[Bug 216014] /etc/shells security vagueness affecting ports
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Fri Jan 13 07:13:46 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216014
Bug ID: 216014
Summary: /etc/shells security vagueness affecting ports
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: misc
Assignee: freebsd-bugs at FreeBSD.org
Reporter: freebsd at phil.spodhuis.org
The shells(5) manpage describes /etc/shells as "a list of the shells on the
system".
The top of /usr/src/etc/shells documents the historical meaning:
# List of acceptable shells for chpass(1).
# Ftpd will not allow users to connect who are not using
# one of these shells.
My recollection is that 20 years ago, it was considered a security flaw for
/etc/shells to list an untrusted shell, as the whole point was to define "if a
user has one of these shells, then they're trusted for local system access".
Indeed, /usr/bin/chpass is setuid-root and uses "ok_shell()" to enforce exactly
this behavior; so if arbitrary code can be gotten running as uid N, it can
invoke chpass to change shell to any shell listed in /etc/shells, as long as
the current shell is listed in that file too. Thus providing a privilege
escalation attack.
Yet the standard behavior of Ports is to add _all_ shells, including restricted
shells, to /etc/shells.
grep '^@shell' /usr/ports/shells/*/pkg-plist
rbash, rzsh, scponly; also devel/git adds libexec/git-core/git-shell too.
Users with any of those should _not_ be able to change their shell. The only
reason I can think of to add these shells to /etc/shells is some gateway
software deciding to only allow access if the shell is listed and so rejecting
restricted shells ... which is a bug.
So either the description in /usr/src/etc/shells is wrong and chpass is a
security hole, or the man-page shells(5) is wrong and has led to many Ports
being configured to introduce security holes when installed.
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-bugs
mailing list