On Tue, Aug 10, 2010 at 05:36:12PM +0200, Dag-Erling Sm??rgrav wrote: > > 41513 ftpd CALL seteuid(0xbb8) > > 41513 ftpd RET seteuid 0 > > 41513 ftpd NAMI "/home/venglin/.login_conf" > > 41513 ftpd NAMI "/home/venglin/.login_conf.db" > > 41513 ftpd NAMI "/home/venglin/.login_conf.db" > > login_getclassbyname() temporarily drops privs while reading the user's > .login_conf, because the user's ~ may be on (for instance) an NFS mount > with -maproot=nobody. > > Janne's mistake is to assume that reading == processing. > > However, he is correct in that in the event of an exploitable code > injection vulnerability in the code that *reads* the file, the injected > code can easily reacquire root privs. > > There is a different issue documented in PR bin/141840 which results in > the user's resource limits being processed *with* root privs in certain > circumstances. It so happens that in FreeBSD, those circumstances only > arise in OpenSSH. This does not mean that the bug is in OpenSSH; it's > in setusercontext(3), which makes unwarranted assumptions about how it > is being called. > > Unfortunately, that PR arrived at a time when so@ was busy with far more > important issues, and it fell through the cracks. > > The good news is that the the only settings that can be overridden in > this manner are resource limits and the CPU mask.
There is another issue in stock ftpd and usercontext, see PR http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/143570 which contains trivial patch. Eugene Grosbein _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"
