Message-ID: <20031206182724.T66813@dekadens.coredump.cx>
From: lcamtuf at ghettot.org (Michal Zalewski)
Subject: Partial Solution to SUID Problems

On Sat, 6 Dec 2003, Paul Szabo wrote:

> Sorry, but I have a counter-example (and admit that I was bitten by it):
> pt_chown (or chgpt or slvmod or whatever). Some OSs use something like
> that to chown or chmod the pty they just allocated.

Oh, you mentioned pt_chown... let me crawl out of my cave for a second or
two, then.

I think that solutions like pt_chown introduce just as many problems as
they solve - you get bugs in pt_chown instead of bugs caused by
world-writable ttyXX. It is also just plain dangerous - system security
should not depend on having setuid flag on any program and fail silently
when the flag is gone - as it might get accidentally removed when
restoring from backup or upgrading the software, be intentionally removed
or disabled (nosuid), etc. As such, pt_chown is a great example of when not
to use suid helpers.

A much better way to solve this problem would be to modify the kernel (or
install a module) to chown ttyXX to uid of the caller and chmod it
appropriately when you open ptyXX (which can be done only once, and is
performed prior to opening ttyXX, which must not be open already - per
pseudo-terminal semantics).

It pretty much fixes the problem and allows screen, mc and many other
programs to run flawlessly with no setuid helpers without causing any
impact on other functionality.

Linux also took a fairly good approach with the /dev/pts filesystem, but
it is a major change that required many programs to be modified (so does
pt_chown, though) - and is also more risky, I imagine.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-12-06 18:27 --

   http://lcamtuf.coredump.cx/photo/current/
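The post argues that a pty slave's ownership should be assigned by the kernel when the master is opened, rather than by a setuid helper whose absence fails silently. The following is an added audit check written for this archive page, not code by the poster or from any project he names: it allocates a pty through the standard POSIX calls (posix_openpt, grantpt, unlockpt, ptsname) and then verifies that the slave node is owned by the calling uid and is not world-writable, which is exactly the property that a silently missing helper would break. On a devpts-style kernel the check passes because ownership is set at open time, with no helper involved. The enum and function names (pty_audit, classify_slave, audit_fresh_pty) are this example's own, and the policy of rejecting any "other"-write bit is an assumption chosen for the check.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of auditing a freshly allocated pseudo-terminal slave. */
enum pty_audit {
    PTY_OK = 0,             /* owned by the caller and not world-writable */
    PTY_WRONG_OWNER = 1,    /* slave not owned by the uid that opened the master */
    PTY_WORLD_WRITABLE = 2, /* any user could write to the terminal node */
    PTY_UNAVAILABLE = 3     /* no pty could be allocated in this environment */
};

/* Pure policy decision over the slave's stat fields. Kept separate from the
 * allocation so it can be exercised with constructed values. The rule that
 * any "other" write bit fails is this example's assumption. */
enum pty_audit classify_slave(uid_t owner, mode_t mode, uid_t caller)
{
    if (owner != caller)
        return PTY_WRONG_OWNER;
    if (mode & S_IWOTH)
        return PTY_WORLD_WRITABLE;
    return PTY_OK;
}

/* Allocate a pty with the standard API and audit its slave node. grantpt()
 * is still called so the check reflects what a real program would see; on a
 * kernel that assigns ownership at open time it has nothing left to do. */
enum pty_audit audit_fresh_pty(char *slave_path, size_t len)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return PTY_UNAVAILABLE;
    if (grantpt(master) != 0 || unlockpt(master) != 0) {
        close(master);
        return PTY_UNAVAILABLE;
    }
    const char *name = ptsname(master);
    struct stat st;
    if (name == NULL || stat(name, &st) != 0) {
        close(master);
        return PTY_UNAVAILABLE;
    }
    if (slave_path != NULL && len > 0) {
        strncpy(slave_path, name, len - 1);
        slave_path[len - 1] = '\0';
    }
    enum pty_audit result = classify_slave(st.st_uid, st.st_mode, getuid());
    close(master);
    return result;
}

int main(void)
{
    static const char *labels[] = {
        "ok: slave owned by caller, not world-writable",
        "FAIL: slave not owned by caller",
        "FAIL: slave is world-writable",
        "no pty available in this environment",
    };
    char path[64] = "(none)";
    enum pty_audit r = audit_fresh_pty(path, sizeof path);
    printf("%s -> %s\n", path, labels[r]);
    return r == PTY_OK ? 0 : 1;
}
```

Run it as an unprivileged user: a result other than "ok" on a system that relies on a setuid pt_chown is the silent failure the post describes, and is worth alarming on from a periodic host check.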

