security or lack thereof

John Nemeth jnemeth at victoria.tc.ca
Tue Mar 22 19:04:31 PST 2005


     So, is it FreeBSD policy to ignore security bug reports?  I sent
the following bug report to security at freebsd.org on Feb. 19th, 2005 and
it still hasn't been acted on.  This total lack of action on an
extremely simple (and silly) three year old bug doesn't give one the
warm fuzzies.  Heck, it took 48 hours to get a response from a security
officer, and another 24 hours to get something from the guilty
developer.

From: jnemeth at vtn1 (John Nemeth)
Date: Sat, 19 Feb 2005 21:46:42 -0800
To: security at freebsd.org
Subject: rexecd root lockout

     I'm working on converting NetBSD's rexecd to use PAM and I was
looking at FreeBSD's rexecd for ideas.  In the process I noticed that
FreeBSD's version of rexecd is supposed to disallow its use by uid 0.
However, there is a bug in the PAM conversion of FreeBSD's rexecd.c
that disables that feature.  The change was made in revision 1.29 of
rexecd on May 2, 2002.  The problem is around line 192 and exists in
the latest version.  As far as I can tell the problem affects all
FreeBSD 5.x releases.  The problem is that the following line:

if ((pwd->pw_uid == 0 && no_uid_0) || *pwd->pw_passwd == '\0' ||

was changed to:

if ((pwd = getpwnam(user)) == NULL || (pwd->pw_uid = 0 && no_uid_0) ||

Note that the second version assigns 0 to pwd->pw_uid instead of
comparing it, thus forcing the uid 0 test to always fail.  The fix is to
change the second line to:

if ((pwd = getpwnam(user)) == NULL || (pwd->pw_uid == 0 && no_uid_0) ||

Note that I haven't tested any of this and found it by reading the
code.  The fix is also untested, but given the simplicity it should be
fine.
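The two forms of the condition side by side, as an added example that is not part of John Nemeth's report or of FreeBSD's rexecd.c. It stands a constructed three-entry table in for getpwnam(), and the names check_buggy(), check_fixed(), lookup_user() and sample_users are assumptions made for the example. Each check returns 1 when the login would be rejected and optionally reports the pw_uid value left in the passwd record after the condition has been evaluated, so both effects of the typo are visible: the uid 0 test can never succeed, and the record's pw_uid has been overwritten with 0 by the time the condition finishes.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the passwd database (not real accounts). The
 * password hashes are placeholders; "guest" has an empty password on purpose
 * so the '*pwd->pw_passwd == \'\\0\'' clause is exercised as well. */
static const struct passwd sample_users[] = {
    { .pw_name = "root",  .pw_passwd = "$hash-placeholder", .pw_uid = 0,    .pw_gid = 0 },
    { .pw_name = "alice", .pw_passwd = "$hash-placeholder", .pw_uid = 1000, .pw_gid = 1000 },
    { .pw_name = "guest", .pw_passwd = "",                  .pw_uid = 1001, .pw_gid = 1001 },
};

/* Minimal getpwnam() replacement: copies the matching entry into *buf and
 * returns buf, or NULL when the user is unknown. Copying keeps the buggy
 * check from permanently corrupting the sample table between calls. */
static struct passwd *lookup_user(const char *user, struct passwd *buf)
{
    for (size_t i = 0; i < sizeof(sample_users) / sizeof(sample_users[0]); i++) {
        if (strcmp(sample_users[i].pw_name, user) == 0) {
            *buf = sample_users[i];
            return buf;
        }
    }
    return NULL;
}

/* Condition as it appeared after the PAM conversion: a single '=' where '=='
 * was meant. '0 && no_uid_0' is always 0, so the clause assigns 0 to pw_uid
 * and evaluates to 0; the uid 0 rejection can never fire. Because the
 * assignment sits inside its own parentheses, the usual -Wparentheses
 * "assignment used as truth value" warning is not expected to flag it. */
static int check_buggy(const char *user, int no_uid_0, uid_t *uid_after)
{
    struct passwd buf, *pwd;
    int rejected = ((pwd = lookup_user(user, &buf)) == NULL ||
                    (pwd->pw_uid = 0 && no_uid_0) ||
                    *pwd->pw_passwd == '\0');
    if (uid_after != NULL)
        *uid_after = (pwd != NULL) ? pwd->pw_uid : (uid_t)-1;
    return rejected;
}

/* Corrected condition: compares pw_uid with 0 and leaves the record intact. */
static int check_fixed(const char *user, int no_uid_0, uid_t *uid_after)
{
    struct passwd buf, *pwd;
    int rejected = ((pwd = lookup_user(user, &buf)) == NULL ||
                    (pwd->pw_uid == 0 && no_uid_0) ||
                    *pwd->pw_passwd == '\0');
    if (uid_after != NULL)
        *uid_after = (pwd != NULL) ? pwd->pw_uid : (uid_t)-1;
    return rejected;
}

int main(void)
{
    uid_t uid;
    printf("fixed: root with no_uid_0=1 rejected=%d\n", check_fixed("root", 1, NULL));
    printf("buggy: root with no_uid_0=1 rejected=%d\n", check_buggy("root", 1, NULL));
    check_fixed("alice", 1, &uid);
    printf("fixed: alice pw_uid after check=%u\n", (unsigned)uid);
    check_buggy("alice", 1, &uid);
    printf("buggy: alice pw_uid after check=%u\n", (unsigned)uid);
    return 0;
}
```

The second effect is the one worth a reviewer's attention beyond the obvious missing rejection: an assignment in a condition does not only change control flow, it mutates the data the rest of the function goes on to use, so a review of this kind of typo should also trace where the clobbered field is read afterwards.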


More information about the freebsd-hackers mailing list