From owner-freebsd-security@FreeBSD.ORG Sun Mar 7 01:36:30 2004
Date: Sun, 07 Mar 2004 04:41:55 -0500
From: Ender
To: freebsd-security@freebsd.org, freebsd-bugs@freebsd.org
Message-ID: <404AEE63.8030602@tog.net>
Subject: strace hard lock

Topic: strace causes hard lock. No kernel panic. Userland tool.
Category: kernel
Program: strace
Affects: FreeBSD releases 5.x and later.
Problem: When a normal user (or the root user) uses strace on certain binaries, the system will hard lock up, with no kernel panic (numlock doesn't turn on and off, no ssh or console access). I'm using strace from the ports collection.
The crash seemed to occur when exiting strace from a running program. Also, the crash would not happen 100% of the time when leaving a program, but it never took more than 3 tries to cause the crash.

Repeatable: I repeated this bug on 2 different systems; both were SMP, 2 procs. I have not been able to test on a UP system yet.

The main program I am running, and also the easiest way to cause the crash, can be found at the following links:

http://www.pvpgn.de/files.aspx?file=pvpgn-1.6.0beta.tar.bz2
http://www.pvpgn.de/files.aspx?file=pvpgn-1.6.0beta.tar.gz

From owner-freebsd-security@FreeBSD.ORG Sun Mar 7 01:40:11 2004
Date: Sun, 7 Mar 2004 09:37:17 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Mark Ogden
cc: "Jacques A. Vidrine"
cc: freebsd-security@freebsd.org
In-Reply-To: <20040306225041.GA29333@yem.eng.utah.edu>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:04.tcp

On Sat, 6 Mar 2004, Mark Ogden wrote:

> Jacques A. Vidrine on Wed, Mar 03, 2004 at 07:53:36AM -0600 wrote:
> > On Wed, Mar 03, 2004 at 12:04:05PM +0100, Gordon Bergling wrote:
> > > Is there any chance to get this fixed in RELENG_5_1?
> >
> > I intend to do so as time allows.
>
> Any word on when the fix of 5.1 will be ready?

By simply taking the 5.2 patch and applying it you will get two rejects which seem to be easily resolvable by hand - if the patch will dtrt is another question.

--
Bjoern A. Zeeb                          bzeeb at Zabbadoz dot NeT
56 69 73 69 74                          http://www.zabbadoz.net/

From owner-freebsd-security@FreeBSD.ORG Sun Mar 7 08:48:11 2004
Date: Sun, 7 Mar 2004 17:44:28 +0100
From: jan.muenther@nruns.com
To: Ender
cc: freebsd-security@freebsd.org
cc: freebsd-bugs@freebsd.org
Message-ID: <20040307164428.GA763@ergo.nruns.com>
In-Reply-To: <404AEE63.8030602@tog.net>
Subject: Re: strace hard lock

Hm, hm. Well, normally one would use truss or ktrace, since strace isn't part of the base system. Also, are you sure you're not simply running out of system resources, like forkbombing or something?
Tried the same thing with a restricted user? I couldn't reproduce it over here, on a single-CPU 5.2.1 box.

From owner-freebsd-security@FreeBSD.ORG Mon Mar 8 01:36:43 2004
Date: Mon, 8 Mar 2004 10:36:42 +0100
From: Pawel Jakub Dawidek
To: freebsd-security@freebsd.org
Message-ID: <20040308093642.GI10864@darkness.comp.waw.pl>
Subject: Call for review: restricted hardlinks.

Hi.

I've had no response from so@ on this topic, probably because of lack of time, so I'll try here.
Here is a patch that I'm planning to commit:

http://people.freebsd.org/~pjd/patches/restricted_hardlinks.patch

It adds two new sysctls:

security.bsd.hardlink_check_uid
security.bsd.hardlink_check_gid

If sysctl security.bsd.hardlink_check_uid is set to 1, unprivileged users are not permitted to create hard links to files not owned by them.
If sysctl security.bsd.hardlink_check_gid is set to 1, unprivileged users are not permitted to create hard links to files if they are not a member of the file's group.

For now a user is able to create hard links to any files.

--
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd@FreeBSD.org                           http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!

From owner-freebsd-security@FreeBSD.ORG Mon Mar 8 02:43:10 2004
Date: Mon, 8 Mar 2004 11:43:05 +0100
From: Pawel Jakub Dawidek
To: Tim Robbins
cc: freebsd-security@freebsd.org
Message-ID: <20040308104305.GJ10864@darkness.comp.waw.pl>
In-Reply-To: <20040308102555.GA85110@cat.robbins.dropbear.id.au>
Subject: Re: Call for review: restricted hardlinks.

On Mon, Mar 08, 2004 at 09:25:55PM +1100, Tim Robbins wrote:

> > It adds two new sysctls:
> >
> > security.bsd.hardlink_check_uid
> > security.bsd.hardlink_check_gid
> >
> > If sysctl security.bsd.hardlink_check_uid is set to 1, unprivileged users
> > are not permitted to create hard links to files not owned by them.
> > If sysctl security.bsd.hardlink_check_gid is set to 1, unprivileged users
> > are not permitted to create hard links to files if they are not member
> > of file's group.
> >
> > For now user is able to create hardlinks to any files.
>
> It might be more consistent with other UNIX access checks (e.g. vaccess())
> if having the same uid as the file was sufficient to link to it,
> without having to be a group member. I can't convince myself either way
> on this, but it's worth thinking about.

So you need to set security.bsd.hardlink_check_uid and not touch security.bsd.hardlink_check_gid.

> Also be aware that as a side effect of this patch, old applications that use
> the unlink()/link()/unlink() sequence instead of the rename() system call
> may not be able to rename files they don't own.

The default values for those sysctls are 0, so system behaviour will change only on the administrator's request.
--
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd@FreeBSD.org                           http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!

From owner-freebsd-security@FreeBSD.ORG Mon Mar 8 14:08:31 2004
Date: Mon, 8 Mar 2004 23:08:28 +0100
From: Pawel Jakub Dawidek
To: "Georg-W. Koltermann"
cc: freebsd-security@freebsd.org
Message-ID: <20040308220828.GP10864@darkness.comp.waw.pl>
In-Reply-To: <1078780238.1937.11.camel@localhost.muc.eu.mscsoftware.com>
Subject: Re: Call for review: restricted hardlinks.
On Mon, Mar 08, 2004 at 10:10:38PM +0100, Georg-W. Koltermann wrote:

> When you restrict links, do you want to restrict copying as well?
>
> Seems somewhat paranoid to me. You already need write permission on the
> directory where you create the link, and permissions are checked against
> the inode on open(2) anyway.

This is because it gives an attacker some possibilities. For example, he is able to create a hard link to some set-uid binary. After some time, a security-related bug will be found in this application; the administrator will replace it with a good version, but the old, vulnerable version will still be in the system. The administrator has to be really careful when fixing such problems and check the number of hard links, or just remove such a program using 'rm -P'.

--
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd@FreeBSD.org                           http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!

From owner-freebsd-security@FreeBSD.ORG Tue Mar 9 00:17:03 2004
Date: Tue, 9 Mar 2004 09:16:39 +0100
From: Cédric Devillers
To: freebsd-security@freebsd.org
Message-Id: <20040309091639.0a3a362a.cedric.devillers@script.jussieu.fr>
In-Reply-To: <20040308220828.GP10864@darkness.comp.waw.pl>
Subject: Re: Call for review: restricted hardlinks.
If you create several partitions ( /var /usr /home ), this problem is resolved. Generally, in /usr, there are no directories writable for all. If you have a partition for /usr, no hard link to a set-uid binary ( in the /usr tree ) is possible.

On Mon, 8 Mar 2004 23:08:28 +0100
Pawel Jakub Dawidek wrote:

> On Mon, Mar 08, 2004 at 10:10:38PM +0100, Georg-W. Koltermann wrote:
> > When you restrict links, do you want to restrict copying as well?
> >
> > Seems somewhat paranoid to me. You already need write permission
> > on the directory where you create the link, and permissions are
> > checked against the inode on open(2) anyway.
>
> This is because this gives an attacker some possibilities.
> For example he is able to create hard link to some set-uid binary.
> After some time, a security-related bug will be found in this
> application, administrator will change it with good version, but old,
> vulnerable version will be still in system.
> Administrator have to be really careful when fixing such problems
> and check number of hard links or just remove such program using 'rm
> -P'.
>
> --
> Pawel Jakub Dawidek                       http://www.FreeBSD.org
> pjd@FreeBSD.org                           http://garage.freebsd.pl
> FreeBSD committer                         Am I Evil? Yes, I Am!

From owner-freebsd-security@FreeBSD.ORG Tue Mar 9 01:23:18 2004
Date: Tue, 9 Mar 2004 10:23:09 +0100
From: Pawel Jakub Dawidek
To: Cédric Devillers
cc: freebsd-security@freebsd.org
Message-ID: <20040309092309.GS10864@darkness.comp.waw.pl>
In-Reply-To: <20040309091639.0a3a362a.cedric.devillers@script.jussieu.fr>
Subject: Re: Call for review: restricted hardlinks.

On Tue, Mar 09, 2004 at 09:16:39AM +0100, Cédric Devillers wrote:

> If you create several partition ( /var /usr /home ), this problem is
> resolved.
> Generally, in /usr, there are no directory write-able for all.
> If you have a partition for /usr, no hard link to a set-uid binary ( in
> the /usr tree ) is possible.

Believe me, I'm aware of this. This "issue" can be used for other purposes as well:

% ln /home//important_file ~/i_cannot_read_it_now_but_maybe_some_day_i_will_compromise_this_machine

Anyway, it is turned off by default and there is no need to use it at all.

--
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd@FreeBSD.org                           http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!

From owner-freebsd-security@FreeBSD.ORG Mon Mar 8 02:25:15 2004
Date: Mon, 8 Mar 2004 21:25:55 +1100
From: Tim Robbins
To: Pawel Jakub Dawidek
Message-ID: <20040308102555.GA85110@cat.robbins.dropbear.id.au>
In-Reply-To: <20040308093642.GI10864@darkness.comp.waw.pl>
cc: freebsd-security@freebsd.org
Subject: Re: Call for review: restricted hardlinks.

On Mon, Mar 08, 2004 at 10:36:42AM +0100, Pawel Jakub Dawidek wrote:

> Hi.
>
> I've no response from so@ in this topic, probably because leak of time,
> so I'll try here.
>
> Here is a patch that I'm planing to commit:
>
> http://people.freebsd.org/~pjd/patches/restricted_hardlinks.patch
>
> It adds two new sysctls:
>
> security.bsd.hardlink_check_uid
> security.bsd.hardlink_check_gid
>
> If sysctl security.bsd.hardlink_check_uid is set to 1, unprivileged users
> are not permitted to create hard links to files not owned by them.
> If sysctl security.bsd.hardlink_check_gid is set to 1, unprivileged users
> are not permitted to create hard links to files if they are not member
> of file's group.
>
> For now user is able to create hardlinks to any files.

It might be more consistent with other UNIX access checks (e.g. vaccess()) if having the same uid as the file was sufficient to link to it, without having to be a group member. I can't convince myself either way on this, but it's worth thinking about.

Also be aware that as a side effect of this patch, old applications that use the unlink()/link()/unlink() sequence instead of the rename() system call may not be able to rename files they don't own.
Tim

From owner-freebsd-security@FreeBSD.ORG Mon Mar 8 13:10:42 2004
Date: Mon, 08 Mar 2004 22:10:38 +0100
From: "Georg-W. Koltermann"
To: Pawel Jakub Dawidek
cc: freebsd-security@freebsd.org
Message-Id: <1078780238.1937.11.camel@localhost.muc.eu.mscsoftware.com>
In-Reply-To: <20040308093642.GI10864@darkness.comp.waw.pl>
Subject: Re: Call for review: restricted hardlinks.

When you restrict links, do you want to restrict copying as well?

Seems somewhat paranoid to me. You already need write permission on the directory where you create the link, and permissions are checked against the inode on open(2) anyway.

My $0.0002.

--
Regards,
Georg.
On Mon, 08.03.2004, at 10:36, Pawel Jakub Dawidek wrote:

> Hi.
>
> I've no response from so@ in this topic, probably because leak of time,
> so I'll try here.
>
> Here is a patch that I'm planing to commit:
>
> http://people.freebsd.org/~pjd/patches/restricted_hardlinks.patch
>
> It adds two new sysctls:
>
> security.bsd.hardlink_check_uid
> security.bsd.hardlink_check_gid
>
> If sysctl security.bsd.hardlink_check_uid is set to 1, unprivileged users
> are not permitted to create hard links to files not owned by them.
> If sysctl security.bsd.hardlink_check_gid is set to 1, unprivileged users
> are not permitted to create hard links to files if they are not member
> of file's group.
>
> For now user is able to create hardlinks to any files.

From owner-freebsd-security@FreeBSD.ORG Tue Mar 9 16:34:51 2004
Date: Tue, 9 Mar 2004 19:33:16 -0500 (EST)
From: Robert Watson
To: "Georg-W. Koltermann"
cc: freebsd-security@FreeBSD.org
cc: Pawel Jakub Dawidek
In-Reply-To: <1078780238.1937.11.camel@localhost.muc.eu.mscsoftware.com>
Subject: Re: Call for review: restricted hardlinks.
On Mon, 8 Mar 2004, Georg-W. Koltermann wrote:

> When you restrict links, do you want to restrict copying as well?
>
> Seems somewhat paranoid to me. You already need write permission on the
> directory where you create the link, and permissions are checked against
> the inode on open(2) anyway.

The "classic hard link attack" is to find a writable directory in a partition containing setuid/setgid binaries, hard link them all to that directory, then wait for an exploit to be discovered in one of them. The administrator will apply the patches, rebuild, binary update, or whatever, and think they're covered, but the attacker still has a reference that can be executed later. This might be employed against /usr/{bin,sbin,local} using /usr/tmp, or {/sbin,/bin} using /tmp in default file system layouts.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research

>
> My $0.0002.
>
> --
> Regards,
> Georg.
>
> On Mon, 08.03.2004, at 10:36, Pawel Jakub Dawidek wrote:
> > Hi.
> >
> > I've no response from so@ in this topic, probably because leak of time,
> > so I'll try here.
> >
> > Here is a patch that I'm planing to commit:
> >
> > http://people.freebsd.org/~pjd/patches/restricted_hardlinks.patch
> >
> > It adds two new sysctls:
> >
> > security.bsd.hardlink_check_uid
> > security.bsd.hardlink_check_gid
> >
> > If sysctl security.bsd.hardlink_check_uid is set to 1, unprivileged users
> > are not permitted to create hard links to files not owned by them.
> > If sysctl security.bsd.hardlink_check_gid is set to 1, unprivileged users
> > are not permitted to create hard links to files if they are not member
> > of file's group.
> >
> > For now user is able to create hardlinks to any files.

From owner-freebsd-security@FreeBSD.ORG Fri Mar 12 03:06:55 2004
Date: Fri, 12 Mar 2004 13:06:57 +0200
From: Ruslan Ermilov
To: Morten Rodal
cc: security@FreeBSD.org
Message-ID: <20040312110657.GB52099@ip.net.ua>
In-Reply-To: <20040312105730.GA99925@stud326.idi.ntnu.no>
Subject: Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2) with no argv.
On Fri, Mar 12, 2004 at 11:57:30AM +0100, Morten Rodal wrote:
> On Fri, Mar 12, 2004 at 12:49:14PM +0200, Ruslan Ermilov wrote:
> > On Fri, Mar 12, 2004 at 10:22:00AM +0100, Morten Rodal wrote:
> > > >Description:
> > > ls(1) calls the fts(3) functions for traversing a file hierarchy.
> > > If ls(1) is executed via execve(2) system call with a NULL argv
> > > and envp it will make the fts(3) functions core dump with a
> > > SIGBUS.
> > >
> > > If execve(2) is executed with a NULL (I am not sure this is
> > > legal?) argv, the executed program will have an argc value of -1.
> > >
> > > >How-To-Repeat:
> > > #include <unistd.h>
> > >
> > > int main(int argc, char **argv) {
> > >         /* exec ls(1) with no argument and no environment vector */
> > >         execve("/bin/ls", NULL, NULL);
> > >
> > >         return (1);
> > > }
> >
> > The execve(2) manpage says:
> >
> > : The argument argv is a pointer to a null-terminated array of character
> > : pointers to null-terminated character strings.  These strings construct
> > : the argument list to be made available to the new process.  At least one
> > : argument must be present in the array; by custom, the first element
> > : should be the name of the executed program (for example, the last
> > : component of path).
> >
> >
>
> Indeed you are correct, but I would have wished that execve(2) could
> set argc = 0 and not -1 for the newly created process.  However I
> think this is a standards issue and I'll just correct this program to
> include argv and envp vectors when calling execve(2).
>
> Thanks for the quick response.
>

The problem is not with execve(2) (which correctly sets argc to 0),
but with the standard getopt(3) usage:

: 	while ((ch = getopt(argc, argv, "bf:")) != -1)
: 		switch (ch) {
: 		...
: 		default:
: 			usage();
: 		}
: 	argc -= optind;
: 	argv += optind;

And the fact that optind is initially set to 1.  I wonder what
could be the implications for setuid programs.  There could be
quite unpredictable results, as the "argv" pointer is incorrectly
advanced in this case, and at least several setuid programs that
I've glanced at are vulnerable to this attack.


Cheers,
--
Ruslan Ermilov
FreeBSD committer
ru@FreeBSD.org

From owner-freebsd-security@FreeBSD.ORG Fri Mar 12 03:15:26 2004
Date: Fri, 12 Mar 2004 12:15:26 +0100
From: Marc Olzheim
To: Ruslan Ermilov
Message-ID: <20040312111526.GA14260@stack.nl>
In-Reply-To: <20040312110657.GB52099@ip.net.ua>
cc: Morten Rodal
cc: security@FreeBSD.org
Subject: Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2) with no argv.

On Fri, Mar 12, 2004 at 01:06:57PM +0200, Ruslan Ermilov wrote:
> And the fact that optind is initially set to 1.  I wonder what
> could be the implications for setuid programs.  There could be
> quite unpredictable results, as the "argv" pointer is incorrectly
> advanced in this case, and at least several setuid programs that
> I've glanced at are vulnerable to this attack.
See also: http://www.freebsd.org/cgi/query-pr.cgi?pr=33738

Marc

From owner-freebsd-security@FreeBSD.ORG Fri Mar 12 07:10:34 2004
Date: Fri, 12 Mar 2004 06:58:20 -0600
From: "Jacques A. Vidrine"
To: Marc Olzheim
cc: Morten Rodal
cc: Ruslan Ermilov
cc: security@FreeBSD.org
Message-ID: <20040312125820.GA8574@lum.celabo.org>
In-Reply-To: <20040312111526.GA14260@stack.nl>
Subject: Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2) with no argv.

On Fri, Mar 12, 2004 at 12:15:26PM +0100, Marc Olzheim wrote:
> On Fri, Mar 12, 2004 at 01:06:57PM +0200, Ruslan Ermilov wrote:
> > And the fact that optind is initially set to 1.  I wonder what
> > could be the implications for setuid programs.  There could be
> > quite unpredictable results, as the "argv" pointer is incorrectly
> > advanced in this case, and at least several setuid programs that
> > I've glanced at are vulnerable to this attack.
>
> See also: http://www.freebsd.org/cgi/query-pr.cgi?pr=33738

Thanks Ruslan, Marc,

I think kern/33738 is on the money.  I do not see any immediate
ramifications, but for peace of mind I believe that exec should fail if
the argument array pointer is NULL.

I believe this would be consistent with the relevant standards: POSIX
already requires (a) that the first argument ``should point to a
filename that is associated with the process being started'' and (b)
``the last member of this array is a null pointer''--- i.e. the array
pointer cannot be NULL.
Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

From owner-freebsd-security@FreeBSD.ORG Fri Mar 12 07:18:57 2004
Date: Fri, 12 Mar 2004 17:18:48 +0200
From: Ruslan Ermilov
To: "Jacques A. Vidrine", Marc Olzheim, Morten Rodal, security@FreeBSD.org
Message-ID: <20040312151848.GA2235@ip.net.ua>
In-Reply-To: <20040312125820.GA8574@lum.celabo.org>
Subject: Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2) with no argv.
On Fri, Mar 12, 2004 at 06:58:20AM -0600, Jacques A. Vidrine wrote:
> On Fri, Mar 12, 2004 at 12:15:26PM +0100, Marc Olzheim wrote:
> > On Fri, Mar 12, 2004 at 01:06:57PM +0200, Ruslan Ermilov wrote:
> > > And the fact that optind is initially set to 1.  I wonder what
> > > could be the implications for setuid programs.  There could be
> > > quite unpredictable results, as the "argv" pointer is incorrectly
> > > advanced in this case, and at least several setuid programs that
> > > I've glanced at are vulnerable to this attack.
> >
> > See also: http://www.freebsd.org/cgi/query-pr.cgi?pr=33738
>
> Thanks Ruslan, Marc,
>
> I think kern/33738 is on the money.  I do not see any immediate
> ramifications, but for peace of mind I believe that exec should fail if
> the argument array pointer is NULL.
>
> I believe this would be consistent with the relevant standards: POSIX
> already requires (a) that the first argument ``should point to a
> filename that is associated with the process being started'' and (b)
> ``the last member of this array is a null pointer''--- i.e. the array
> pointer cannot be NULL.
>

I will track it down later today, and follow up with what I have.
Cheers,
--
Ruslan Ermilov
FreeBSD committer
ru@FreeBSD.org

From owner-freebsd-security@FreeBSD.ORG Fri Mar 12 07:46:11 2004
Date: Fri, 12 Mar 2004 17:46:00 +0200
From: Ruslan Ermilov
To: "Jacques A. Vidrine"
cc: security@FreeBSD.org
Message-ID: <20040312154600.GC2235@ip.net.ua>
In-Reply-To: <20040312125820.GA8574@lum.celabo.org>
Subject: Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2) with no argv.

On Fri, Mar 12, 2004 at 06:58:20AM -0600, Jacques A. Vidrine wrote:
> On Fri, Mar 12, 2004 at 12:15:26PM +0100, Marc Olzheim wrote:
> > On Fri, Mar 12, 2004 at 01:06:57PM +0200, Ruslan Ermilov wrote:
> > > And the fact that optind is initially set to 1.  I wonder what
> > > could be the implications for setuid programs.  There could be
> > > quite unpredictable results, as the "argv" pointer is incorrectly
> > > advanced in this case, and at least several setuid programs that
> > > I've glanced at are vulnerable to this attack.
> >
> > See also: http://www.freebsd.org/cgi/query-pr.cgi?pr=33738
>
> Thanks Ruslan, Marc,
>
> I think kern/33738 is on the money.  I do not see any immediate
> ramifications, but for peace of mind I believe that exec should fail if
> the argument array pointer is NULL.
>
> I believe this would be consistent with the relevant standards: POSIX
> already requires (a) that the first argument ``should point to a
> filename that is associated with the process being started'' and (b)
> ``the last member of this array is a null pointer''--- i.e. the array
> pointer cannot be NULL.
>

As Garrett already pointed out in the PR log, have you considered this?

http://www.opengroup.org/onlinepubs/007904975/functions/execve.html#tag_03_130_08

I'm happy with changing our behavior to Strictly Conforming for the
good of security, and you?

Cheers,
--
Ruslan Ermilov
FreeBSD committer
ru@FreeBSD.org

From owner-freebsd-security@FreeBSD.ORG Fri Mar 12 08:10:57 2004
Date: Fri, 12 Mar 2004 18:10:49 +0200
From: Ruslan Ermilov
To: Tom Rhodes
Message-ID: <20040312161049.GA2872@ip.net.ua>
In-Reply-To: <20040312110725.698ebe20@localhost>
cc: "Jacques A. Vidrine"
cc: security@FreeBSD.org
Subject: Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2) with no argv.

On Fri, Mar 12, 2004 at 11:07:25AM -0500, Tom Rhodes wrote:
> On Fri, 12 Mar 2004 17:46:00 +0200
> Ruslan Ermilov wrote:
[...]
> > As Garrett already pointed out in the PR log, have you considered this?
> >
> > http://www.opengroup.org/onlinepubs/007904975/functions/execve.html#tag_03_130_08
> >
> > I'm happy with changing our behavior to Strictly Conforming for the
> > good of security, and you?
>
> Will it 'break' anything?
>

Sure it will; the question is, should we care about something that's
already broken.
;)

Cheers,
--
Ruslan Ermilov
FreeBSD committer
ru@FreeBSD.org

From owner-freebsd-security@FreeBSD.ORG Fri Mar 12 09:01:40 2004
Date: Fri, 12 Mar 2004 10:42:27 -0600
From: "Jacques A. Vidrine"
To: Ruslan Ermilov
cc: security@FreeBSD.org
Message-ID: <20040312164227.GC8990@lum.celabo.org>
In-Reply-To: <20040312154600.GC2235@ip.net.ua>
Subject: Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2) with no argv.

On Fri, Mar 12, 2004 at 05:46:00PM +0200, Ruslan Ermilov wrote:
> As Garrett already pointed out in the PR log, have you considered this?
>
> http://www.opengroup.org/onlinepubs/007904975/functions/execve.html#tag_03_130_08

This doesn't seem to contradict anything we've discussed so far, does it?

> I'm happy with changing our behavior to Strictly Conforming for the
> good of security, and you?

Isn't that a bonus if it also makes us `Strictly Conforming'?  :-)

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
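Ruslan Ermilov's point earlier in this thread, that getopt(3) starts optind at 1 so the usual "argc -= optind; argv += optind" arithmetic walks off the end of an empty argument vector, as an added C example that is not part of the thread or of ls(1). The option skeleton, the sample vectors, USAGE_ERROR and the function names are this example's own constructions; the checked variant shows the guard a privileged program wants before it touches argv, whatever the kernel does with a NULL argv at exec time.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <getopt.h>          /* optreset on BSD libc and musl; harmless on glibc */

#define USAGE_ERROR (-2)     /* stands in for what usage() would report */

/* Constructed argument vectors for the demonstration. sample_none is the
 * argc == 0 case the thread is about; its second NULL is deliberate slack,
 * mirroring the empty envp that follows argv on the stack, so a libc
 * getopt that peeks at argv[optind] before checking argc stays in bounds.
 * sample_ls is an ordinary invocation with one operand after the options. */
char *sample_none[] = { NULL, NULL };
char *sample_ls[]   = { "ls", "-b", "-f", "x", "dir", NULL };
const int sample_ls_argc = 5;

/* Put getopt(3) back to its initial state so each call parses a fresh
 * vector: BSD libc needs optreset, glibc has no such variable. */
static void reset_getopt(void)
{
    optind = 1;
#ifndef __GLIBC__
    optreset = 1;
#endif
}

/* Option handling shaped like the ls(1) fragment quoted in the thread
 * (written for this example, not copied from ls(1)). Returns the number
 * of operands left after option parsing, or USAGE_ERROR on a bad option.
 * With argc == 0 the result is -1: optind starts at 1 whatever argc is,
 * so "argc -= optind" goes negative and "argv += optind" lands one past
 * the NULL that ends the vector, which is the state fts(3) was handed. */
int operands_unchecked(int argc, char **argv)
{
    int ch;

    reset_getopt();
    while ((ch = getopt(argc, argv, "bf:")) != -1) {
        switch (ch) {
        case 'b':
        case 'f':
            break;           /* the options themselves are beside the point */
        default:
            return USAGE_ERROR;
        }
    }
    argc -= optind;
    argv += optind;          /* past the end of the array when argc was 0 */
    return argc;
}

/* Hardened form: a vector without even argv[0] is a usage error before
 * getopt(3) runs, so argv is never advanced past its terminator. */
int operands_checked(int argc, char **argv)
{
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return USAGE_ERROR;
    return operands_unchecked(argc, argv);
}

int main(void)
{
    printf("unchecked, argc=0: %d operand(s)\n",
           operands_unchecked(0, sample_none));            /* -1 */
    printf("checked,   argc=0: %d (usage error)\n",
           operands_checked(0, sample_none));              /* -2 */
    printf("checked,   argc=%d: %d operand(s)\n", sample_ls_argc,
           operands_checked(sample_ls_argc, sample_ls));   /* 1 */
    return 0;
}
```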