Date:      Tue, 7 Jan 2003 19:35:19 +0100
From:      Mark <admin@asarian-host.net>
To:        <freebsd-questions@freebsd.org>
Subject:   Re: security vulnerability in dump
Message-ID:  <200301071835.H07IZMJ40741@asarian-host.net>
References:  <200301071548.H07FM0J93369@asarian-host.net> <20030107180013.D14422@slave.east.ath.cx>

----- Original Message -----
From: "Andrew Prewett" <andrew@kronos.HomeUnix.com>
To: <freebsd-questions@FreeBSD.ORG>
Sent: Tuesday, January 07, 2003 6:06 PM
Subject: Re: security vulnerability in dump

> Today Mark wrote:
>
> > I believe I have found a security vulnerability in dump, which, under
> > the right conditions, allows any user with shell-access to gain
> > root-privileges.
> >
> > When dumping to a file, dump writes this file chmod 644. When the
> > root-partition is being backed-up, this leaves the dump-file vulnerable
> > to scanning by unprivileged users for the duration of the dump.
> >
> > I tested this, and, as a non-privileged user, was able to extract the
> > root-password from the dump-file using a simple regex:
> > "(/root:(.*?):0:0::0:0:Superuser:/)". This, of course, based on the fact
> > that /etc/master.passwd also becomes part of the dump-file.
> >
> > As to how high to rank this exploitability, I am not sure. Certain
> > conditions need to be met. The dump must be made to file, and the
> > unprivileged user must, naturally, know the name of the dump-file; and
> > the dump, of course, must be made in multi-user mode.
> >
> > Still, I would feel a lot better if the FreeBSD development team made a
> > small adjustment to dump, writing its dump-file chmod 600, which would
> > immediately solve any and all exploitability.
> >
> > If people deem it serious enough, I will file a report.
> >
> > Thanks for listening.
>
> Normally the master.passwd is backed up regularly by cron
> (/var/backups), so maybe there is no need to back it up again.
>
> hint: chflags nodump /etc/master.passwd
>
> -andrew


Thanks for your reply, Andrew.

Next to /etc/master.passwd, my greater point would be that the "run-length"
storage of dump, since the file is chmod 644, effectively renders all files
it backs up world-readable as it passes them along for processing. At least
for the duration dump is running (assuming a backup script would change
permissions directly thereafter).

There may be a lot more files one wishes not to be world-readable. :) And
excluding them all from the dump may not be the answer. Especially since it
would be very little trouble to adjust dump's code in such a way that it
writes chmod 600 to begin with.

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
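The mitigation Mark asks for, done from the calling backup script instead of inside dump(8), as an added example that is not code from this thread or from FreeBSD: the target file is created with mode 0600 before anything writes to it, the mode is verified, and only then would the real `dump -0 -u -f "$target" /` run. So that the script runs anywhere, the dump invocation is replaced by a constructed writer that emits one made-up master.passwd line of the kind the regex in the first message matches; the hash, the helper names and the `extract_root_hash` scanner are assumptions for illustration, not part of any FreeBSD tool.

```sh
# Added example (not from the original thread or from dump(8)).
# Assumptions: a hypothetical writer stands in for dump; the root hash is constructed.

# Permission string of a file, e.g. "-rw-------". ls -l is used rather than
# stat because stat's flags differ between BSD and GNU userland.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# True if the file is readable and writable by its owner only (mode 0600).
is_private() {
    case "$(mode_of "$1")" in
        ?rw-------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Create the target 0600 in a subshell: umask 077 strips the group/other
# bits at creation time, and set -C (noclobber) refuses an existing file, so
# a leftover 644 dump file or a planted file cannot be silently reused.
create_dump_target() {
    ( umask 077; set -C; : > "$1" ) 2>/dev/null || return 1
    is_private "$1"
}

# Constructed stand-in for dump's output stream: a single master.passwd
# line with a made-up hash. The real script would run dump here instead.
write_constructed_dump() {
    printf 'root:$1$constructedsalt$madeuphashmadeuphash:0:0::0:0:Charlie &:/root:/bin/csh\n' > "$1"
}

# What an unprivileged reader recovers from a world-readable dump: the hash
# field of the uid 0 entry. grep -a treats the (normally binary) dump as text.
# Prints the hash; exit status 1 if no such entry is present.
extract_root_hash() {
    line=$(grep -a -o '^root:[^:]*:0:0:' "$1" | head -n 1) || return 1
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | cut -d: -f2
}

# The safe sequence: create 0600, write, re-check before reporting success.
safe_dump() {
    target=$1
    create_dump_target "$target" || {
        echo "refusing: cannot create $target with mode 0600" >&2
        return 1
    }
    write_constructed_dump "$target"      # real use: dump -0 -u -f "$target" /
    is_private "$target"
}
```

Note the second check after writing: it catches a writer that replaces the file rather than writing into the descriptor it was handed. Setting `umask 077` only for the subshell that creates the file leaves the rest of the backup script's umask alone, and a pre-existing world-readable file is refused rather than chmod'ed, because by then its contents may already have been read.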

