unauthorized write access to /etc directory using chfn/chsh commands in FreeBSD 

Contributing factors:

In FreeBSD 5.0, it is possible to fill up the whole partition by using chfn/chsh 
commands. Normally, users have quotas set up on directories that are allowed to be 
written for them, e.g. home directory, /tmp, /var/tmp, etc.

Let's say, a user has quotas set up this way:

% quota -u rado
Disk quotas for user rado (uid 1001):
     Filesystem   usage   quota   limit   grace   files   quota   limit   grace
          /home   66760  500000  550000            3481       0       0
           /tmp  135193  260000  280000            5417       0       0

There's normally no need to set up quotas for other partitions (such as /, /usr, ...) 
because ordinary users have no permissions to write/change the files in that 
directories, e.g. in / or /etc.


Our experience with the chsh/chfn commands shows that when a user changes his/her 
finger information/shell, these commands invoke vi editor with a temporary file stored 
in /tmp. Imagine that a user's quota exceeded his/her limit for /tmp. Our ordinary 
user did this by filling up /tmp partition with many large files. chfn/chsh commands 
then stored their temporary files in /etc directory with given user's permissions, 

% id happy
uid=2006(happy) gid=58(st1999) groups=58(st1999)

% quota -u happy
 /tmp   21995*  20000   22000   7days       6       0       0
(We can see that the disk quota exceeded in /tmp for user happy)

% ls -ld /etc
drwxr-xr-x  20 root  wheel  22016 Aug  1 19:22 /etc

% ls -l /etc | grep happy
-rw-------   1 happy  st1999    157278362 Aug  1 19:19 pw.BEMwxq
-rw-------   1 happy  st1999          154 Aug  1 19:22 pw.KxGCF3
-rw-------   1 happy  st1999    157278362 Aug  1 19:19 pw.iW7Pmt
-rw-------   1 happy  st1999    157278362 Aug  1 19:20 pw.rhJq0s
-rw-------   1 happy  st1999    157278374 Aug  1 19:16 pw.tpPLK4

Now it is possible for such a user to fill up the root partition without having a 
permission set on /, e.g. with

% cat /dev/zero >> /etc/pw.KxGCF3


Our workaround is to either set up a quotas for a root partition or disable chsh/chfn 

Important Notices:

1. chpass, ypchpass, ypchfn, and ypchsh commands seem to be also affected by the 
symptoms described above because they are just hard links... :)
2. When experimenting with a chpass command, it caused a segmentation fault when used 
with -a argument because of a NULL pointer comparation in chpass.c, line 169: 

(no getpw* (3) library call invoked!!!)
if ((pw->pw_fields & _PWF_SOURCE) == _PWF_NIS)

% id happy
uid=2006(happy) gid=58(st1999) groups=58(st1999)

% chpass -a qqqqq
Segmentation fault

chpass doesn't seem to be locally exploitable. Some changes to a source code are 
needed for normal operation.




To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to