Bugtraq mailing list archives
Re: BoS: Re: XFree86 3.1.2 Security Problems
From: papowell () sdsu edu (Patrick Powell)
Date: Tue, 30 Jan 1996 06:43:42 -0800
Folks, I went through exactly the same thing when I developed the LPRng print spooler package. The solution that I used for the problem was as follows:

1. In the startup code, use seteuid()/setreuid() to set EUID to something banal such as daemon, and RUID to root. (You might want to save the original RUID for permissions checking.)

2. Do all operations EXCEPT socket() and bind() calls as EUID daemon. It turns out that on some ^&*(*&*( systems when you want to bind to a reserved port, you must open the socket EUID root and do the bind EUID root.

3. Before you do an exec, do a seteuid/setuid to the original user and/or daemon UID (your application mileage may vary on this).

Now this sounds brutal, and it is. But look at it this way: you do things as ROOT only for those things that absolutely require it, and never pass on the EUID root capability to children. This should be relatively painless to do.

Patrick ("I have a choice of having some of my fingernails pulled off with red hot pincers, or rewriting my code? Umm... how many fingernails? Do I get to choose the hand?") Powell
Dept. Electrical and Computer Engineering, San Diego State University, San Diego, CA 92182-1309
Office (619) 594-7796; Lab (619) 594-7578 FAX (619) 594-7577
email: papowell () sdsu edu

# >> There are security holes in XFree86 3.1.2, which installs its servers
# >> as suid root (/usr/X11R6/bin/XF86_*). When reading and writing files,
# >> it does not take proper precautions to ensure that file permissions are
# >> maintained, resulting in the ability to overwrite files, and to read
# >> limited portions of other files.
# >[...]
# >> Temporary Patch: chmod o-x /usr/X11R6/bin/XF86*
# >
# >This patch is not only very hard to realise on systems that need X, it is
# >also insufficient; if xdm is used, the hole can still be exploited with
# >the above patch installed.
# Does anyone have any comments on a real fix for this? We (XFree86)
# will be finalising our next beta release quite soon.
# I'd like the final solution to allow for both suid-root and non-suid
# servers (Xnest and Xvfb are not suid-root).
# One thought is to use a non-user-writable directory for the lock files
# when euid==0, and use /tmp when euid!=0. Does anyone see any problems
# with that?
# David
# --
# David Dawes Email: dawes () XFree86 org
# The XFree86 Project, Inc Phone: +61 2 351 2639
# c/- School of Physics, Fax: +61 2 660 2903
# University of Sydney 2006 AUSTRALIA
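The three-step EUID scheme Patrick describes, written out as an added C example (this is not LPRng or XFree86 code, and not from the original post). It assumes POSIX setreuid()/seteuid()/setuid() semantics as found on Linux and the BSDs, looks up the "daemon" account and falls back to uid 1 (a constructed stand-in) if that account does not exist, and binds to the loopback address only. It runs unchanged whether started as a plain user (nothing to lower), as root, or suid-root: root is held only across socket() and bind(), and the pre-exec drop verifies that root really cannot be regained before reporting success.

```c
/* Added example (not LPRng or XFree86 code): the three-step EUID scheme
 * from the post. Assumes POSIX setreuid()/seteuid()/setuid() semantics
 * as on Linux and the BSDs. Works as a plain user, as root, or suid-root. */
#include <errno.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

static uid_t g_orig_ruid;   /* the user who invoked us, kept for permission checks */
static uid_t g_unpriv_uid;  /* the "banal" uid we run as most of the time */
static int   g_have_root;   /* 1 if we can seteuid(0) when we must */

/* Resolve an account name to a uid; fall back to a constructed value
 * when the account does not exist on this host. */
uid_t lookup_unpriv_uid(const char *name, uid_t fallback)
{
    struct passwd *pw = getpwnam(name);
    return pw ? pw->pw_uid : fallback;
}

int running_with_root(void) { return g_have_root; }

/* Step 1: at startup, RUID stays root (so root can be regained for the
 * bind), EUID becomes the unprivileged uid. Returns 0 or -1. */
int lower_privs_at_startup(uid_t unpriv_uid)
{
    g_orig_ruid = getuid();
    g_unpriv_uid = unpriv_uid;
    if (geteuid() != 0) {        /* not suid-root: nothing to lower */
        g_have_root = 0;
        return 0;
    }
    if (setreuid(0, unpriv_uid) != 0)
        return -1;
    g_have_root = 1;
    return 0;
}

/* Step 2: socket() and bind() are the only calls made with EUID root.
 * Returns a bound fd, or -1 with errno set. */
int open_reserved_listener(unsigned short port)
{
    int fd, saved_errno;
    struct sockaddr_in sa;

    if (g_have_root && seteuid(0) != 0)
        return -1;
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd >= 0) {
        memset(&sa, 0, sizeof sa);
        sa.sin_family = AF_INET;
        sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        sa.sin_port = htons(port);
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0) {
            saved_errno = errno;
            close(fd);
            fd = -1;
            errno = saved_errno;
        }
    }
    saved_errno = errno;
    /* Back to EUID daemon before anything else happens; if that fails we
     * must not carry on as root, so give the fd up instead. */
    if (g_have_root && seteuid(g_unpriv_uid) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* Step 3: before exec, give up root for good. setuid() called with EUID
 * root sets real, effective and saved uids, so the child cannot come back. */
int drop_privs_for_exec(void)
{
    uid_t target;
    if (!g_have_root)
        return 0;
    /* If the invoker was root itself, fall back to the daemon uid so the
     * child still does not inherit root. */
    target = (g_orig_ruid != 0) ? g_orig_ruid : g_unpriv_uid;
    if (seteuid(0) != 0 || setuid(target) != 0)
        return -1;
    if (seteuid(0) == 0)         /* must fail now; if it did not, refuse to exec */
        return -1;
    g_have_root = 0;
    return 0;
}

int main(void)
{
    uid_t daemon_uid = lookup_unpriv_uid("daemon", 1);  /* 1 is a constructed fallback */
    if (lower_privs_at_startup(daemon_uid) != 0) { perror("setreuid"); return 1; }
    int fd = open_reserved_listener(515);                /* lpd's reserved port */
    if (fd < 0) { perror("bind 515"); return 1; }
    printf("bound 515 with euid %d, ruid %d\n", (int)geteuid(), (int)getuid());
    if (drop_privs_for_exec() != 0) { perror("drop"); return 1; }
    printf("ready to exec as uid %d\n", (int)getuid());
    close(fd);
    return 0;
}
```

The errno save/restore around the second seteuid() matters: a caller that sees -1 from open_reserved_listener() wants bind()'s reason, not the result of the privilege switch. The final seteuid(0) probe in drop_privs_for_exec() is the cheap check that the saved uid was really cleared; a kernel or libc where setuid() only changed the effective uid would leave the child able to climb back, which is exactly what step 3 is meant to rule out.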