Serious security problem! [Was: base system on boot floppies 2.2.3 broken]
On Fri Dec 31, 1999 at 09:13:14AM -0700, Randolph Chung wrote:
> > 2) any file or directory that has a symlink associated with it has
> > permissions of 777; this includes much of the libc, /sbin/init,
> > /usr/sbin/adduser, and many many many more. Also most of
> > /usr/share/doc had mode 777.
Verified. Sigh. This is a release-critical security problem
that leaves libc (and everything else pointed to by a symlink
in the base system) vulnerable after a fresh install.
[andersen@slag /tmp]$ ls -la bar/lib/libc*
-rwxrwxrwx 1 root root 885048 Dec 31 12:11 bar/lib/libc-2.1.2.so*
lrwxrwxrwx 1 root root 13 Jan 1 12:35 bar/lib/libc.so.6 -> libc-2.1.2.so*
lrwxrwxrwx 1 root root 17 Jan 1 12:35 bar/lib/libcom_err.so.2 -> libcom_err.so.2.0*
-rwxrwxrwx 1 root root 5244 Dec 31 12:10 bar/lib/libcom_err.so.2.0*
-rwxrwxrwx 1 root root 19536 Dec 31 12:11 bar/lib/libcrypt-2.1.2.so*
lrwxrwxrwx 1 root root 17 Jan 1 12:35 bar/lib/libcrypt.so.1 -> libcrypt-2.1.2.so*
[andersen@slag /tmp]$ ls -la baz/lib/libc*
-rwxr-xr-x 1 root root 885048 Dec 26 11:43 baz/lib/libc-2.1.2.so*
lrwxrwxrwx 1 root root 13 Jan 1 11:40 baz/lib/libc.so.6 -> libc-2.1.2.so*
lrwxrwxrwx 1 root root 17 Jan 1 11:40 baz/lib/libcom_err.so.2 -> libcom_err.so.2.0
-rw-r--r-- 1 root root 5244 Nov 12 13:43 baz/lib/libcom_err.so.2.0
-rw-r--r-- 1 root root 19536 Dec 26 11:43 baz/lib/libcrypt-2.1.2.so
lrwxrwxrwx 1 root root 17 Jan 1 11:40 baz/lib/libcrypt.so.1 -> libcrypt-2.1.2.so
This one is bad, bad, bad. Mea culpa I'm afraid. :-(
I'll have a fix for this checked into CVS in about an hour.
I recommend we make a new release of boot-floppies as soon
as this fix goes in, and make some kind of announcement so
that anybody that has installed from the boot floppies so far
knows how absolutely broken their system is.
> > 3) most of /dev/* has wrong owners/permissions, I just rm -rf'ed it
> > and grabbed a properly extracted version from base2_2.tgz
I fixed this one this last week.
> Not sure about these two, can someone verify this?
Also it looks like I am not restoring mtimes. I'm fixing
that one as well. As soon as I get these fixes in, I want
everybody to take a careful look at busybox tar, ok?
I'm testing it now by:
cp base2_2.tgz /tmp
<path_to_busybox>/busybox zcat ../base2_2.tgz | <path_to_busybox>/busybox tar -xf -
tar -xzf ../base2_2.tgz
and then comparing files from foo and bar.
Erik B. Andersen Web: http://www.xmission.com/~andersen/
--This message was written using 73% post-consumer electrons--
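
Added example, not part of the original message and not busybox code: a script that automates the comparison described above, checking a tree extracted by the tar under test against one extracted by a reference tar. The function name compare_trees and the choice of which tree is the reference are assumptions. It compares permission bits and mtimes with lstat, so the always-lrwxrwxrwx mode of the symlinks themselves is ignored and only their targets are compared.

```python
import os
import stat


def compare_trees(reference, candidate):
    """Compare candidate (tree under test) against reference, entry by entry.

    Returns a sorted list of (relative_path, problem) tuples.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(reference):
        for name in dirnames + filenames:
            ref_path = os.path.join(dirpath, name)
            rel = os.path.relpath(ref_path, reference)
            cand_path = os.path.join(candidate, rel)
            ref_st = os.lstat(ref_path)  # lstat: never follow symlinks
            try:
                cand_st = os.lstat(cand_path)
            except FileNotFoundError:
                findings.append((rel, "missing"))
                continue
            if stat.S_IFMT(ref_st.st_mode) != stat.S_IFMT(cand_st.st_mode):
                findings.append((rel, "type differs"))
                continue
            if stat.S_ISLNK(ref_st.st_mode):
                # A symlink's own mode bits carry no meaning; check its target.
                if os.readlink(ref_path) != os.readlink(cand_path):
                    findings.append((rel, "symlink target differs"))
                continue
            ref_mode = stat.S_IMODE(ref_st.st_mode)
            cand_mode = stat.S_IMODE(cand_st.st_mode)
            if ref_mode != cand_mode:
                problem = "mode %04o, expected %04o" % (cand_mode, ref_mode)
                if cand_mode & stat.S_IWOTH:
                    problem += " (world-writable)"
                findings.append((rel, problem))
            if int(ref_st.st_mtime) != int(cand_st.st_mtime):
                findings.append((rel, "mtime differs"))
    return sorted(findings)
```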