From owner-freebsd-security Fri Jan 18 5:57:10 2002 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 9305E37B41C; Fri, 18 Jan 2002 05:56:43 -0800 (PST) Received: (from nectar@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g0IDuh995329; Fri, 18 Jan 2002 05:56:43 -0800 (PST) (envelope-from security-advisories@freebsd.org) Date: Fri, 18 Jan 2002 05:56:43 -0800 (PST) Message-Id: <200201181356.g0IDuh995329@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-02:07.k5su Reply-To: security-advisories@freebsd.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-02:07 Security Advisory FreeBSD, Inc. Topic: Kerberos 5 su command uses getlogin for authorization Category: krb5, ports Module: crypto/heimdal/appl/su, heimdal Announced: 2002-01-18 Credits: Aaron Affects: FreeBSD 4.4-RELEASE FreeBSD 4.4-STABLE prior to the correction date Ports collection prior to the correction date Corrected: 2002-01-15 21:52:48 UTC (RELENG_4) 2002-01-17 15:45:05 UTC (RELENG_4_4) 2002-10-31 19:58:05 UTC (heimdal port) FreeBSD only: NO I. Background The getlogin and setlogin system calls are used to manage the user name associated with a login session. k5su is a Kerberos 5-enabled su program. Like su, it allows authorized users to `switch user' in order to obtain additional privileges. II. Problem Description The setlogin system call, the use of which is restricted to the superuser, is used to associate a user name with a login session. The getlogin system call is used to retrieve that user name. The setlogin system call is typically used by applications such as login and sshd. The k5su command included with FreeBSD, versions prior to 4.5-RELEASE, and the su command included in the heimdal port, versions prior to heimdal-0.4e_2, use the getlogin system call in order to determine whether the currently logged-in user is `root'. In some circumstances, it is possible for a non-privileged process to have `root' as the login name returned by getlogin. The `k5su' command may be installed as part of FreeBSD when Kerberos 5 support is requested, or it may be installed from the FreeBSD Ports Collection (ports/security/heimdal), in which case it is installed simply as `su'. The Heimdal port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 6000 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.4 contains this problem since it was discovered after the release. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact In some circumstances, process that have been started by root but have given up superuser privileges may be able to invoke `k5su' to regain superuser privileges. IV. Workaround Commands to be executed as root are signified by lines starting with the `#' character. [Kerberos 5 in the base system] Remove the set-user-ID bit from the `k5su' executable by running the following command as root: # chmod u-s /usr/bin/k5su [Heimdal port] Remove the set-user-ID bit from the `su' executable by running the following command as root: # chmod u-s /usr/local/bin/su V. Solution [Kerberos 5 in the base system] NOTE: If the file /usr/bin/k5su does not exist on your system, Kerberos 5 is not installed and you do not need to take any action. Do one of the following: 1) Upgrade your system to 4.4-STABLE or the RELENG_4_4 security branch, dated after the respective correction dates. 2) To patch your present system: The following patch has been verified to apply to FreeBSD 4.4-RELEASE and 4.4-STABLE dated prior to the correction date. It may or may not apply to older, unsupported versions of FreeBSD. Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility. # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-02:07/k5su.patch # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-02:07/k5su.patch.asc Execute the following commands as root: # cd /usr/src # patch < /path/to/k5su.patch # cd /usr/src/kerberos5/lib # env MAKE_KERBEROS5=yes make depend # env MAKE_KERBEROS5=yes make all install # cd /usr/src/kerberos5/usr.bin/k5su # env MAKE_KERBEROS5=yes make depend # env MAKE_KERBEROS5=yes make all install [Heimdal port] Do one of the following: 1) Upgrade your entire ports collection and rebuild the port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from the following directories: [i386] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/heimdal-0.4e_2.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/heimdal-0.4e_2.tgz [alpha] Packages are not automatically generated for the alpha architecture at this time due to lack of build resources. 3) Download a new port skeleton for the heimdal port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz VI. Correction details The following list contains the revision numbers of each file that was corrected in the FreeBSD ports collection. [Kerberos 5 in the base system] Path Revision Branch - ------------------------------------------------------------------------- src/crypto/heimdal/appl/su/su.c HEAD 1.1.1.4 RELENG_4 1.1.1.1.2.2 RELENG_4_4 1.1.1.1.2.1.4.1 RELENG_4_3 1.1.1.1.2.1.2.1 - ------------------------------------------------------------------------- [Heimdal port] Path Revision - ------------------------------------------------------------------------- ports/security/heimdal/Makefile 1.46 ports/security/heimdal/patch-appl::su::su.c 1.1 - ------------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBPEgo31UuHi5z0oilAQGegQP/U3IsWQ75B/VqWU7/V5i4O9yDfQBzj/jZ iZXXvzMQVHZmgMnBo015UCZGqKci4fXw4+TY1YNcqdLln43hJg3TizJuhLFUOwge e8JN52w9gMknKDmpTTJAsW94FwOy/YwTn36Xlxzd4juiRlLm4F0Jmz37gCnfG7vB WSvAJjOX77I= =+CLY -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message