Bugtraq mailing list archives

Re: ncurses 4.1 security bug

From: imp () VILLAGE ORG (Warner Losh)
Date: Fri, 10 Jul 1998 14:07:54 -0600


In message <9807091617.ZM3971 () nocboy ntr net> Matt Evans writes:
: a.jar() and b.jar() are going to both get called before other_stuff(),
: but you have no way of knowing in which order a.jar() b.jar() get called with
: respect to each other.  does jar() need to drop privs ?  i hardly think so.
: what happens when "class lazy_programmer{};" comes along ?  must all of its
: constructors also "drop privs" as well ?  if every function "drops privs"
: before main() ever starts, and every function does so in some random order, i
: fail to see how you can create a useful set[ug]id program.

And you have no way of knowing if they get called in such a ways as to
put libc at risk.

I see two solutions to this problem:

        1) set?id programs need to be modified.  They need to come up
           with their privs disabled and explicitly enable them for
           the work they need to do.  This is definitely a change in
           the traditional behavior of how set?id works.  It would buy
           a few things at the cost of a few other things.  I'm
           surprised that I've need seen references to this in the
           literature.

           The up side is that chmod 4777 /bin/sh no longer gives you
           a setuid shell.  Code would have to be more explicit in its
           use of privs.  This is likely a good thing.

           The down side is that chmod 4777 /bin/sh no longer gives
           you a root sheel.  ALL setuid programs must be changed to
           run on a system like this, or they will fail to operate.

           This would fix the class of problems that are characterized
           by code running with too many privs to access shared
           resources.  This seems like an interesting enough set of
           problems to go after.

           I suspect that you don't want to do this in crt0.o because
           a roughe program could easily bypass that check.  Kernel
           support seems a must.

           Doesn't do squat about the problem of buffer overflows...

        2) have an option to ld that refuses to allow any global ctors
           to be called.  This way you could have some safety in the
           writing set[gu]id programs that are written in languages
           that allow this, or call library routines that allow this.

Comments?

Warner

Current thread:

Re: Forwared to me, (continued)
- - - Re: Forwared to me Michael H. Warfield (Jul 13)
    - Re: Forwared to me Raymond Medeiros (Jul 13)
    - Re: Forwared to me Toomas Soome (Jul 13)
    - Re: Forwared to me Michael H. Warfield (Jul 13)
    - Re: Forwared to me Jason Downs (Jul 13)
    - Re: Forwared to me Illuminatus Primus (Jul 13)
    - Netware 4.x Attack Tool Announcement Simple Nomad (Jul 13)
- Re: ncurses 4.1 security bug Casper Dik (Jul 09)
  - Re: ncurses 4.1 security bug Pavel Kankovsky (Jul 09)
- Re: ncurses 4.1 security bug Matt Evans (Jul 09)
  - Re: ncurses 4.1 security bug Warner Losh (Jul 10)
    - inetd can leak file descriptors +FIX Jeff Forys (Jul 14)
    - Re: ncurses 4.1 security bug Alexander Kjeldaas (Jul 15)
- Re: ncurses 4.1 security bug Ben Laurie (Jul 11)
  - Re: ncurses 4.1 security bug David Schwartz (Jul 11)
  - Re: ncurses 4.1 security bug Geoffrey KEATING (Jul 14)
- Re: ncurses 4.1 security bug Ben Laurie (Jul 11)
  - Re: ncurses 4.1 security bug David Schwartz (Jul 11)
- Re: ncurses 4.1 security bug Ben Laurie (Jul 12)