From owner-freebsd-security Thu Oct 26 08:53:00 1995 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id IAA10970 for security-outgoing; Thu, 26 Oct 1995 08:53:00 -0700 Received: from racer.dkrz.de (racer.dkrz.de [136.172.110.55]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id IAA10955 for ; Thu, 26 Oct 1995 08:52:54 -0700 Received: from madonna.dkrz.de.dkrz.de (madonna.dkrz.de [136.172.110.69]) by racer.dkrz.de (8.7.1/8.7.1) with SMTP id QAA16944; Thu, 26 Oct 1995 16:50:40 +0100 (MET) Date: Thu, 26 Oct 1995 16:50:40 +0100 (MET) From: "Georg-W. Koltermann" Message-Id: <199510261550.QAA16944@racer.dkrz.de> Received: by madonna.dkrz.de.dkrz.de (4.1/SMI-4.1) id AA04333; Thu, 26 Oct 95 16:51:22 +0100 To: davidg@Root.COM Cc: phk@critter.tfs.com, dab@berserkly.cray.com, hartmans@mit.edu, security@freebsd.org In-Reply-To: <199510261200.FAA00275@corbin.Root.COM> (message from David Greenman on Thu, 26 Oct 1995 05:00:19 -0700) Subject: Re: telnetd fix Reply-To: gwk@cray.com Sender: owner-security@freebsd.org Precedence: bulk > > >> > At the moment, I'm seriously considering adding a switch to shut off the > >> > feature in FreeBSD's telnetd and making it the default in inetd.conf. > >> > >> YES! > >> > >> -- > >> Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team. > > > >NO! > > > >I'd rather like to see a statically linked login, which would plug the > >hole without any side-effects. > > Have people not been listening? The problem I keep bringing up has to do > with environment variables used in libc. Building login static doesn't affect > this. My original message is attached. > > -DG > > To: dab@cray.com > cc: security@freebsd.org, hartmans@mit.edu > Subject: telnetd fix > From: David Greenman > Reply-To: davidg@Root.COM > -------- > Dave - > > Hi; I've been thinking about the telnetd security patch that was recently > sent out. I've been watching the list of "vulnerable" environment variables > grow daily...I really think that excluding certain environment variables is the > wrong approach to solving the problem. I think it is is much wiser to do an > inclusive test rather than an exclusive one - in other words, only allow > setting specific environment variables such as DISPLAY and TERM (perhaps those > two comprise a complete list - I can't think of any legitimate others). The > reasoning is simple: while you may catch the current set of environment > variables related to shared library spoofing, a quick search through _just_ > libc in FreeBSD reveals yet another list of worries: > > HOME > TZNAME > TZ > LANG > TMPDIR > NLSPATH > RES_OPTIONS > HOSTALIASES > LOCALDOMAIN > PATH_LOCALE David, [[ well, maybe I was not listening close enough, I will not deny that I am unable to read every line of every mail carefully when I receive so many of them every day.]] In my opinion these other environment variables *should not* be a problem. Or at least not a problem that can be fixed in telnetd. A program that runs with root priviledges on behalf of a user *has to* take special precaution that it is side-effect free. For example, it must not use $PATH, nor $HOME without checking carefully if these are trouble-free. It must not use any inherited environment variable as part of the name of a file that it writes without similar security measures. Of course the same care has to be applied with regard to any library routine that is called which in turn can use environment variables. After all nothing prevents any user from setting up a malicious environment and then typing /usr/bin/login! I believe these issues are understood and taken care of by people who write these kinds of programs. On the other hand, no programmer can safeguard against linking in code from a bad dynamic library long after he has finished his program. So extra steps must be taken that a program with root priviledges actually uses only the code that the programmer wanted. One approach is having ld.so effectively ignore environment variables like $LD_LIBRARY_PATH. The SUNOS man page for ld.so says, e. g.: NOTE: when running a set-user- or set-group-ID program, ld.so will only search for libraries in directories it "trusts", which are /usr/lib, /usr/5lib, /usr/local/lib, and any directories specified within the executable as a result of -L options given when the executable was constructed. A previous mail from Sam Hartman included a more detailed explanation (maybe that part was contributed by Theodore Ts'o): Most runtime linkers treat set user-id and set group-id programs specially: for these programs the environment variables are ignored when the program is run by a user other than the owner of the file, or by someone in a group other than the primary group of the file. Even though login is often set user-id, the environment variables are used because it is run by telnetd which runs as root. So it seems the action taken in ld.so is only effective if login gets called by a logged-in user, and not when it gets started by telnetd or any other root-process (xdm? rlogind? you-name-it-d?). The next logical step would be to avoid dynamic linking altogether for the login program. This has been proposed by someone else before (I don't recall his name), and I brought it up again in my previous mail. There remains an issue with static linking. Sometimes library writers invent new features. Functions which previously were simple and safe later become feature-full and tailorable by environment variables. E. g. some versions of tmpfile(3) obey $TMPDIR if set, while older versions use the hard-coded P_tmpdir from for the directory where the file is created. This way a program which was believed-safe may become unsafe just by relinking with a newer version of a library routine. This is in no way restricted to dynamic linking, it can happen just as well with static linking at compile time. The *only* protection here is, IMHO, to have the program *itself* clear out the environment at startup time. One can *not* depend on the caller (which happens to be telnetd here) to do this, because in almost every case the caller could just as well be a shell operated by a malicious user. $DISCLAIMER (you know what I mean) Georg-W. Koltermann, gwk@cray.com