Bugtraq mailing list archives
Re: Security Problems in XMCD 2.1
From: jimd () starshine org (Jim Dennis)
Date: Tue, 26 Nov 1996 20:09:04 -0800
On a side tangent, the standard rule of thumb is: "If a program doesn't really need SUID/GID, don't give it SUID/GID." ... Doesn't fix the buffer overrun, but it doesn't give the user root either... Theo Van Dinter www: http://www.kluge.net/~felicity/
Add to that the notion that -- wherever possible -- any SUID program should be o-rxw (i.e. only owner and group executable). By ensuring that only "trusted" users are allowed to execute your programs you minimize the number of people who can use the exploit (forcing most attackers to compromise one of your "wheel" or "staff" or "console" accounts before they can use their favorite exploits). Specifically all of these modplayer, CD player, SVGALib, audio-recorder, CU-See-Me clients and similar SUID programs can be configured to be owned by a "console" group. You can then add only those users with console access to that group. Things like chsh and chfn and passwd should be owned by a group like 'shell' -- so that only shell account holders can execute them (meaning that 'nobody' and 'daemon' and 'www' and 'listman' and 'postman' (P'gres) -- can't execute these I'm considering taking things like chsh and chfn and setting them to execute through a sudo/expect wrapper. This wouldn't add much to the security on the shell accounts directly -- but it would force logging of each execution of these commands -- and the wrapper script could check arguments or other factors. It might also prevent LD_PATH and IFS types of attacks (since sudo seems to check it's environment -- and keeping just one statically linked sudo binary around beats dealing with some number of other binaries that might have to be statically linked *and* might have a variety of SUID bugs). I was looking at SFW (simple file wrapper) off of the COAST archive at Purdue recently. Unfortunately it isn't very portable -- Solaris and AIX only so far. I was able to get it to compile under Linux -- but it didn't work properly (segv on some NIS/YP calls or something like that). However, what attracted me to this package was the optional MD5 check on your binary after the ACL is verified and before the su/execution. The idea of this package is that it allows the admin to configure any number of programs to be run by any number of different users or groups 'as' any user and subject of various controls (like time-of-day, day-of-week limitations). It would be need to hack sudo to allow for an MD5 check before execution as well. Maybe I'll work on that before next year. Jim Dennis, Starshine Technical Services
Current thread:
- AIX lquerypv, (continued)
- AIX lquerypv Aleph One (Nov 25)
- lquerypv fix Troy Bollinger (Nov 25)
- Security Problems in XMCD David J. Meltzer (Nov 25)
- FreeBSD Security Advisory: FreeBSD-SA-96:18.lpr FreeBSD Security Officer (Nov 25)
- Digital FW2.0 question Peter Dieth (Nov 26)
- Re: Digital FW2.0 question Alan Cox (Nov 27)
- Re: FreeBSD Security Advisory: FreeBSD-SA-96:18.lpr Warner Losh (Nov 26)
- XMCD v2.1 released (was: Security Problems in XMCD) Xmcd Admin (Nov 25)
- Security Problems in XMCD 2.1 David J. Meltzer (Nov 26)
- Re: Security Problems in XMCD 2.1 Theo Van Dinter (Nov 26)
- Re: Security Problems in XMCD 2.1 Jim Dennis (Nov 26)
- Re: Security Problems in XMCD 2.1 Alan Cox (Nov 27)
- Administratriva Aleph One (Nov 26)
- A security issue of a different kind. Alan Brown (Nov 26)
- BOOTP/DHCP security itudps (Nov 26)
- Re: BOOTP/DHCP security Alan Cox (Nov 27)
- Re: A security issue of a different kind. Jon Peatfield (Nov 27)
- Re: A security issue of a different kind. Piete Brooks (Nov 27)
- Major Security Vulnerabilities in Remote CD Databases David J. Meltzer (Nov 26)
- Re: Major Security Vulnerabilities in Remote CD Databases itudps (Nov 26)
- lquerypv fix Troy Bollinger (Nov 25)