[Bug 216014] /etc/shells security vagueness affecting ports

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Jan 13 07:13:46 UTC 2017 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216014

            Bug ID: 216014
           Summary: /etc/shells security vagueness affecting ports
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: misc
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: freebsd at phil.spodhuis.org

The shells(5) manpage describes /etc/shells as "a list of the shells on the
system".

The top of /usr/src/etc/shells documents the historical meaning:

    # List of acceptable shells for chpass(1).
    # Ftpd will not allow users to connect who are not using
    # one of these shells.

My recollection is that 20 years ago, it was considered a security flaw for
/etc/shells to list an untrusted shell, as the whole point was to define "if a
user has one of these shells, then they're trusted for local system access".

Indeed, /usr/bin/chpass is setuid-root and uses "ok_shell()" to enforce exactly
this behavior; so if arbitrary code can be gotten running as uid N, it can
invoke chpass to change shell to any shell listed in /etc/shells, as long as
the current shell is listed in that file too.  Thus providing a privilege
escalation attack.

Yet the standard behavior of Ports is to add _all_ shells, including restricted
shells, to /etc/shells.

    grep '^@shell' /usr/ports/shells/*/pkg-plist

rbash, rzsh, scponly; also devel/git adds libexec/git-core/git-shell too.

Users with any of those should _not_ be able to change their shell.  The only
reason I can think of to add these shells to /etc/shells is some gateway
software deciding to only allow access if the shell is listed and so rejecting
restricted shells ... which is a bug.

So either the description in /usr/src/etc/shells is wrong and chpass is a
security hole, or the man-page shells(5) is wrong and has led to many Ports
being configured to introduce security holes when installed.

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list