Bugtraq mailing list archives
Re: Solaris 2.5.1 party piece
From: casper () HOLLAND SUN COM (Casper Dik)
Date: Thu, 3 Jul 1997 21:00:37 +0200
It seems that Sun has finally fixed this. Patch 103093-13 (Solaris 2.5 SPARC) claims to fix (among others) the following problem: 1238582 privileged ifconfig ioctls by normal user succeed on sockets created as root
[[ What I'm saying here is in no way the official Sun view on things; it's an explanation from my point of view inside Sun why this fix took so long in coming; I was involved in part of the discussion as I filed the bug. I am, however, about an ocean and a continent removed from the place were "things happen" and as such I can't even testify to what I write here being even close to the truth. Now that I'm writing this I'm thinking long and hard of whether I should even mail this out or not; if you read this, apparently I have decided for it.]] When Alan Cox posted his message, a patch for 5.3 was already out. The bug was already in the kernel jumbo patch queue for all other releases under active maintenance (2.3 and up). However, it takes a minimum of 6 to 8 weeks for a kernel patch to pass all tests. If new bugs are introduced as a result, those are fixed in the next release which would cause a further one month delay as bugs are combined into new "kernel updates" about once a month. This process was introduced for a reason; those of you who remember running Solaris when 2.3 was the latest version probably know all too well why. [[ Checking with "grep ^Date" in the 2.4 patch archive it seems that this measure was not introduced until mid '95 ]] Also, around that time it must have been decided that kernel patches will only include the kernel unless it is absolutely necessary that the kernel patch and another patch are applied at the same time. This is evidenced by the fact that the 2.5* kernel patches are much leaner than the 2.4 and before variants. This particular bugs was specifically delayed because it first needed to be discussed where exactly to fix the bug. Down stream where the ioctl is performed, all that is available is the "cred*" passed down from above. This "cred*" traditionally is the "cred*" that lives in the vnode; the cred* of the process that opens/creates the stream. That pointer doesn't change when the fd gets inherited, such as with rshd or rexecd. Note that this is actually normal for files; a file opened as root but then handed to a normal user can be manipulated by that normal user as is he is root. E.g., his quota or read/write permissions to the file don't apply. In the discussion it soon became clear that there are several options to fix this; one option being inventing an "fcntl" to change the credentials on a STREAM/file. That would have required changing many daemons. A second, more esthetically pleasing, option was changing the credentials passed down to those of the calling process rather than those of the opening process as this would require no code changes outside the kernel. Implementing the second option was decided on but that required a change to the semantics of *all* STREAMs ioctl() calls. (pass ioctl() time credentials rather than open() time credentials). Since this was considered to be a risky fix, it was first deployed in Solaris 2.6 alpha/beta. Since the original beta program was more limited than initially intended the patching of the bug got further delayed as further exposure in the Early Access program was deemed necessary. The bug got put in the kernel patch queue sometime after the start of EA Only know the patches are coming of the other end. Such is the history of bug #1238582. Alan Cox' message to bugtraq has not expedited the patch process in any way. Casper
Current thread:
- Re: Solaris 2.5.1 party piece Davin Milun (Jul 03)
- Re: Solaris 2.5.1 party piece Casper Dik (Jul 03)
- Vulnerability in websendmail Razvan Dragomirescu (Jul 04)
- tar-error inter (Jul 05)
- Solution to MacDNS problem (keywords MacDNS DNS Macintosh Dan Brown (Jul 07)
- Vulnerability in websendmail (fwd) Julian Assange (Jul 07)
- Alert: Utility allows any user to become a member of local Admini Aleph One (Jul 08)
- Re: Vulnerability in websendmail Randal Schwartz (Jul 08)
- SGI Security Advisory 19970502-02-PX - xlock Vulnerability SGI Security Coordinator (Jul 08)
- Buffer Overflows exploit for SunOS 4.1.4 Willy TARREAU (Jul 08)
- GetAdmin NT exploit Christopher Klaus (Jul 08)
- Inside GetAdmin Mark Joseph Edwards (Jul 08)
(Thread continues...)