bsd_flags.txt

`Subject: [[email protected]: FreeBSD-SA-99:01: BSD File Flags  
and Programming Techniques]  
To: [email protected]   
  
  
[[email protected] 1.ems Content-Type: text/plain; charset=us-ascii  
  
*** PGP Signature Status: unknown  
*** Signer: Unknown, Key ID xBE7497F1  
*** Signed: 9/3/99 11:38:10 PM  
*** Verified: 9/13/99 2:37:02 PM  
*** BEGIN PGP VERIFIED MESSAGE ***  
  
  
----- Forwarded message from [email protected] -----  
  
Delivered-To: [email protected]  
From: [email protected]  
To: [email protected]  
Cc: [email protected]  
Subject: FreeBSD-SA-99:01: BSD File Flags and Programming Techniques  
Date: Fri, 03 Sep 1999 23:29:36 -0600  
X-Loop: FreeBSD.org  
Precedence: bulk  
  
  
-----BEGIN PGP SIGNED MESSAGE-----  
  
=============================================================================  
FreeBSD-SA-99:01 Security Advisory  
FreeBSD, Inc.  
  
Topic: BSD File Flags and Programming Techniques  
  
Category: core  
Module: kernel  
Announced: 1999-09-04  
Affects: FreeBSD 3.2 (and earlier)  
FreeBSD-current before the correction date.  
Corrected: FreeBSD-3.3 RELEASE  
FreeBSD-current as of 1999/08/02  
FreeBSD-3.2-stable as of 1999/08/02  
FreeBSD-2.2.8-stable as of 1999/08/04  
FreeBSD only: NO  
  
Patches: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-99:01/  
  
I. Background   
  
BSD 4.4 added various flags to files in the file system. These flags  
control various aspects of which operations are permitted on those  
files. Historically, root has been been able to do all of these  
operations so many programs that knew they were running as root didn't  
check to make sure that these operations succeeded.  
  
II. Problem Description  
  
A user can set flags and mode on the device which they logged into.  
Since a bug in login and other similar programs causes the normal  
chown to fail, this first user will own the terminal of any login.  
  
III. Impact  
  
Local users can execute a man-in-the-middle attack against any other  
user (including root) when the other users logs in. This give them  
the ability to snoop and alter all text that the user writes. Results  
of this include the ability to execute commands as the user, and  
stealing the user's password (and anything else the users writes over  
the connection, including passwords for other machines).  
  
IV. Workaround  
  
None.  
  
V. Solution  
  
FreeBSD-current  
  
Index: kern/vfs_syscalls.c  
===================================================================  
RCS file: /home/imp/FreeBSD/CVS/src/sys/kern/vfs_syscalls.c,v  
retrieving revision 1.125  
retrieving revision 1.128  
diff -u -r1.125 -r1.128  
--- vfs_syscalls.c 1999/07/29 17:02:56 1.125  
+++ vfs_syscalls.c 1999/08/04 04:52:18 1.128  
@@ -1892,13 +1892,23 @@  
int error;  
struct vattr vattr;  
  
+ /*  
+ * Prevent non-root users from setting flags on devices. When  
+ * a device is reused, users can retain ownership of the device  
+ * if they are allowed to set flags and programs assume that  
+ * chown can't fail when done as root.  
+ */  
+ if ((vp->v_type == VCHR || vp->v_type == VBLK) &&   
+ ((error = suser_xxx(p->p_ucred, p, PRISON_ROOT)) != 0))  
+ return (error);  
+  
VOP_LEASE(vp, p, p->p_ucred, LEASE_WRITE);  
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, p);  
VATTR_NULL(&vattr);  
vattr.va_flags = flags;  
error = VOP_SETATTR(vp, &vattr, p->p_ucred, p);  
VOP_UNLOCK(vp, 0, p);  
- return error;  
+ return (error);  
}  
  
/*  
  
FreeBSD-3.2-stable  
  
Index: kern/vfs_syscalls.c  
===================================================================  
RCS file: /home/imp/FreeBSD/CVS/src/sys/kern/vfs_syscalls.c,v  
retrieving revision 1.112.2.3  
retrieving revision 1.112.2.5  
diff -u -r1.112.2.3 -r1.112.2.5  
--- vfs_syscalls.c 1999/07/30 01:07:23 1.112.2.3  
+++ vfs_syscalls.c 1999/08/11 21:39:50 1.112.2.5  
@@ -1839,13 +1839,23 @@  
int error;  
struct vattr vattr;  
  
+ /*  
+ * Prevent non-root users from setting flags on devices. When  
+ * a device is reused, users can retain ownership of the device  
+ * if they are allowed to set flags and programs assume that  
+ * chown can't fail when done as root.  
+ */  
+ if ((vp->v_type == VCHR || vp->v_type == VBLK) &&   
+ ((error = suser(p->p_ucred, &p->p_acflag)) != 0))  
+ return (error);  
+  
VOP_LEASE(vp, p, p->p_ucred, LEASE_WRITE);  
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, p);  
VATTR_NULL(&vattr);  
vattr.va_flags = flags;  
error = VOP_SETATTR(vp, &vattr, p->p_ucred, p);  
VOP_UNLOCK(vp, 0, p);  
- return error;  
+ return (error);  
}  
  
/*  
  
FreeBSD 2.2.8-stable:  
  
Index: kern/vfs_syscalls.c  
===================================================================  
RCS file: /home/imp/FreeBSD/CVS/src/sys/kern/vfs_syscalls.c,v  
retrieving revision 1.51.2.7  
retrieving revision 1.51.2.8  
diff -u -r1.51.2.7 -r1.51.2.8  
--- vfs_syscalls.c 1998/07/03 03:50:31 1.51.2.7  
+++ vfs_syscalls.c 1999/08/04 18:58:56 1.51.2.8  
@@ -1439,6 +1439,17 @@  
if (error)  
return (error);  
vp = nd.ni_vp;  
+ if ((error = VOP_GETATTR(vp, &vattr, p->p_ucred, p)))  
+ return (error);  
+ /*  
+ * Prevent non-root users from setting flags on devices. When  
+ * a device is reused, users can retain ownership of the device  
+ * if they are allowed to set flags and programs assume that  
+ * chown can't fail when done as root.  
+ */  
+ if ((vp->v_type == VCHR || vp->v_type == VBLK) &&  
+ ((error = suser(p->p_ucred, &p->p_acflag)) != 0))  
+ return (error);  
LEASE_CHECK(vp, p, p->p_ucred, LEASE_WRITE);  
VOP_LOCK(vp);  
VATTR_NULL(&vattr);  
  
VI. Credits  
  
Theo de Raadt came up with the firewalling solution presented here.  
  
[email protected] brought this problem to light.  
  
=============================================================================  
FreeBSD, Inc.  
  
Web Site: http://www.freebsd.org/  
Confidential contacts: [email protected]  
Security notifications: [email protected]  
Security public discussion: [email protected]  
PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc  
  
Notice: Any patches in this document may not apply cleanly due to  
modifications caused by digital signature or mailer software.  
Please reference the URL listed at the top of this document  
for original copies of all patches if necessary.  
=============================================================================  
  
-----BEGIN PGP SIGNATURE-----  
Version: 2.6.3ia  
Charset: noconv  
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface  
  
iQCVAwUBN9CAHFUuHi5z0oilAQEJPwP/XhzCOs4ipJkZIPWlSDvsvPLcJWXzb3HK  
Fs8gLV3CPnW7YdSpveosI3hBY9WNCVAFx9WkM5+n+FBSRfbRzFJkkblN85ZCz7pI  
+RXg6Sv5vuzy6SRxMRK2vu1FXuwZevVQaMq4ANUXpdo5MyUE8rMGb9PLWdxOxdf5  
s6zlG0oFyvI=  
=CqoX  
-----END PGP SIGNATURE-----  
  
  
This is the moderated mailing list freebsd-announce.  
The list contains announcements of new FreeBSD capabilities,  
important events and project milestones.  
See also the FreeBSD Web pages at http://www.freebsd.org  
  
  
To Unsubscribe: send mail to [email protected]  
with "unsubscribe freebsd-announce" in the body of the message  
  
----- End forwarded message -----  
  
--   
Patrick Oonk - PO1-6BONE - [email protected] - www.pine.nl/~patrick  
Pine Internet B.V. PGP key ID BE7497F1   
Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/  
-- Pine Security Digest - http://security.pine.nl/ (Dutch) ----  
Excuse of the day: Your Flux Capacitor has gone bad.  
  
  
*** END PGP VERIFIED MESSAGE ***  
  
`