~/.login_conf mechanism is flawed

Dag-Erling Smørgrav des at des.no
Tue Aug 10 15:36:14 UTC 2010


Przemyslaw Frasunek <przemyslaw at frasunek.com> writes:
>  41513 ftpd     CALL  seteuid(0xbb8)
>  41513 ftpd     RET   seteuid 0
>  41513 ftpd     NAMI  "/home/venglin/.login_conf"
>  41513 ftpd     NAMI  "/home/venglin/.login_conf.db"
>  41513 ftpd     NAMI  "/home/venglin/.login_conf.db"

login_getclassbyname() temporarily drops privs while reading the user's
.login_conf, because the user's ~ may be on (for instance) an NFS mount
with -maproot=nobody.

Janne's mistake is to assume that reading == processing.

However, he is correct in that in the event of an exploitable code
injection vulnerability in the code that *reads* the file, the injected
code can easily reacquire root privs.

There is a different issue documented in PR bin/141840 which results in
the user's resource limits being processed *with* root privs in certain
circumstances.  It so happens that in FreeBSD, those circumstances only
arise in OpenSSH.  This does not mean that the bug is in OpenSSH; it's
in setusercontext(3), which makes unwarranted assumptions about how it
is being called.

Unfortunately, that PR arrived at a time when so@ was busy with far more
important issues, and it fell through the cracks.

The good news is that the only settings that can be overridden in
this manner are resource limits and the CPU mask.

DES
-- 
Dag-Erling Smørgrav - des at des.no
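The point DES makes about the ktrace above, that a seteuid() drop around the .login_conf read is temporary and that code running in that window "can easily reacquire root privs", comes down to the saved set-user-id staying 0. The following C program is an added illustration of that credential model; it is not DES's code and not FreeBSD's libutil. It uses the unprivileged uid 3000 (0xbb8, the value seen in the quoted ktrace) as a constructed example, and its pure helper classifies a (real, effective, saved) uid triple so the same logic can be checked without running as root.

```c
/* Added illustration (not from the post, not FreeBSD's libutil): why a
 * temporary seteuid() drop, the pattern used around the ~/.login_conf
 * read, can be undone, while a setresuid() drop of all three uids cannot. */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Pure check on a (real, effective, saved) uid triple: root is only gone
 * for good when none of the three uids is 0.  With saved uid 0 a plain
 * seteuid(0) still succeeds. */
int privs_permanently_dropped(uid_t ruid, uid_t euid, uid_t suid)
{
    return ruid != 0 && euid != 0 && suid != 0;
}

/* Classify the calling process's own triple (-1 if getresuid fails). */
int current_privs_permanently_dropped(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return privs_permanently_dropped(r, e, s);
}

int main(void)
{
    uid_t r, e, s;
    const uid_t unpriv = 3000; /* constructed: 0xbb8 from the quoted ktrace */

    if (geteuid() != 0) {
        fprintf(stderr, "run as root to observe the transitions\n");
        return 1;
    }

    /* Temporary drop: only the effective uid changes. */
    if (seteuid(unpriv) != 0) { perror("seteuid"); return 1; }
    getresuid(&r, &e, &s);
    printf("after seteuid(%u): ruid=%u euid=%u suid=%u permanent=%d\n",
           (unsigned)unpriv, (unsigned)r, (unsigned)e, (unsigned)s,
           privs_permanently_dropped(r, e, s));

    /* Saved uid is still 0, so root is one call away. */
    if (seteuid(0) != 0) { perror("seteuid(0)"); return 1; }
    printf("seteuid(0) succeeded, euid=%u\n", (unsigned)geteuid());

    /* Permanent drop: real, effective and saved uid all change. */
    if (setresuid(unpriv, unpriv, unpriv) != 0) { perror("setresuid"); return 1; }
    getresuid(&r, &e, &s);
    printf("after setresuid: ruid=%u euid=%u suid=%u permanent=%d\n",
           (unsigned)r, (unsigned)e, (unsigned)s,
           privs_permanently_dropped(r, e, s));
    printf("seteuid(0) now %s\n",
           seteuid(0) == 0 ? "succeeded (unexpected)" : "fails, as it should");
    return 0;
}
```

Run as root to see both transitions; the first seteuid(0) succeeds because the saved uid was never changed, which is exactly why the drop around the file read protects against NFS -maproot=nobody but is not a boundary against code executing in that window.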