From owner-freebsd-bugs  Mon May  1 17:10:52 1995
Return-Path: bugs-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id RAA11834 for bugs-outgoing; Mon, 1 May 1995 17:10:52 -0700
Received: from mail.barrnet.net (mail.BARRNET.NET [131.119.246.7]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id RAA11743 ; Mon, 1 May 1995 17:08:22 -0700
Received: from bunyip.cc.uq.oz.au (bunyip.cc.uq.oz.au [130.102.2.1]) by mail.barrnet.net (8.6.10/MAIL-RELAY-LEN) with SMTP id RAA03799; Mon, 1 May 1995 17:05:34 -0700
Received: from s1.elec.uq.oz.au by bunyip.cc.uq.oz.au with SMTP (PP); Tue, 2 May 1995 10:06:34 +1000
Received: from s4 (s4.elec.uq.oz.au) by s1.elec.uq.oz.au (4.0/SMI-4.0) id AA18803; Tue, 2 May 95 10:06:11 EST
From: clary@elec.uq.oz.au (Clary Harridge)
Message-Id: <9505020006.AA18803@s1.elec.uq.oz.au>
Subject: Re: DISKLESS users become root
To: freebsd-security@FreeBSD.org
Date: Tue, 2 May 1995 10:05:27 +1000 (EST)
Cc: freebsd-bugs@FreeBSD.org, marks@cheque1.cheque.uq.oz.au (Mark Schulz)
In-Reply-To: <9504260509.AA15058@s1.elec.uq.oz.au> from "Clary Harridge" at Apr 26, 95 03:08:47 pm
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 2778
Sender: bugs-owner@FreeBSD.org
Precedence: bulk

> 
> Users on any DISKLESS client can become root during the boot sequence.
> 
> I have diskless clients booting off a FreeBSD file server and find that
> 
> Pressing CTRLC just after the last NFS mount and before the "autoreboot"
This also happens with CTRL\
> message causes
> 
>    init: /bin/sh on /etc/rc terminated abnormally, going to single user mode
>    Enter pathname of shell or RETURN for sh:
> 
> then
> 
>    RETURN gives a root shell.
> 
> The state of the /etc/ttys file is not being checked for whether the
> console is secure (or not) and the user is NOT prompted for a root
> password.
> 

The problem is that there is a time slot from the start of "init" until
the "read_ttys" subroutine checks / sets the "[in]secure" mode.
This time is probably small on a system with local disk and you probably
need to be lucky to cause either a SIGINT (CTRLC) or SIGQUIT (CTRL\) at
the right time. However on a diskless system the time slot is of the
order of tens of seconds and you can easily become super user.

The following patch will close this security hole.

================================================================
*** init.c	Tue May 2 08:47:49 1995
--- init.c_orig	Fri Apr 28 10:39:51 1995
***************
*** 178,186 ****
  	sigset_t mask;
  
- 	/* disable interrupts until /etc/ttys secure is checked */
- 	(void) signal(SIGINT, SIG_IGN);
- 	(void) signal(SIGQUIT, SIG_IGN);
  	/* Dispose of random users. */
  	if (getuid() != 0) {
  		(void)fprintf(stderr, "init: %s\n", strerror(EPERM));
--- 178,183 ----
***************
*** 239,245 ****
  	handle(badsys, SIGSYS, 0);
  	handle(disaster, SIGABRT, SIGFPE, SIGILL, SIGSEGV, SIGBUS, SIGXCPU,
  	    SIGXFSZ, 0);
! 	handle(transition_handler, SIGHUP, SIGTERM, SIGTSTP, 0);
  	handle(alrm_handler, SIGALRM, 0);
  	sigfillset(&mask);
  	delset(&mask, SIGABRT, SIGFPE, SIGILL, SIGSEGV, SIGBUS, SIGSYS,
--- 236,242 ----
  	handle(badsys, SIGSYS, 0);
  	handle(disaster, SIGABRT, SIGFPE, SIGILL, SIGSEGV, SIGBUS, SIGXCPU,
  	    SIGXFSZ, 0);
! 	handle(transition_handler, SIGHUP, SIGINT, SIGTERM, SIGTSTP, 0);
  	handle(alrm_handler, SIGALRM, 0);
  	sigfillset(&mask);
  	delset(&mask, SIGABRT, SIGFPE, SIGILL, SIGSEGV, SIGBUS, SIGSYS,
================================================================

This is not the whole answer if your ttys flag is secure, as a call to
handle(transition_handler, SIGINT, 0); should probably be done at some
stage after or during "read_ttys"?

-- 
regards                       Dept. of Electrical Engineering,
Clary Harridge                University of Queensland, QLD, Australia, 4072
Phone: +61-7-365-3636         Fax: +61-7-365-4999
INTERNET: clary@elec.uq.oz.au
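Review bot: in the 178,186 hunk the two signal(..., SIG_IGN) calls have no matching reset anywhere in the patch, so the ignore outlives the window the comment says it is for: SIG_IGN is inherited across both fork and exec, so not only the /bin/sh that runs /etc/rc but every getty and single-user shell init forks afterwards starts with SIGINT and SIGQUIT ignored, and init itself can never receive either signal again. Save the dispositions that signal() returns and put them back once read_ttys has run (or reset them to SIG_DFL in the child after each later fork, before the exec). Two smaller points: the comment says "interrupts" where it means the SIGINT/SIGQUIT keyboard signals, and the file header lists init.c (patched) first and init.c_orig second, so the hunks read backwards, with the "-" lines being the additions; apply with patch -R or regenerate the diff with the arguments swapped.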
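Review bot: in the 239,245 hunk, dropping SIGINT from the handle(transition_handler, ...) list is what keeps the earlier SIG_IGN in force (handle() would otherwise install a catching handler, and a caught handler is reset to SIG_DFL when the rc shell execs), but nothing re-registers it afterwards, so the SIGINT transition init used to support is gone for the lifetime of the system rather than just for the boot window. As the reply itself suggests, add handle(transition_handler, SIGINT, 0); once read_ttys has run; because caught signals revert to default on exec, shells and gettys spawned after that point will see the normal default SIGINT again. SIGQUIT was never in this handle() list, so it needs its own restore after read_ttys (put back the disposition the signal() call in the first hunk returned) rather than a handle() call.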
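The reason the patch ignores SIGINT and SIGQUIT rather than catching them, and why the second hunk has to take SIGINT out of the handle() list, comes down to one rule: a disposition of SIG_IGN survives fork and exec, while a caught handler is reset to SIG_DFL on exec. The program below demonstrates that rule the way init exercises it. It is an added example, not code from Clary's mail or from FreeBSD's init.c; it assumes a POSIX system with /bin/sleep, and uses sleep as a stand-in for the /bin/sh that runs /etc/rc (nothing here touches init or /etc/ttys).

```c
/*
 * Added example, not from the FreeBSD mail or from init.c.
 *
 * child_survives_sigint(1): the parent ignores SIGINT (as the patch makes
 *   init do), forks, and the child execs /bin/sleep.  SIG_IGN is inherited
 *   through exec, so a SIGINT sent to the child is discarded and sleep
 *   exits normally.  Returns 1.
 * child_survives_sigint(0): the parent *catches* SIGINT (as init's
 *   handle(transition_handler, ..., SIGINT, ...) did), forks, and the child
 *   execs /bin/sleep.  exec resets caught signals to SIG_DFL, so the same
 *   SIGINT kills sleep.  Returns 0.
 * SIGQUIT (CTRL-\) behaves identically; SIGINT is used so no core is dumped.
 */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Stand-in for init's transition_handler: a caught, non-fatal handler. */
static void caught_handler(int sig) { (void)sig; }

/* 1 = child exited normally, 0 = SIGINT killed it, -1 = setup failure. */
int child_survives_sigint(int ignore_in_parent)
{
    struct sigaction sa, old;
    struct timespec settle = { 0, 500000000L };   /* 0.5 s, constructed */
    pid_t pid;
    int status, result;

    memset(&sa, 0, sizeof sa);
    sigemptyset(&sa.sa_mask);
    sa.sa_handler = ignore_in_parent ? SIG_IGN : caught_handler;
    if (sigaction(SIGINT, &sa, &old) == -1)
        return -1;

    pid = fork();
    if (pid == -1) {
        sigaction(SIGINT, &old, NULL);
        return -1;
    }
    if (pid == 0) {
        /* Child: leave the disposition alone, exec decides what survives.
         * Only make sure SIGINT is not blocked, so delivery is not deferred. */
        sigset_t unblock;
        sigemptyset(&unblock);
        sigaddset(&unblock, SIGINT);
        sigprocmask(SIG_UNBLOCK, &unblock, NULL);
        execl("/bin/sleep", "sleep", "1", (char *)NULL);
        _exit(127);
    }

    /* Let the child reach execve() before signalling, so the signal lands on
     * "sleep" and not on the pre-exec child that still has our handler. */
    nanosleep(&settle, NULL);
    kill(pid, SIGINT);

    if (waitpid(pid, &status, 0) == -1)
        result = -1;
    else if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        result = 1;   /* SIG_IGN came through exec: the child ignored ^C */
    else if (WIFSIGNALED(status) && WTERMSIG(status) == SIGINT)
        result = 0;   /* caught handler became SIG_DFL on exec: ^C killed it */
    else
        result = -1;

    sigaction(SIGINT, &old, NULL);   /* restore the caller's disposition */
    return result;
}

int main(void)
{
    printf("parent ignores SIGINT -> child survives: %d\n",
           child_survives_sigint(1));
    printf("parent catches SIGINT -> child survives: %d\n",
           child_survives_sigint(0));
    return 0;
}
```

The first case is the patched init: the rc shell inherits SIG_IGN and a console ^C no longer terminates /etc/rc. The second case is the unpatched init, where handle() had installed a catching handler that exec threw away, leaving the rc shell with the default, fatal disposition. It also shows the cost the patch does not address: whatever init forks later (gettys, the single-user shell) inherits the same SIG_IGN until init restores the disposition.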