Serious security problem! [Was: base system on boot floppies 2.2.3 broken]

On Fri Dec 31, 1999 at 09:13:14AM -0700, Randolph Chung wrote:
> > 2) Any file or directory that has a symlink associated with it has
> > permissions of 777. This includes much of the libc, /sbin/init,
> > /usr/sbin/adduser, and many, many, many more. Also, most of
> > /usr/share/doc had mode 777.

Verified.  Sigh.  This is a release critical security problem
that leaves libc (and everything else pointed to by a symlink 
in the base system) vulnerable after a fresh install.

    [andersen@slag /tmp]$ ls -la bar/lib/libc*
    -rwxrwxrwx    1 root     root       885048 Dec 31 12:11 bar/lib/libc-2.1.2.so*
    lrwxrwxrwx    1 root     root           13 Jan  1 12:35 bar/lib/libc.so.6 -> libc-2.1.2.so*
    lrwxrwxrwx    1 root     root           17 Jan  1 12:35 bar/lib/libcom_err.so.2 -> libcom_err.so.2.0*
    -rwxrwxrwx    1 root     root         5244 Dec 31 12:10 bar/lib/libcom_err.so.2.0*
    -rwxrwxrwx    1 root     root        19536 Dec 31 12:11 bar/lib/libcrypt-2.1.2.so*
    lrwxrwxrwx    1 root     root           17 Jan  1 12:35 bar/lib/libcrypt.so.1 -> libcrypt-2.1.2.so*
    [andersen@slag /tmp]$ ls -la baz/lib/libc*
    -rwxr-xr-x    1 root     root       885048 Dec 26 11:43 baz/lib/libc-2.1.2.so*
    lrwxrwxrwx    1 root     root           13 Jan  1 11:40 baz/lib/libc.so.6 -> libc-2.1.2.so*
    lrwxrwxrwx    1 root     root           17 Jan  1 11:40 baz/lib/libcom_err.so.2 -> libcom_err.so.2.0
    -rw-r--r--    1 root     root         5244 Nov 12 13:43 baz/lib/libcom_err.so.2.0
    -rw-r--r--    1 root     root        19536 Dec 26 11:43 baz/lib/libcrypt-2.1.2.so
    lrwxrwxrwx    1 root     root           17 Jan  1 11:40 baz/lib/libcrypt.so.1 -> libcrypt-2.1.2.so

This one is bad, bad, bad.  Mea culpa I'm afraid. :-(
I'll have a fix for this checked into CVS in about an hour.

I recommend we make a new release of boot-floppies as soon 
as this fix goes in, and make some kind of announcement so
that anybody that has installed from the boot floppies so far
knows how absolutely broken their system is.  

> > 3) Most of /dev/* has wrong owners/permissions. I just rm -rf'ed it
> > and grabbed a properly extracted version from base2_2.tgz.

I fixed this one this last week.

> Not sure about these two, can someone verify this?

Also it looks like I am not restoring mtimes.  I'm fixing
that one as well.  As soon as I get these fixes in, I want
everybody to take a careful look at busybox tar, ok?

I'm testing it now by:
    cp base2_2.tgz /tmp
    mkdir foo
    cd foo
    <path_to_busybox>/busybox zcat ../base2_2.tgz | <path_to_busybox>/busybox tar -xf -
    cd ..
    mkdir bar
    cd bar
    tar -xzf ../base2_2.tgz

and then comparing files from foo and bar.


Erik B. Andersen   Web:    http://www.xmission.com/~andersen/ 
                   email:  andersee@debian.org
--This message was written using 73% post-consumer electrons--
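
The foo/bar comparison described in the message, written out as an added example (not part of the original message, and not busybox or boot-floppies code): a Python script that compares permission bits and mtimes between two extracted trees using lstat, marks mismatched files that a symlink resolves to, and lists world-writable entries. The function names and the sticky-bit exemption are assumptions of this example.

```python
import os
import stat

def scan(root):
    """Return ({relpath: (st_mode, mtime)}, {relpaths some symlink in root resolves to})."""
    root = os.path.realpath(root)
    meta, linked = {}, set()
    for dirpath, dirnames, filenames in os.walk(root):  # never descends through symlinks
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: inspect the entry itself, not its target
            if stat.S_ISLNK(st.st_mode):
                target = os.path.realpath(full)
                if target.startswith(root + os.sep):
                    linked.add(os.path.relpath(target, root))
                continue  # a symlink's own mode is always lrwxrwxrwx on Linux
            meta[os.path.relpath(full, root)] = (st.st_mode, int(st.st_mtime))
    return meta, linked

def compare_trees(reference, candidate):
    """List (relpath, problem, detail) for entries where candidate differs from reference."""
    ref_meta, _ = scan(reference)
    cand_meta, cand_linked = scan(candidate)
    findings = []
    for path in sorted(ref_meta):
        if path not in cand_meta:
            findings.append((path, "missing", ""))
            continue
        (ref_mode, ref_mtime), (mode, mtime) = ref_meta[path], cand_meta[path]
        if stat.S_IMODE(mode) != stat.S_IMODE(ref_mode):
            note = " (symlink target)" if path in cand_linked else ""
            findings.append((path, "mode",
                             f"{stat.S_IMODE(ref_mode):04o} -> {stat.S_IMODE(mode):04o}{note}"))
        # Directory mtimes change as entries are created, so compare non-directories only.
        if mtime != ref_mtime and not stat.S_ISDIR(mode):
            findings.append((path, "mtime", f"{ref_mtime} -> {mtime}"))
    return findings

def world_writable(root):
    """Non-symlink entries anyone may write to; sticky-bit dirs such as /tmp are exempt."""
    meta, _ = scan(root)
    return sorted(p for p, (mode, _) in meta.items()
                  if mode & stat.S_IWOTH and not mode & stat.S_ISVTX)

if __name__ == "__main__":
    import sys
    for finding in compare_trees(sys.argv[1], sys.argv[2]):  # e.g. bar foo
        print(*finding)
    for path in world_writable(sys.argv[2]):
        print(path, "world-writable")
```

Pass the GNU tar extraction as the reference tree and the busybox tar extraction as the candidate; ownership is not compared, so extract both as the same user.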