Bugtraq mailing list archives

Re: BoS: Re: XFree86 3.1.2 Security Problems


From: papowell () sdsu edu (Patrick Powell)
Date: Tue, 30 Jan 1996 06:43:42 -0800


Folks,  I went through exactly the same thing when I developed the LPRng
print spooler package.  The solution that I used for the problem was as
follows:

1.  In the startup code,  use seteuid()/setreuid() to set
    EUID to something banal such as daemon, and RUID to root.
    (you might want to save the original RUID for permissions checking).

2.  Do all operations EXCEPT socket() and bind() calls as EUID daemon.
    It turns out that on some ^&*(*&*( systems when you want to bind
    to a reserved port,  you must open the socket EUID ROOT and do the
    bind EUID root.

3.  Before you do an exec,  do a seteuid/setuid
    to the original user and/or daemon UID (your application mileage may
    vary on this).

Now this sounds brutal,  and it is.  But look at it this way:
you do things as ROOT only for those things that absolutely require it,
and never pass on the EUID root capability to children.

This should be relatively painless to do.

Patrick ("I have a choice of having some of my fingernails pulled off
   with red hot pincers,  or rewriting my code?  Umm... how many
   fingernails? Do I get to choose the hand?") Powell

Dept. Electrical and Computer Engineering,
San Diego State University,
San Diego, CA 92182-1309
Office (619) 594-7796; Lab (619) 594-7578 FAX (619) 594-7577
email: papowell () sdsu edu

# >>    There are security holes in XFree86 3.1.2, which installs its servers
# >> as suid root (/usr/X11R6/bin/XF86_*).  When reading and writing files,
# >> it does not take proper precautions to ensure that file permissions are
# >> maintained, resulting in the ability to overwrite files, and to read
# >> limited portions of other files.
# >[...]
# >>            Temporary Patch: chmod o-x /usr/X11R6/bin/XF86*
# >
# >This patch is not only very hard to realise on systems that need X, it is
# >also insufficient; if xdm is used, the hole can still be exploited with
# >the above patch installed.

# Does anyone have any comments on a real fix for this?  We (XFree86)
# will be finalising our next beta release quite soon.

# I'd like the final solution to allow for both suid-root and non-suid
# servers (Xnest and Xvfb are not suid-root).

# One thought is to use a non-user-writable directory for the lock files
# when euid==0, and use /tmp when euid!=0.  Does anyone see any problems
# with that?

# David
# --
# David Dawes                                   Email: dawes () XFree86 org
# The XFree86 Project, Inc                      Phone: +61 2 351 2639
# c/- School of Physics,                        Fax:   +61 2 660 2903
# University of Sydney 2006 AUSTRALIA
