From owner-cvs-all@FreeBSD.ORG Sun Feb 22 21:26:40 2004 Return-Path: Delivered-To: cvs-all@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 65AEB16A4CE; Sun, 22 Feb 2004 21:26:40 -0800 (PST) Received: from VARK.homeunix.com (adsl-68-122-0-124.dsl.pltn13.pacbell.net [68.122.0.124]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1AE6143D1D; Sun, 22 Feb 2004 21:26:40 -0800 (PST) (envelope-from das@FreeBSD.ORG) Received: from VARK.homeunix.com (localhost [127.0.0.1]) by VARK.homeunix.com (8.12.11/8.12.10) with ESMTP id i1N5LBek058426; Sun, 22 Feb 2004 21:21:11 -0800 (PST) (envelope-from das@FreeBSD.ORG) Received: (from das@localhost) by VARK.homeunix.com (8.12.11/8.12.10/Submit) id i1N5LArE058425; Sun, 22 Feb 2004 21:21:11 -0800 (PST) (envelope-from das@FreeBSD.ORG) Date: Sun, 22 Feb 2004 21:21:10 -0800 From: David Schultz To: kientzle@acm.org Message-ID: <20040223052110.GA58255@VARK.homeunix.com> Mail-Followup-To: kientzle@acm.org, Colin Percival , src-committers@FreeBSD.ORG, cvs-src@FreeBSD.ORG, cvs-all@FreeBSD.ORG References: <200402221003.i1MA3PW0024791@repoman.freebsd.org> <403944D8.6050107@kientzle.com> <20040223025647.GA43467@VARK.homeunix.com> <40397824.3080607@kientzle.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <40397824.3080607@kientzle.com> cc: cvs-src@FreeBSD.ORG cc: src-committers@FreeBSD.ORG cc: cvs-all@FreeBSD.ORG cc: Colin Percival Subject: Re: cvs commit: src/sbin/nologin Makefile nologin.c X-BeenThere: cvs-all@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: CVS commit messages for the entire tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Feb 2004 05:26:40 -0000 On Sun, Feb 22, 2004, Tim Kientzle wrote: > David Schultz wrote: > >On Sun, Feb 22, 2004, Tim Kientzle wrote: > >>Colin Percival wrote: > >> > >>>Report login attempts to syslog. Due to the statically-linked nature of > >>>nologin(8) ... > >> > >>Why is nologin statically linked? > > > >Because of environment-poisoning attacks such as the following: > > > > das@VARK:~> setenv LD_LIBRARY_PATH /home/das/exploit > > das@VARK:~> \login -p test > > > >This attack was executed with a dynamically-linked /sbin/nologin > >and a special libc.so.5 in the /home/das/exploit directory that > >replaces the _exit() stub with a routine that spawns a shell. > > Hmmmm.... Several other solutions come immediately to mind: > * Handle this in pam (or even in login) > (Just check if the user's shell is /sbin/nologin and > reject the login if it is.) > * Install /sbin/nologin setuid nobody or setgid nogroup > That would disable LD_LIBRARY_PATH processing for it. > * Have login -p not pass LD_LIBRARY_PATH > > Of these, the first is arguably the best, the second easiest > to implement. The third I'm unsure about; I can't > really picture a scenario where login -p should pass > LD_LIBRARY_PATH, but that's hardly conclusive. > > I agree, by the way, that there should be a way to > "mark" a program as ignoring LD_LIBRARY_PATH at > compile-time (other than making it setuid/setgid). Your first and third proposals would add special cases, and it's hard to guarantee that you've covered all the cases. LD_PRELOAD comes to mind. The second proposal is a hack, but it seems to be a much better hack than the static linking one we have right now. Please go ahead and implement it if you're so inclined, or I can take a look at it in a few days. It should be a two-line change. One unfortunate side-effect of dynamically linking root (and /bin/sh in particular) that is still unsolved is that custom versions of nologin that people have written as shell scripts are now insecure. Effectively, 'sh -p' is no longer useful. On one of the systems I use, for instance, there's a shell script that prints an informative message for users whose accounts were closed due to abuse or expiration. Thus, it would be useful to ultimately have a more comprehensive solution.