Re: ~/.login_conf mechanism is flawed

Board: FB_security, posted 2010/08/11 02:01 (15 years ago)
0 comments, 0 participants, message 6/13 in the thread
Przemyslaw Frasunek <przemyslaw@frasunek.com> writes:

> 41513 ftpd CALL seteuid(0xbb8)
> 41513 ftpd RET seteuid 0
> 41513 ftpd NAMI "/home/venglin/.login_conf"
> 41513 ftpd NAMI "/home/venglin/.login_conf.db"
> 41513 ftpd NAMI "/home/venglin/.login_conf.db"

login_getclassbyname() temporarily drops privs while reading the user's .login_conf, because the user's ~ may be on (for instance) an NFS mount with -maproot=nobody. Janne's mistake is to assume that reading == processing. However, he is correct in that in the event of an exploitable code injection vulnerability in the code that *reads* the file, the injected code can easily reacquire root privs.

There is a different issue documented in PR bin/141840 which results in the user's resource limits being processed *with* root privs in certain circumstances. It so happens that in FreeBSD, those circumstances only arise in OpenSSH. This does not mean that the bug is in OpenSSH; it's in setusercontext(3), which makes unwarranted assumptions about how it is being called. Unfortunately, that PR arrived at a time when so@ was busy with far more important issues, and it fell through the cracks.

The good news is that the only settings that can be overridden in this manner are resource limits and the CPU mask.

DES
-- 
Dag-Erling Smørgrav - des@des.no
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
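The message turns on the difference between a temporary privilege drop (seteuid(), which is what the ktrace output above shows and which is reversible by design) and a permanent one, and on the ordering problem where user-supplied resource limits get applied while still root. The following C program is an added illustration written for this page; it is not code from the FreeBSD libutil, setusercontext(3) or the original post. The function names (temporary_drop_is_reversible, drop_privs_permanently, apply_user_limit) are this example's own. It contrasts the two drop patterns, verifies that a permanent drop really cannot be undone, and refuses to apply a user-controlled limit unless the effective uid is already non-root, which is the invariant the PR describes as being violated. Run it as an unprivileged user to see the permanent path succeed; run it as root to see the reversible path report that root was regained.

```c
#define _GNU_SOURCE            /* setresuid()/setresgid() prototypes on glibc */
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop only the effective uid, the way seteuid()-based code does while
 * reading a user-owned file, then report whether root could be regained.
 * Returns 1 if seteuid(0) succeeded afterwards, 0 if it did not, -1 on
 * error. Only meaningful when the process started as root; as an
 * unprivileged user both calls are no-ops or fail, so the result is 0. */
int temporary_drop_is_reversible(uid_t uid)
{
    if (seteuid(uid) != 0)
        return -1;
    /* The saved uid is still 0 here, so any code running at this point
     * can switch back. That is the property the post is discussing. */
    return seteuid(0) == 0 ? 1 : 0;
}

/* Drop real, effective and saved ids so that no later set*uid(0) can
 * succeed, then verify the drop. Returns 0 on success, -1 on failure or
 * if root could still be regained (errno set to EPERM in that case). */
int drop_privs_permanently(uid_t uid, gid_t gid)
{
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Verification step: for a non-root target, regaining root must fail. */
    if (uid != 0 && seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Apply a soft limit taken from user-controlled configuration. The caller
 * must already be unprivileged; if the effective uid is still 0 the limit
 * is refused rather than applied with root privileges. Returns 0 on
 * success, -1 on refusal or setrlimit() failure. */
int apply_user_limit(int resource, rlim_t soft)
{
    struct rlimit rl;

    if (geteuid() == 0) {
        errno = EPERM;
        return -1;
    }
    if (getrlimit(resource, &rl) != 0)
        return -1;
    if (soft > rl.rlim_cur)
        soft = rl.rlim_cur;        /* unprivileged code may only lower limits */
    rl.rlim_cur = soft;
    return setrlimit(resource, &rl);
}

int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    printf("temporary drop reversible: %d\n", temporary_drop_is_reversible(uid));
    printf("permanent drop: %s\n",
           drop_privs_permanently(uid, gid) == 0 ? "ok" : "failed");
    /* RLIMIT_CORE 0 is a constructed sample value; lowering it never
     * needs privilege, so the call only fails when still root. */
    printf("apply user limit: %s\n",
           apply_user_limit(RLIMIT_CORE, 0) == 0 ? "applied" : "refused");
    return 0;
}
```

The point of the last function is the ordering the message describes: anything parsed out of ~/.login_conf, resource limits included, should reach setrlimit() only after the process has taken the permanent path, never between a seteuid() down and a seteuid(0) back up.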
Article ID (AID): #1COPFZbT (FB_security)