~/.login_conf mechanism is flawed
Eugene Grosbein
eugen at eg.sd.rdtc.ru
Tue Aug 10 18:13:39 UTC 2010
On Tue, Aug 10, 2010 at 05:36:12PM +0200, Dag-Erling Sm??rgrav wrote:
> > 41513 ftpd CALL seteuid(0xbb8)
> > 41513 ftpd RET seteuid 0
> > 41513 ftpd NAMI "/home/venglin/.login_conf"
> > 41513 ftpd NAMI "/home/venglin/.login_conf.db"
> > 41513 ftpd NAMI "/home/venglin/.login_conf.db"
>
> login_getclassbyname() temporarily drops privs while reading the user's
> .login_conf, because the user's ~ may be on (for instance) an NFS mount
> with -maproot=nobody.
>
> Janne's mistake is to assume that reading == processing.
>
> However, he is correct in that in the event of an exploitable code
> injection vulnerability in the code that *reads* the file, the injected
> code can easily reacquire root privs.
>
> There is a different issue documented in PR bin/141840 which results in
> the user's resource limits being processed *with* root privs in certain
> circumstances. It so happens that in FreeBSD, those circumstances only
> arise in OpenSSH. This does not mean that the bug is in OpenSSH; it's
> in setusercontext(3), which makes unwarranted assumptions about how it
> is being called.
>
> Unfortunately, that PR arrived at a time when so@ was busy with far more
> important issues, and it fell through the cracks.
>
> The good news is that the the only settings that can be overridden in
> this manner are resource limits and the CPU mask.
There is another issue in stock ftpd and usercontext,
see PR http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/143570
which contains trivial patch.
Eugene Grosbein
More information about the freebsd-security
mailing list