Date: Wed, 24 Jul 2002 19:11:52 +0200 From: Pawel Jakub Dawidek <nick@garage.freebsd.pl> To: freebsd-hackers@freebsd.org Subject: What for we need set-uid-root on passwd/chpass/etc.?:) Message-ID: <20020724171152.GA91362@garage.freebsd.pl>
next in thread | raw e-mail | index | archive | help
Hello there... I hope nobody will kill me for this post. Here is my idea how to remove set-uid-root from aplications like passwd/chpass/chsh/chfn/etc. I think in this way we will be much more secure. http://garage.freebsd.pl/pwd_parser.tgz And now description (from README): I've create this parser, because I want to remove set-uid-root from following applications: /usr/bin/passwd /usr/bin/chpass /usr/bin/chfn /usr/bin/chsh [...] And pwd_parser is one, little set-uid-root for all of those applications. This is something like brigde between (now set-gid on "passwd" group) passwd/chpass/etc. and pwd_mkdb(8). Parser could only be run by "passwd" group members or root, so users can't run it directly. Thanks to many tests made by this stuff even if passwd/chpass/etc. is broken, an attacker could only modify his own "password" and "change" fields (optionaly "comment" and "shell"). He can't change his uid or root's password for example. Temp file created by user have only one line, line with info about him, no more all records from /etc/master.passwd file. Rest of records are taken directly from master.passwd by parser. All characters in user's line should be printable (isprint(3)). If user can change shell, parser will check if it is a valid shell (it should be in /etc/shells). Login and uid in user's temp file given to parser is compared with real uid of pwd_parser process. This is the best way to check if user don't want to modify different lines in password file or his uid in this file. Arguments for pwd_mkdb(8) are also precisely checked. Permissions and owner user and group of temp file are checked too. Parser's code is clean (wrote with style(9) standards) and very simple, so easy to audit, I think. Note that no tests are made if root runs passwd/chpass/etc and temp file is placed in /etc/ instead of /tmp/. Modified source files: /usr/src/usr.bin/chpass/Makefile /usr/src/usr.bin/chpass/pw_copy.c /usr/src/usr.bin/passwd/Makefile /usr/src/usr.sbin/pwd_mkdb/pwd_mkdb.c /usr/src/usr.sbin/vipw/pw_util.c And here You got modifications with files in system: -rw-r----- 1 root passwd [...] /etc/master.passwd -rw-r----- 1 root passwd [...] /etc/spwd.db -r-xr-sr-x 2 root passwd [...] /usr/bin/passwd -r-xr-sr-x 6 root passwd [...] /usr/bin/chsh -r-xr-sr-x 6 root passwd [...] /usr/bin/chpass -r-xr-sr-x 6 root passwd [...] /usr/bin/chfn -r-sr-x--- 1 root passwd [...] /usr/sbin/pwd_parser If passwd/chpass/etc. will be broken an attacker could only read /etc/master.passwd. If pwd_parser will be broken, then users can't run it directly so I think if he wnt to use it, it should be security hole in passwd/chpass too. I know that passwd/chpass are safe (no security holes for long time or never), but what You think about this solution? -- Pawel Jakub Dawidek UNIX Systems Administrator http://garage.freebsd.pl Am I Evil? Yes, I Am. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020724171152.GA91362>