From: jnemeth@victoria.tc.ca (John Nemeth)
Date: Tue, 22 Mar 2005 19:04:27 -0800
To: freebsd-hackers@freebsd.org
Subject: security or lack thereof
Message-Id: <200503230304.j2N34R97020359@vtn1.victoria.tc.ca>

So, is it FreeBSD policy to ignore security bug reports? I sent the following bug report to security@freebsd.org on Feb. 19th, 2005 and it still hasn't been acted on. This total lack of action on an extremely simple (and silly) three year old bug doesn't give one the warm fuzzies. Heck, it took 48 hours to get a response from a security officer, and another 24 hours to get something from the guilty developer.

From: jnemeth@vtn1 (John Nemeth)
Date: Sat, 19 Feb 2005 21:46:42 -0800
To: security@freebsd.org
Subject: rexecd root lockout

I'm working on converting NetBSD's rexecd to use PAM and I was looking at FreeBSD's rexecd for ideas. In the process I noticed that FreeBSD's version of rexecd is supposed to disallow its use by uid 0. However, there is a bug in the PAM conversion of FreeBSD's rexecd.c that disables that feature. The change was made in revision 1.29 of rexecd on May 2, 2002. The problem is around line 192 and exists in the latest version. As far as I can tell the problem affects all FreeBSD 5.x releases.

The problem is that the following line:

    if ((pwd->pw_uid == 0 && no_uid_0) || *pwd->pw_passwd == '\0' ||

was changed to:

    if ((pwd = getpwnam(user)) == NULL || (pwd->pw_uid = 0 && no_uid_0) ||

Note that the second version assigns 0 to pwd->pw_uid instead of comparing it, thus forcing the uid 0 test to always fail. The fix is to change the second line to:

    if ((pwd = getpwnam(user)) == NULL || (pwd->pw_uid == 0 && no_uid_0) ||

Note that I haven't tested any of this and found it by reading the code. The fix is also untested, but given the simplicity it should be fine.