Bugtraq mailing list archives
Re: Security Problems in XMCD 2.1
From: jimd () starshine org (Jim Dennis)
Date: Tue, 26 Nov 1996 20:09:04 -0800
On a side tangent, the standard rule of thumb is: "If a program doesn't really need SUID/GID, don't give it SUID/GID." ... Doesn't fix the buffer overrun, but it doesn't give the user root either... Theo Van Dinter www: http://www.kluge.net/~felicity/
Add to that the notion that -- wherever possible --
any SUID program should be o-rxw (i.e. only
owner and group executable). By ensuring that
only "trusted" users are allowed to execute your
programs you minimize the number of people who can
use the exploit (forcing most attackers to compromise
one of your "wheel" or "staff" or "console" accounts
before they can use their favorite exploits).
Specifically all of these modplayer, CD player,
SVGALib, audio-recorder, CU-See-Me clients and
similar SUID programs can be configured to be
owned by a "console" group. You can then add
only those users with console access to that
group.
Things like chsh and chfn and passwd should be
owned by a group like 'shell' -- so that only
shell account holders can execute them (meaning
that 'nobody' and 'daemon' and 'www' and 'listman'
and 'postman' (P'gres) -- can't execute these
I'm considering taking things like chsh and chfn
and setting them to execute through a sudo/expect
wrapper. This wouldn't add much to the security
on the shell accounts directly -- but it would force
logging of each execution of these commands --
and the wrapper script could check arguments or
other factors. It might also prevent LD_PATH
and IFS types of attacks (since sudo seems to
check it's environment -- and keeping just one
statically linked sudo binary around beats
dealing with some number of other binaries that
might have to be statically linked *and* might
have a variety of SUID bugs).
I was looking at SFW (simple file wrapper) off of
the COAST archive at Purdue recently. Unfortunately
it isn't very portable -- Solaris and AIX only so
far. I was able to get it to compile under Linux --
but it didn't work properly (segv on some NIS/YP
calls or something like that).
However, what attracted me to this package
was the optional MD5 check on your binary after
the ACL is verified and before the su/execution.
The idea of this package is that it allows the admin
to configure any number of programs to be run by any
number of different users or groups 'as' any user
and subject of various controls (like time-of-day,
day-of-week limitations).
It would be need to hack sudo to allow for an
MD5 check before execution as well.
Maybe I'll work on that before next year.
Jim Dennis,
Starshine Technical Services
Current thread:
- AIX lquerypv, (continued)
- AIX lquerypv Aleph One (Nov 25)
- lquerypv fix Troy Bollinger (Nov 25)
- Security Problems in XMCD David J. Meltzer (Nov 25)
- FreeBSD Security Advisory: FreeBSD-SA-96:18.lpr FreeBSD Security Officer (Nov 25)
- Digital FW2.0 question Peter Dieth (Nov 26)
- Re: Digital FW2.0 question Alan Cox (Nov 27)
- Re: FreeBSD Security Advisory: FreeBSD-SA-96:18.lpr Warner Losh (Nov 26)
- XMCD v2.1 released (was: Security Problems in XMCD) Xmcd Admin (Nov 25)
- Security Problems in XMCD 2.1 David J. Meltzer (Nov 26)
- Re: Security Problems in XMCD 2.1 Theo Van Dinter (Nov 26)
- Re: Security Problems in XMCD 2.1 Jim Dennis (Nov 26)
- Re: Security Problems in XMCD 2.1 Alan Cox (Nov 27)
- Administratriva Aleph One (Nov 26)
- A security issue of a different kind. Alan Brown (Nov 26)
- BOOTP/DHCP security itudps (Nov 26)
- Re: BOOTP/DHCP security Alan Cox (Nov 27)
- Re: A security issue of a different kind. Jon Peatfield (Nov 27)
- Re: A security issue of a different kind. Piete Brooks (Nov 27)
- Major Security Vulnerabilities in Remote CD Databases David J. Meltzer (Nov 26)
- Re: Major Security Vulnerabilities in Remote CD Databases itudps (Nov 26)
- lquerypv fix Troy Bollinger (Nov 25)