Re: ~/.login_conf mechanism is flawed

Board FB_security, posted 2010/08/11 02:32
On Tue, Aug 10, 2010 at 05:36:12PM +0200, Dag-Erling Smørgrav wrote:
> > 41513 ftpd CALL seteuid(0xbb8)
> > 41513 ftpd RET seteuid 0
> > 41513 ftpd NAMI "/home/venglin/.login_conf"
> > 41513 ftpd NAMI "/home/venglin/.login_conf.db"
> > 41513 ftpd NAMI "/home/venglin/.login_conf.db"
>
> login_getclassbyname() temporarily drops privs while reading the user's
> .login_conf, because the user's ~ may be on (for instance) an NFS mount
> with -maproot=nobody.
>
> Janne's mistake is to assume that reading == processing.
>
> However, he is correct in that in the event of an exploitable code
> injection vulnerability in the code that *reads* the file, the injected
> code can easily reacquire root privs.
>
> There is a different issue documented in PR bin/141840 which results in
> the user's resource limits being processed *with* root privs in certain
> circumstances. It so happens that in FreeBSD, those circumstances only
> arise in OpenSSH. This does not mean that the bug is in OpenSSH; it's
> in setusercontext(3), which makes unwarranted assumptions about how it
> is being called.
>
> Unfortunately, that PR arrived at a time when so@ was busy with far more
> important issues, and it fell through the cracks.
>
> The good news is that the only settings that can be overridden in
> this manner are resource limits and the CPU mask.

There is another issue in stock ftpd and usercontext, see PR
http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/143570
which contains a trivial patch.

Eugene Grosbein

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
Article ID (AID): #1COPiZtS (FB_security)