Date:      Thu, 1 Aug 2002 21:34:48 +0200
From:      Radko Keves <rado@studnet.sk>
To:        freebsd-security@freebsd.org
Cc:        freebsd-current@freebsd.org
Subject:   possible bug in chsh chfn
Message-ID:  <20020801193448.GA4806@studnet.sk>

Description:

unauthorized write access to /etc directory using chfn/chsh commands in FreeBSD 5.0-CURRENT.


Contributing factors:

In FreeBSD 5.0, it is possible to fill up the whole partition by using chfn/chsh commands. Normally, users have quotas set up on directories that are allowed to be written for them, e.g. home directory, /tmp, /var/tmp, etc.

Let's say, a user has quotas set up this way:

% quota -u rado
Disk quotas for user rado (uid 1001):
     Filesystem   usage   quota   limit   grace   files   quota   limit   grace
          /home   66760  500000  550000            3481       0       0
           /tmp  135193  260000  280000            5417       0       0
           ...

There's normally no need to set up quotas for other partitions (such as /, /usr, ...) because ordinary users have no permission to write/change the files in those directories, e.g. in / or /etc.


Symptoms:

Our experience with the chsh/chfn commands shows that when a user changes his/her finger information/shell, these commands invoke the vi editor with a temporary file stored in /tmp. Imagine that a user's quota exceeded his/her limit for /tmp. Our ordinary user did this by filling up the /tmp partition with many large files. The chfn/chsh commands then stored their temporary files in the /etc directory with the given user's permissions, e.g.:

% id happy
uid=2006(happy) gid=58(st1999) groups=58(st1999)

% quota -u happy
 ...
 /tmp   21995*  20000   22000   7days       6       0       0
 ...
(We can see that the disk quota exceeded in /tmp for user happy)

% ls -ld /etc
drwxr-xr-x  20 root  wheel  22016 Aug  1 19:22 /etc

% ls -l /etc | grep happy
-rw-------   1 happy  st1999    157278362 Aug  1 19:19 pw.BEMwxq
-rw-------   1 happy  st1999          154 Aug  1 19:22 pw.KxGCF3
-rw-------   1 happy  st1999    157278362 Aug  1 19:19 pw.iW7Pmt
-rw-------   1 happy  st1999    157278362 Aug  1 19:20 pw.rhJq0s
-rw-------   1 happy  st1999    157278374 Aug  1 19:16 pw.tpPLK4

Now it is possible for such a user to fill up the root partition without having any permissions set on /, e.g. with

% cat /dev/zero >> /etc/pw.KxGCF3
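As an added defender-side check (not part of the original report), the following Python parses `ls -l /etc` and `quota -u` output of the form quoted above and flags pw.* temporary files in /etc that are not owned by root, plus filesystems whose usage carries quota(1)'s `*` over-limit marker. The sample lines are constructed from the listing in the report.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines in the style of `ls -l /etc` from the report above
SAMPLE_LS = """\
-rw-------   1 happy  st1999    157278362 Aug  1 19:19 pw.BEMwxq
-rw-------   1 happy  st1999          154 Aug  1 19:22 pw.KxGCF3
-rw-r--r--   1 root   wheel          2345 Aug  1 19:22 passwd
"""

# Constructed sample: one `quota -u happy` line; the '*' marks usage over the soft limit
SAMPLE_QUOTA = " /tmp   21995*  20000   22000   7days       6       0       0\n"

# Temp file names in the listing have the shape pw. followed by six characters
PW_TMP_RE = re.compile(r"^pw\.[A-Za-z0-9]{6}$")


@dataclass
class StrayFile:
    name: str
    owner: str
    size: int


def stray_pw_tmp_files(ls_output: str) -> list[StrayFile]:
    """Return pw.* temp files from `ls -l` output that are not owned by root."""
    found = []
    for line in ls_output.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # skip "total N" and blank lines
        owner, size, name = fields[2], fields[4], fields[8]
        if PW_TMP_RE.match(name) and owner != "root":
            found.append(StrayFile(name, owner, int(size)))
    return found


def total_stray_bytes(ls_output: str) -> int:
    """Bytes held in /etc by non-root pw.* temp files, i.e. space on the root fs."""
    return sum(f.size for f in stray_pw_tmp_files(ls_output))


def over_quota_filesystems(quota_output: str) -> list[str]:
    """Filesystems whose block usage field ends in quota(1)'s '*' marker."""
    over = []
    for line in quota_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1].endswith("*"):
            over.append(fields[0])
    return over
```

Running the two checks together (stray files in /etc and an over-quota /tmp) reproduces the condition the report describes, and is a cheap thing to alert on from a cron job.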


Workaround:

Our workaround is to either set up quotas for the root partition or disable the chsh/chfn commands.


Important Notices:

1. The chpass, ypchpass, ypchfn, and ypchsh commands also seem to be affected by the symptoms described above because they are just hard links... :)
2. When experimenting with the chpass command, it caused a segmentation fault when used with the -a argument because of a NULL pointer comparison in chpass.c, line 169: 

(no getpw* (3) library call invoked!!!)
if ((pw->pw_fields & _PWF_SOURCE) == _PWF_NIS)

% id happy
uid=2006(happy) gid=58(st1999) groups=58(st1999)

% chpass -a qqqqq
Segmentation fault

chpass doesn't seem to be locally exploitable. Some changes to the source code are needed for normal operation.


Credits:

pali@unitra.sk
happy@unitra.sk
rado@studnet.sk


-- 
--------------
bye
R.R.K.K.
