On August 16, 2014 12:09:32 AM CEST, Paul de Weerd <we...@weirdnet.nl> wrote:
>On Fri, Aug 15, 2014 at 11:51:53PM +0200, Paul de Weerd wrote:
>| At any rate, this changes that to allow world readable files (still
>| not taking world writable files).  We can't check S_IWOTH over tftp,
>| we should probably assume 0777 for files transferred that way.  But,
>| if you're trusting the kernel you're getting over tftp, then why the
>| hell are you not trusting random.seed?  That attacker that could maybe
>| influence your randomness would NEVER touch your kernel to ensure it
>| only produces well known (to them) randomness.  That would be way too
>| easy...
>
>Actually, no, scratch that.  You don't want the local seed to be world
>readable, since that will expose it to everybody on the local system
>for non-TFTP loaded kernels and seedfiles.

Well, it is merely added to the mix, and only once, so I don't think it adds 
any substantial attack vector.

>
>The alternative then is to assume 0440 for files transferred from
>tftp.  The permissions on files transferred from tftp are irrelevant

I think that just feels strange.

>following the above argument (you trust that kernel you just
>downloaded, might as well trust random.seed).  To make random.seed pass
>the loadrandom() tests, just set st_mode to 0440:
>
>Index: tftp.c
>===================================================================
>RCS file: /cvs/src/sys/lib/libsa/tftp.c,v
>retrieving revision 1.6
>diff -u -p -u -r1.6 tftp.c
>--- tftp.c     13 Jul 2014 15:31:20 -0000      1.6
>+++ tftp.c     15 Aug 2014 22:03:27 -0000
>@@ -386,7 +386,7 @@ tftp_stat(struct open_file *f, struct st
>       struct tftp_handle *tftpfile;
>       tftpfile = (struct tftp_handle *) f->f_fsdata;
> 
>-      sb->st_mode = 0444;
>+      sb->st_mode = 0440;
>       sb->st_nlink = 1;
>       sb->st_uid = 0;
>       sb->st_gid = 0;
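Review bot: hard-coding st_mode = 0440 in tftp_stat() makes every tftp-served file report a restriction that does not exist, so the permission test in loadrandom() passes for reasons unrelated to how the seed is actually protected; tftp has no way to convey or enforce the real mode, and the server-side file may be readable by anyone on the network. If the intent is "trust tftp-loaded files the same way we trust the tftp-loaded kernel", that decision is better made explicitly in the caller (skip or relax the mode check for files that came over tftp, and print a warning when a file is rejected or accepted with unknown permissions) rather than by fabricating a mode value here. At minimum the changed line deserves a comment stating that the mode is synthetic and why 0440 was chosen over the previous 0444, since st_uid/st_gid are also synthetic zeros in the same block.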

I'd be fine with someone ok'ing that, but it won't be me. :)

At the very least, and maybe either way, we should print a warning if we decide 
not to use the file because of loose permissions.

/Alexander
