Re: Security hole in dosemu package

To: debian-devel@lists.debian.org
Subject: Re: Security hole in dosemu package
From: Daniel Quinlan <quinlan@proton.pathname.com>
Date: Thu, 14 Nov 96 18:06 PST
Message-id: <m0vODg2-000SmHC@proton.pathname.com>
Reply-to: quinlan@pathname.com
In-reply-to: <Pine.LNX.3.95.961114152532.2808A-100000@waterf.org>
References: <m0vOB8E-000SmHC@proton.pathname.com> <Pine.LNX.3.95.961114152532.2808A-100000@waterf.org>

Christoph Lameter <clameter@waterf.org> writes:

> I think you misstated the issue. You are trying to parse a
> configuration file and you see the error messages of dosemu when
> parsing it.

That's the problem, not the issue.  The issue is that anyone on my
system can read files owned by anyone else.  Passwords, private email,
diaries, PGP private keys, anything.  Debian is installed on thousands
of systems and all of them are about as secure as MS-DOS if dosemu is
installed.

Anyway, here is my procedure for looking for likely vulnerable
programs.  I'll try to find another one this weekend for fun.

$ ls -alS /usr/bin | grep rws
-rwsr-xr-x   1 root     root       569576 Oct 24 00:05 dos
-rwsr-xr-x   1 man      root        66701 Jul  7 13:56 man
-rwsr-sr-x   1 root     mail        59385 Jan 18  1996 procmail
-rwsr-xr-x   1 man      root        52521 Jul  7 13:56 mandb
-rwsr-xr-x   1 root     root        46088 Oct 30 09:25 sudo
[...]

The `-F' option was merely the first bug I found.  Crackers often
break into systems by exploiting bugs, especially in large setuid root
programs such as sendmail, which has lots of people that continually
search for exploitable holes (they occasionally find one), and dos,
which is twice as large as sendmail and about 5% as debugged.

> Naturally that configuration file is read while dosemu still has not
> dropped its superuser priviledges. Get on the mailing list for
> dosemu and talk to the guys. This is really a non debian specific
> security hole in dosemu.

You could make the dosemu package more secure by removing
/etc/dosemu/users and repackaging dosemu.  It's Debian-specific enough
if it's a Debian package, especially one that is not in contrib.

> Is it compiled to use the "users" file at all? Last that I know was
> that RedHat had an older version of dosemu which might not support
> the /etc/dosemu.users file. But that was awhile ago.

Yes, it is.

-- 
Daniel Quinlan                  http://www.pathname.com/~quinlan
quinlan@pathname.com            quinlan@transmeta.com (at work)

--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com

Reply to:

Follow-Ups:
- Re: Security hole in setuid packages
  - From: Fabrizio Polacco <fpolacco@megabaud.fi>

References:
- Re: Security hole in dosemu package
  - From: Christoph Lameter <clameter@waterf.org>

Prev by Date: Re: problem with bug and virtual packages
Next by Date: Packages with Critial Bugs
Previous by thread: Re: Security hole in dosemu package
Next by thread: Re: Security hole in setuid packages
Index(es):
- Date
- Thread