this is not release critical, or a security hole
severity 24905 normal
thanks
This is not a critical bug report. In fact, I disagree it is a bug at all.
> cfingerd version 1.3.2 runs all external executables and
> scripts with root privileges. This includes fake user
> scripts, user invoked scripts and all helper applications.
> This is likely to open up all kinds of security holes
> because these scripts were never written to be run
> as suid root.
> The bug has been confirmed through source code review and
> testing on a single machine. Independent confirmation should
> be obtained just in case I am mistaken anyway.
I fail to understand how you have "confirmed" a bug which is only "likely"
to exist. Anyway, debian cfingerd ships with _no_ fake user scripts
enabled, so this is _not_ a security hole present in the debian package.
joey@kite:/tmp/cfingerd-1.3.2/scripts>dpkg -L cfingerd |grep /etc
/etc
/etc/cfingerd
/etc/cfingerd/scripts
/etc/cfingerd/top_finger.txt
/etc/cfingerd/bottom_finger.txt
/etc/cfingerd/noname_banner.txt
/etc/cfingerd/nouser_banner.txt
/etc/cfingerd/rejected_banner.txt
/etc/cfingerd/cfingerd.conf
/etc/cron.weekly
/etc/cron.weekly/cfingerd
Look ma, no scripts!
> For more information, please read privs.h in the cfingerd
> source and understand, that as long as cfingerd can issue
> a sequence of system calls to regain root privileges, so
> can any script invoked from cfingerd, as well as any
> code a hacker may fool cfingerd into executing (e.g. by
> means of a buffer overrun).
I'm sorry, but this is flat out, 100% _wrong_. After an exec() system call,
the saved uid is lost. Therefore, a child program cannot use it to regain
suid root permissions.
W. Richard Stevens, Advanced Programming in the Unix
Environment, page 213: "The saved set-user-ID is copied from the
effective user ID by exec."
> Luckily most, but not all external scripts have been disabled
> in the default Debian configuration. One of the remaining
> scripts is a pipe invoked when fingering userlist-only@hostname.
> As a simple test, enable a fakeuser and modify the script to look
> like this:
> #!/bin/bash
> echo ${UID} ${EUID}
> Then finger the fakeuser and notice that the output looks like
> this:
> 0 0
> meaning root root!
So what? You were root. You edited /etc/cfingerd/cfingerd.conf. You told it
to run this program. Only root may do this. The fact that the program runs
as root is not a security hole, because only root can set it up to run this
way.
> I am now using Debian 2.0 kernel 2.0.33 (compiled by me) libc-2.0.7.
> I am not currently running cfingerd, but am keeping a copy in
> non-executable form.
> --
> This message is hastily written, please ignore any unpleasant wordings,
> do not consider it a binding commitment, even if its phrasing may
> indicate so. Its contents may be deliberately or accidentally untrue.
> Trademarks and other things belong to their owners, if any.
--
see shy jo
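As an added illustration (not part of the thread or of cfingerd): a small C model of the POSIX user-ID rules the reply cites. It shows why the saved set-user-ID is copied from the effective ID across exec() and, going one step beyond the point above, that a root process which only lowers its effective ID still leaves a real uid of 0 for the child to use. The functions model the rules rather than making real system calls, and the uid values (1000, 65534) are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* The real / effective / saved set-user-ID triple of a process. */
typedef struct { unsigned r, e, s; } uids;

/* exec() of a non-set-uid program: real and effective IDs are kept, and the
 * saved set-user-ID is copied from the effective ID (Stevens, APUE p. 213). */
uids model_exec(uids u) { u.s = u.e; return u; }

/* seteuid(): permitted if the caller is effectively root, or if the target
 * equals any of the three IDs. Only the effective ID changes. */
bool model_seteuid(uids *u, unsigned target) {
    if (u->e != 0 && target != u->r && target != u->e && target != u->s)
        return false;
    u->e = target;
    return true;
}

/* setuid(): an effectively-root caller sets all three IDs (no way back);
 * anyone else only changes the effective ID, under the seteuid() rule. */
bool model_setuid(uids *u, unsigned target) {
    if (u->e == 0) { u->r = u->e = u->s = target; return true; }
    return model_seteuid(u, target);
}

/* Root can be regained iff some ID in the triple is still 0. */
bool can_regain_root(uids u) { return u.r == 0 || u.e == 0 || u.s == 0; }

static void show(const char *label, uids u) {
    printf("%-42s r=%u e=%u s=%u  regain root: %s\n", label, u.r, u.e, u.s,
           can_regain_root(u) ? "yes" : "no");
}

int main(void) {
    /* A set-uid-root helper started by uid 1000 that drops with seteuid(). */
    uids h = {1000, 0, 0};
    model_seteuid(&h, 1000);
    show("setuid helper after seteuid(1000)", h);   /* yes: s is still 0 */
    show("... its child after exec()", model_exec(h)); /* no: s copied from e */

    /* A root daemon that only lowers its effective ID before exec(). */
    uids d = {0, 0, 0};
    model_seteuid(&d, 65534);
    show("daemon after seteuid(65534), then exec", model_exec(d)); /* yes: r is 0 */

    /* The same daemon using setuid(), which rewrites all three IDs. */
    uids p = {0, 0, 0};
    model_setuid(&p, 65534);
    show("daemon after setuid(65534), then exec", model_exec(p));  /* no */
    return 0;
}
```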