Re: FreeBSD Security Advisory FreeBSD-SA-06:25.kmem

Board: FB_security, posted 2006/12/06 21:52 (post 4 of 10 in this thread)
On Wed, Dec 06, 2006 at 06:26:31AM -0600, Josh Paetzel typed:
> On Wednesday 06 December 2006 04:07, Colin Percival wrote:
> > FreeBSD Security Advisories wrote:
> > > FreeBSD-SA-06:25.kmem
> > > Security Advisory The FreeBSD Project
> > > ...
> > > III. Impact
> > >
> > > A user in the "operator" group can read the contents of kernel
> > > memory. Such memory might contain sensitive information, such as
> > > portions of the file cache or terminal buffers. This information
> > > might be directly useful, or it might be leveraged to obtain
> > > elevated privileges in some way; for example, a terminal buffer
> > > might include a user-entered password.
> >
> > For what it's worth, there was a lot of debate about whether this
> > deserved an advisory: Members of the operator group are allowed (by
> > default, at least) to read raw disk devices, so being able to read
> > kernel memory really isn't very much of a privilege escalation. In
> > the end I decided to go ahead with this advisory largely because we
> > were already planning on issuing an advisory this week (for a far
> > more serious issue in GNU tar), but if a similar issue arises next
> > month, we might decide not to bother with an advisory.
> >
> > I'd be interested to hear opinions from the FreeBSD community about
> > whether this sort of issue is one which anyone really cares about.
> >
> > Colin Percival
> > FreeBSD Security Officer
>
> Sure, and if you can read raw disk devices you can
> read /etc/master.passwd and /etc/group....and if you can do that then
> it's trivial to break the passwords you need to su to someone in
> wheel and then su to root.
>
> I guess my point is someone in the operator group has a far easier way
> to gain root than this vuln.

True, but only in the default configuration.
The reading of raw disk devices really is controlled by filesystem privileges:

# ls -l /dev/ad4
crw-r-----  1 root  operator    0,  84 Dec  6 08:50 /dev/ad4

So you could for example remove the read bit for operators on some devices,
while still allowing them to dump/backup some other specific devices.

This isn't the case for kmem:

# ls -l /dev/kmem
crw-r-----  1 root  kmem    0,  25 Dec  6 08:50 /dev/kmem

In my opinion that makes this a bug and a security issue.

Ruben de Groot

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
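The argument above turns on which device nodes a given group can read: the operator group's access to raw disks is a permission bit an administrator can remove per device, while /dev/kmem is owned by the kmem group regardless. The following audit script is an added example, not code from the mailing-list post or from FreeBSD; it parses "ls -l" style lines and reports which device nodes are readable by a named group, or by everyone. The sample listing is constructed here (the /dev/ad4 and /dev/kmem lines mirror the ones quoted in the message; /dev/ad6 and /dev/example0 are invented entries) so the functions can be checked without root access on a real machine.

```shell
#!/bin/sh
# Added example (not from the original post): audit device-node group permissions.

# Constructed "ls -l" output. /dev/ad4 and /dev/kmem match the lines quoted in
# the thread; /dev/ad6 (operator read bit removed, the fix the post suggests) and
# /dev/example0 (deliberately world-readable) are invented for the example.
SAMPLE_LS='crw-r-----  1 root  operator    0,  84 Dec  6 08:50 /dev/ad4
crw-------  1 root  operator    0,  85 Dec  6 08:50 /dev/ad6
crw-r-----  1 root  kmem        0,  25 Dec  6 08:50 /dev/kmem
crw-r--r--  1 root  wheel       0,  99 Dec  6 08:50 /dev/example0'

# group_readable_devices GROUP
# Reads "ls -l" lines on stdin; prints the path of every character or block
# device whose group is GROUP and whose group-read bit (5th mode character) is set.
group_readable_devices() {
    group="$1"
    while read -r mode links owner grp rest; do
        case "$mode" in
            c*|b*) ;;          # device nodes only
            *) continue ;;
        esac
        gbit=$(printf '%s' "$mode" | cut -c5)
        path=${rest##* }       # the path is the last whitespace-separated field
        if [ "$grp" = "$group" ] && [ "$gbit" = "r" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# world_readable_devices
# Same idea for the "other" read bit (8th mode character): any user can read these.
world_readable_devices() {
    while read -r mode links owner grp rest; do
        case "$mode" in
            c*|b*) ;;
            *) continue ;;
        esac
        obit=$(printf '%s' "$mode" | cut -c8)
        path=${rest##* }
        if [ "$obit" = "r" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Wrappers over the constructed listing so results are reproducible offline.
operator_readable() {
    printf '%s\n' "$SAMPLE_LS" | group_readable_devices operator
}

kmem_group_readable() {
    printf '%s\n' "$SAMPLE_LS" | group_readable_devices kmem
}

world_readable() {
    printf '%s\n' "$SAMPLE_LS" | world_readable_devices
}

# On a live FreeBSD host, feed real output instead of the sample, for instance:
#   ls -l /dev/ad* /dev/kmem /dev/mem | group_readable_devices operator
```

With the constructed listing, the operator group can read /dev/ad4 but not /dev/ad6, only the kmem group can read /dev/kmem, and /dev/example0 shows up as readable by everyone. The parser relies only on the mode string and the group column, so it works on any "ls -l" output that follows the usual layout.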
Article ID (AID): #15Tiib00 (FB_security)