cvs commit: src/sbin/nologin Makefile nologin.c

David Schultz das at FreeBSD.ORG
Sun Feb 22 21:26:40 PST 2004 

On Sun, Feb 22, 2004, Tim Kientzle wrote:
> David Schultz wrote:
> >On Sun, Feb 22, 2004, Tim Kientzle wrote:
> >>Colin Percival wrote:
> >>
> >>>Report login attempts to syslog.  Due to the statically-linked nature of
> >>>nologin(8) ...
> >>
> >>Why is nologin statically linked?
> >
> >Because of environment-poisoning attacks such as the following:
> >
> >	das at VARK:~> setenv LD_LIBRARY_PATH /home/das/exploit
> >	das at VARK:~> \login -p test
> >
> >This attack was executed with a dynamically-linked /sbin/nologin
> >and a special libc.so.5 in the /home/das/exploit directory that
> >replaces the _exit() stub with a routine that spawns a shell.
> 
> Hmmmm....  Several other solutions come immediately to mind:
>   * Handle this in pam (or even in login)
>     (Just check if the user's shell is /sbin/nologin and
>     reject the login if it is.)
>   * Install /sbin/nologin setuid nobody or setgid nogroup
>     That would disable LD_LIBRARY_PATH processing for it.
>   * Have login -p not pass LD_LIBRARY_PATH
> 
> Of these, the first is arguably the best, the second easiest
> to implement.  The third I'm unsure about; I can't
> really picture a scenario where login -p should pass
> LD_LIBRARY_PATH, but that's hardly conclusive.
> 
> I agree, by the way, that there should be a way to
> "mark" a program as ignoring LD_LIBRARY_PATH at
> compile-time (other than making it setuid/setgid).

Your first and third proposals would add special cases, and it's
hard to guarantee that you've covered all the cases.  LD_PRELOAD
comes to mind.  The second proposal is a hack, but it seems to be
a much better hack than the static linking one we have right now.
Please go ahead and implement it if you're so inclined, or I can
take a look at it in a few days.  It should be a two-line change.

One unfortunate side-effect of dynamically linking root (and
/bin/sh in particular) that is still unsolved is that custom
versions of nologin that people have written as shell scripts are
now insecure.  Effectively, 'sh -p' is no longer useful.  On one
of the systems I use, for instance, there's a shell script that
prints an informative message for users whose accounts were closed
due to abuse or expiration.  Thus, it would be useful to
ultimately have a more comprehensive solution.

More information about the cvs-all mailing list