstating a bit. You can't set UFS file
flags on an NFS volume, but they should work fine if already set on
the server and /usr is mounted by a client.

What will break is trying to do an installworld onto a remote NFS
volume, or installworld within a jail, since in order for that to
succeed you have to tell it not to set file flags, and that will leave
you with a local root exploit on the installed system.

> > arbitrary users from reading/modifying the UUCP spool files.
>
> It is bad design of UUCP, it is not our problem. Moreover, it can't be
> fixed easily without total UUCP redesign. See my prev. message explaining
> it more.

Fair enough.

Kris

From owner-freebsd-audit Sat Sep 8 19:15:54 2001
Date: Sat, 8 Sep 2001 21:15:49 -0500 (CDT)
From: Mike Silbersack
To: Kris Kennaway
Cc: "Andrey A. Chernov", "Todd C. Miller", Matt Dillon, Jordan Hubbard
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
In-Reply-To: <20010908190700.A5881@xor.obsecurity.org>
Message-ID: <20010908211441.A48947-100000@achilles.silby.com>

On Sat, 8 Sep 2001, Kris Kennaway wrote:

> Hmm. These flaws in the UUCP suite need to be documented, then.
>
> I'm also very uneasy at having a local root exploit foiled only by
> the setting of UFS file flags (mostly because of the NFS-mounted /usr
> case).
>
> I think it's finally time to make UUCP into a port: I'll work on that
> later tonight.
>
> Kris

If uustat being called from the daily scripts is the exploit "vector",
can't we just remove uustat from the daily scripts for now? I doubt
many of us use uucp, and those that do can get along without daily stats
for a little while.

Mike "Silby" Silbersack

From owner-freebsd-audit Sat Sep 8 19:17:34 2001
Date: Sun, 9 Sep 2001 06:16:01 +0400
From: "Andrey A. Chernov"
To: Kris Kennaway
Cc: "Todd C. Miller", Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010909061601.A34828@nagual.pp.ru>
In-Reply-To: <20010908190700.A5881@xor.obsecurity.org>

On Sat, Sep 08, 2001 at 19:07:00 -0700, Kris Kennaway wrote:
> > I.e. it is not FreeBSD security problem but uucp problem (as designed).
> > All we need is to protect uucp binaries from modifications (via schg).
>
> Hmm. These flaws in the UUCP suite need to be documented, then.

They are documented (read docs :-) not as 'flaws' but as normal
functionality. By specifying the same system as anybody else you can
easily create havoc there, but UUCP assumes that it is 'never happens' or
handled by system admin reactions. Users that have uucp access are treated
as one team, not enemies.

> I think it's finally time to make UUCP into a port: I'll work on that
> later tonight.

Maybe. It is rarely enough used nowadays to deserve that.

--
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-audit Sat Sep 8 19:21:55 2001
Date: Sun, 9 Sep 2001 06:20:25 +0400
From: "Andrey A. Chernov"
To: Kris Kennaway
Cc: "Todd C. Miller", Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010909062025.B34828@nagual.pp.ru>
In-Reply-To: <20010908191013.B5881@xor.obsecurity.org>

On Sat, Sep 08, 2001 at 19:10:13 -0700, Kris Kennaway wrote:
> Actually, I think I was overstating a bit. You can't set UFS file
> flags on an NFS volume, but they should work fine if already set on
> the server and /usr is mounted by a client.
>
> What will break is trying to do an installworld onto a remote NFS
> volume, or installworld within a jail, since in order for that to
> succeed you have to tell it not to set file flags, and that will leave
> you with a local root exploit on the installed system.

This is different problem we already have in other places, since we
install f.e. libc, sliplogin, login, chpass, etc. etc. with -fschg

It means no remote NFS installation allowed.

--
Andrey A. Chernov
http://ache.pp.ru/

From owner-freebsd-audit Sat Sep 8 19:33: 0 2001
Date: Sat, 8 Sep 2001 19:32:52 -0700
From: Kris Kennaway
To: "Andrey A. Chernov"
Cc: Kris Kennaway, "Todd C. Miller", Matt Dillon, Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <20010908193252.A7066@xor.obsecurity.org>
In-Reply-To: <20010909062025.B34828@nagual.pp.ru>; from ache@nagual.pp.ru on Sun, Sep 09, 2001 at 06:20:25AM +0400

On Sun, Sep 09, 2001 at 06:20:25AM +0400, Andrey A. Chernov wrote:
> On Sat, Sep 08, 2001 at 19:10:13 -0700, Kris Kennaway wrote:
> > Actually, I think I was overstating a bit. You can't set UFS file
> > flags on an NFS volume, but they should work fine if already set on
> > the server and /usr is mounted by a client.
> >
> > What will break is trying to do an installworld onto a remote NFS
> > volume, or installworld within a jail, since in order for that to
> > succeed you have to tell it not to set file flags, and that will leave
> > you with a local root exploit on the installed system.
>
> This is different problem we already have in other places, since we
> install f.e. libc, sliplogin, login, chpass, etc. etc. with -fschg
>
> It means no remote NFS installation allowed.

That's slightly different: the fact that those files don't have the
schg flags doesn't expose any runtime security holes, it just means
that root can overwrite them. The difference is that here *any* user
can overwrite the uu* binaries, which is equivalent to a local root
exploit if root runs that binary (which it does currently, once a
day).

Kris

From owner-freebsd-audit Sat Sep 8 21:52: 5 2001
Date: Sat, 8 Sep 2001 21:51:56 -0700 (PDT)
From: Matt Dillon
Message-Id: <200109090451.f894puV31109@earth.backplane.com>
To: "Andrey A. Chernov", Kris Kennaway, "Todd C. Miller", Jordan Hubbard, security@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems.

Wow. A lot of replies on this thread! I've read every one and would
like to interject a couple of points if I may:

* Regardless of security problems with the uucp binaries, it is still
  our job to protect root.

* No binary in a standard system path (/bin, /usr/bin, /sbin, /usr/sbin)
  should be editable by non-root, no matter what. Even if cron doesn't
  run the binary, a sysop su'd to root might, or someone from another
  user account. 'schg' accomplishes this.

* I don't understand the person who was saying that NFS installs
  wouldn't work. I use NFS based installs for everything, it works
  fine. The typical method is to remotely mount /usr/src and do a
  local 'make installworld', not to remotely mount the destination host
  and do the 'make installworld' with the mount as a target.

* Several other binaries, such as 'man', are already installed noschg,
  as well as some libraries. We aren't breaking new ground here.

I think it's worth getting into -stable for the release, but it's
Jordan's decision. I *am* going to commit the schg changes to -current
now since there does not seem to be any opposition to it.

Remember guys: security should always be a layered onion approach, we
are not precluding additional fixes by making this change.

-Matt
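
The rule stated in the message above, that nothing in /bin, /usr/bin, /sbin or /usr/sbin should be editable by non-root, can be checked with a short audit. This is an added example, not part of the thread or of FreeBSD; the function names audit_bins and audit_system_paths are made up here, and the trusted owner is a parameter so the check can be tried on a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread): list files in system binary
# directories that an account other than the trusted owner could replace.
#
# audit_bins OWNER DIR...
#   OWNER is a user name or numeric uid (root on a real system).
#   Prints one finding per line: "owner PATH" or "writable PATH".
audit_bins() {
    trusted=$1
    shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # Not owned by the trusted account: the owner can rewrite the file,
        # or chmod it and then rewrite it, whatever the mode bits say.
        # -H resolves DIR itself when it is a symlink (e.g. /bin -> usr/bin).
        find -H "$dir" \( -type f -o -type d \) ! -user "$trusted" -print |
            sed 's/^/owner /'
        # Group- or world-writable: any member of the group, or anyone at
        # all, can replace the contents.
        find -H "$dir" \( -type f -o -type d \) \
            \( -perm -020 -o -perm -002 \) -print |
            sed 's/^/writable /'
    done
}

# The four standard paths named in the message above, audited against root.
audit_system_paths() {
    audit_bins root /bin /usr/bin /sbin /usr/sbin
}

# Run the real audit only when asked to: sh audit.sh --run
if [ "${1:-}" = --run ]; then
    audit_system_paths
fi
```

On FreeBSD, `ls -lo` on a reported path shows whether the file carries the schg flag discussed in the thread.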