Bug#556522: hurd - using the login shell is insecure
Heya,

Justus Winter, on Sun 16 Jan 2011 05:49:55 +0100, wrote:
> > Justus Winter, on Wed 12 Jan 2011 00:39:35 +0100, wrote:
> > > diff -r a95557dc73eb daemons/getty.c --- a/daemons/getty.c Tue Jan 11 00:00:32 2011 + +++ b/daemons/getty.c Tue Jan 11 23:38:12 2011 + @@ -129,10 +129,10 @@ if (tt strcmp (tt-ty_type, dialup) == 0) /* Dialup lines time out (which is login's default). */ -execl (_PATH_LOGIN, login, -e, arg, NULL); +execl (_PATH_LOGIN, login, --no-passwd, -aMOTD, -e, arg, login, NULL); else /* Hardwired lines don't. */ -execl (_PATH_LOGIN, login, -e, arg, -aNOAUTH_TIMEOUT, NULL); +execl (_PATH_LOGIN, login, --no-passwd, -aMOTD, -e, arg, -aNOAUTH_TIMEOUT, login, NULL); syslog (LOG_ERR, %s: %m, _PATH_LOGIN);
> > Mmm, why these?
> You've got a point here. After reading the login program's source I realized that 'login' is the default unprivileged user to use and that spawning this session requires no password (btw, is there documentation for Hurd's userspace tools that I am just unable to find?).

See hurd.info:

14 Authentication
* FIXME: finish
14.3 login, loginpr
===

> I'd argue to keep the -aMOTD though to prevent the motd from being shown before the user logs in

Actually that's due to another bug.

Samuel

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#556522: hurd - using the login shell is insecure
Justus Winter, on Wed 12 Jan 2011 00:39:35 +0100, wrote:
> diff -r a95557dc73eb daemons/getty.c --- a/daemons/getty.c Tue Jan 11 00:00:32 2011 + +++ b/daemons/getty.c Tue Jan 11 23:38:12 2011 + @@ -129,10 +129,10 @@ if (tt strcmp (tt-ty_type, dialup) == 0) /* Dialup lines time out (which is login's default). */ -execl (_PATH_LOGIN, login, -e, arg, NULL); +execl (_PATH_LOGIN, login, --no-passwd, -aMOTD, -e, arg, login, NULL); else /* Hardwired lines don't. */ -execl (_PATH_LOGIN, login, -e, arg, -aNOAUTH_TIMEOUT, NULL); +execl (_PATH_LOGIN, login, --no-passwd, -aMOTD, -e, arg, -aNOAUTH_TIMEOUT, login, NULL); syslog (LOG_ERR, %s: %m, _PATH_LOGIN);

Mmm, why these?

Samuel
Bug#556522: hurd - using the login shell is insecure
Hey Samuel :)

> Justus Winter, on Wed 12 Jan 2011 00:39:35 +0100, wrote:
> > diff -r a95557dc73eb daemons/getty.c --- a/daemons/getty.c Tue Jan 11 00:00:32 2011 + +++ b/daemons/getty.c Tue Jan 11 23:38:12 2011 + @@ -129,10 +129,10 @@ if (tt strcmp (tt-ty_type, dialup) == 0) /* Dialup lines time out (which is login's default). */ -execl (_PATH_LOGIN, login, -e, arg, NULL); +execl (_PATH_LOGIN, login, --no-passwd, -aMOTD, -e, arg, login, NULL); else /* Hardwired lines don't. */ -execl (_PATH_LOGIN, login, -e, arg, -aNOAUTH_TIMEOUT, NULL); +execl (_PATH_LOGIN, login, --no-passwd, -aMOTD, -e, arg, -aNOAUTH_TIMEOUT, login, NULL); syslog (LOG_ERR, %s: %m, _PATH_LOGIN);
> Mmm, why these?

You've got a point here. After reading the login program's source I realized that 'login' is the default unprivileged user to use and that spawning this session requires no password (btw, is there documentation for Hurd's userspace tools that I am just unable to find?).

I'd argue to keep the -aMOTD though to prevent the motd from being shown before the user logs in (weird thing is that the motd isn't shown after the user logs in if loginpr is started by the getty but it is shown if I start it manually. I grepped the env for motd but found nothing that would indicate the reason for the different behaviour).

A revised patch is attached. Feel free to just drop the getty related part if you should disagree on the MOTD thing.

Cheers,
Justus

diff -r a95557dc73eb daemons/getty.c --- a/daemons/getty.c Tue Jan 11 00:00:32 2011 + +++ b/daemons/getty.c Sun Jan 16 03:29:51 2011 +
@@ -129,10 +129,10 @@ if (tt strcmp (tt-ty_type, dialup) == 0) /* Dialup lines time out (which is login's default). */ -execl (_PATH_LOGIN, login, -e, arg, NULL); +execl (_PATH_LOGIN, login, -aMOTD, -e, arg, NULL); else /* Hardwired lines don't. */ -execl (_PATH_LOGIN, login, -e, arg, -aNOAUTH_TIMEOUT, NULL); +execl (_PATH_LOGIN, login, -aMOTD, -e, arg, -aNOAUTH_TIMEOUT, NULL); syslog (LOG_ERR, %s: %m, _PATH_LOGIN);
diff -r a95557dc73eb debian/postinst --- /dev/null Thu Jan 01 00:00:00 1970 + +++ b/debian/postinst Sun Jan 16 03:29:51 2011 + @@ -0,0 +1,13 @@ +#!/bin/sh +set -e + +if [ $1 = configure ]; then + add-shell /bin/loginpr || true + if ! getent passwd login /dev/null; then +adduser --disabled-password --quiet --system \ + --home /etc/login --no-create-home --shell /bin/loginpr \ + --gecos login user --group login + fi +fi + +#DEBHELPER#
diff -r a95557dc73eb debian/postrm --- /dev/null Thu Jan 01 00:00:00 1970 + +++ b/debian/postrm Sun Jan 16 03:29:51 2011 + @@ -0,0 +1,20 @@ +#!/bin/sh +set -e + +if [ $1 = purge ]; then + remove-shell /bin/loginpr + if ! deluser --quiet --system login /dev/null; then +echo +Removing the user 'login' failed, most likely because the user is still +logged in. To remove the user and group terminate the session in question +and execute + +deluser --quiet --system login +delgroup --quiet --system login + + else +delgroup --quiet --system login /dev/null || true + fi +fi + +#DEBHELPER#
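Review bot: the getty.c hunk adds -aMOTD to both execl calls without a comment saying why, and the reply in this thread attributes the motd-before-login behaviour to a separate bug; if the argument stays, a one-line comment at the call site (or in the commit message) should record that it works around that bug, so it can be dropped once the real cause is fixed.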
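Review bot: in the debian/postinst hunk, adduser is given --home /etc/login together with --no-create-home, so the script relies on /etc/login already existing; either the package must ship that directory or the script should create it before the account is usable. As printed here, --gecos login user also reads as two arguments, so "login user" needs quoting. The getent guard before adduser makes the account creation idempotent, which is the right shape for a maintainer script under set -e.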
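Review bot: in the debian/postrm hunk, remove-shell /bin/loginpr runs under set -e without the || true that add-shell gets in postinst, so a failure there aborts the purge before deluser is even attempted. It also runs before deluser, so in the case the message describes (deluser failing because a getty session is still active) the /etc/shells entry is already gone while the account remains; move remove-shell after the successful deluser branch and guard it.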
Bug#556522: hurd - using the login shell is insecure
Hey Samuel :)

> Justus Winter, on Mon 10 Jan 2011 00:36:07 +0100, wrote:
> > I incorporated some code from util-linux's getty to make Hurd's getty ask for a login name and pass that name to login. This way the login shell is no longer needed. I also turned on login's --paranoid flag to prevent it leaking whether a user exists or not.
> Err, did you see my previous reply? It's all already implemented:
> “Note: to do so we simply need to create a login account with default shell set to /bin/loginpr and home set to /etc/login.”

Hm, I read your message, but it obviously didn't come through,

Please find attached a revised patch that adds such a user in the postinst script and changes the getty accordingly. Unfortunately it is not as easy to remove the user once the getty spawned a session using that user, so I added a message to inform the user how to manually remove the user and group once the session has been terminated. Not sure if that is the way to go though...

Cheers,
Justus

diff -r a95557dc73eb daemons/getty.c --- a/daemons/getty.c Tue Jan 11 00:00:32 2011 + +++ b/daemons/getty.c Tue Jan 11 23:38:12 2011 + @@ -129,10 +129,10 @@ if (tt strcmp (tt-ty_type, dialup) == 0) /* Dialup lines time out (which is login's default). */ -execl (_PATH_LOGIN, login, -e, arg, NULL); +execl (_PATH_LOGIN, login, --no-passwd, -aMOTD, -e, arg, login, NULL); else /* Hardwired lines don't. */ -execl (_PATH_LOGIN, login, -e, arg, -aNOAUTH_TIMEOUT, NULL); +execl (_PATH_LOGIN, login, --no-passwd, -aMOTD, -e, arg, -aNOAUTH_TIMEOUT, login, NULL); syslog (LOG_ERR, %s: %m, _PATH_LOGIN);
diff -r a95557dc73eb debian/postinst --- /dev/null Thu Jan 01 00:00:00 1970 + +++ b/debian/postinst Tue Jan 11 23:38:12 2011 +
@@ -0,0 +1,13 @@ +#!/bin/sh +set -e + +if [ $1 = configure ]; then + add-shell /bin/loginpr || true + if ! getent passwd login /dev/null; then +adduser --disabled-password --quiet --system \ + --home /etc/login --no-create-home --shell /bin/loginpr \ + --gecos login user --group login + fi +fi + +#DEBHELPER#
diff -r a95557dc73eb debian/postrm --- /dev/null Thu Jan 01 00:00:00 1970 + +++ b/debian/postrm Tue Jan 11 23:38:12 2011 + @@ -0,0 +1,20 @@ +#!/bin/sh +set -e + +if [ $1 = purge ]; then + remove-shell /bin/loginpr + if ! deluser --quiet --system login /dev/null; then +echo +Removing the user 'login' failed, most likely because the user is still +logged in. To remove the user and group terminate the session in question +and execute + +deluser --quiet --system login +delgroup --quiet --system login + + else +delgroup --quiet --system login /dev/null || true + fi +fi + +#DEBHELPER#
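Review bot: the getty.c hunk of this version passes --no-passwd and a trailing login argument to both execl calls, but as the follow-up in this thread confirms from login's source, login is already the default user when no name is given and that session needs no password, so both additions are redundant; --no-passwd in particular should only appear with a stated reason, since it disables the authentication step for whatever name is passed. The revised patch drops both, which is the right call.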
Bug#556522: hurd - using the login shell is insecure
Justus Winter, on Wed 12 Jan 2011 00:39:35 +0100, wrote:
> diff -r a95557dc73eb debian/postrm --- /dev/null Thu Jan 01 00:00:00 1970 + +++ b/debian/postrm Tue Jan 11 23:38:12 2011 + @@ -0,0 +1,20 @@ +#!/bin/sh +set -e + +if [ $1 = purge ]; then + remove-shell /bin/loginpr + if ! deluser --quiet --system login /dev/null; then +echo +Removing the user 'login' failed, most likely because the user is still +logged in. To remove the user and group terminate the session in question +and execute

Mmm, we're talking about the hurd package, right? I doubt we should take more care about purging it than what you propose, since it's a required package :)

Samuel
Bug#556522: hurd - using the login shell is insecure
tags 556522 patch
thanks

Hi :)

I incorporated some code from util-linux's getty to make Hurd's getty ask for a login name and pass that name to login. This way the login shell is no longer needed. I also turned on login's --paranoid flag to prevent it leaking whether a user exists or not.

Cheers,
Justus

--- hurd-20100926/daemons/getty.c 2010-09-26 22:10:52.0 + +++ hurd-20100926-mine/daemons/getty.c 2011-01-09 23:35:27.0 + @@ -4,6 +4,9 @@ Written by Michael I. Bushnell, p/BSG. + This file contains parts of the get_logname function from + util-linux/getty.c. + This file is part of the GNU Hurd. The GNU Hurd is free software; you can redistribute it and/or @@ -34,11 +37,21 @@ #include utmp.h #include sys/ioctl.h #include termios.h +#include ctype.h /* XXX */ extern char *localhost (); #define _PATH_LOGIN /bin/login +#define LOGIN login: /* login prompt */ + +/* Some shorthands for control characters. */ + +#define CTL(x) (x ^ 0100) /* Assumes ASCII dialect */ +#define CR CTL('M')/* carriage return */ +#define NL CTL('J')/* line feed */ +#define BS CTL('H')/* back space */ +#define DEL CTL('?')/* delete */ /* Parse the terminal speed. */ static void 
@@ -77,6 +90,89 @@ write (fd, s, cc); } +char * +get_login_name(int fd) +{ + size_t max_pw_size; + char *result; + char *ptr; + char c; + char done; + char *prompt; + int prompt_size; + char *hostname; + + max_pw_size = sysconf (_SC_GETPW_R_SIZE_MAX); + + if (!(result = malloc (max_pw_size + 1))) +{ + syslog (LOG_ERR, Failed to allocate memory for login name); + exit (EXIT_FAILURE); +} + + hostname = localhost (); + prompt_size = asprintf (prompt, %s%s, hostname, LOGIN); + free (hostname); + write (fd, prompt, prompt_size); + free (prompt); + + /* flush pending input */ + sleep (1); + tcflush (fd, TCIFLUSH); + + for (ptr = result, done = 0; !done; /* void */) +{ + if (read (fd, c, 1) 1) +{ + if (errno == EINTR || errno == EIO) +exit (EXIT_FAILURE); +} + + switch (c) +{ +case CR: +case NL: + *ptr = 0; /* terminate logname */ + done = 1; + break; +case BS: +case DEL: +case '#': + if (ptr result) +{ + write (fd, \b, 1); + ptr--; +} + break; +case CTL('U'): +case '@': + while (ptr result) +{ + write (fd, \b, 1); + ptr--; +} + break; +case CTL('D'): + exit (EXIT_SUCCESS); +default: + if (!isascii (c) || !isprint (c)) +{ + /* ignore garbage characters */ +} + else if (ptr - result max_pw_size) +{ + /* input overrun, dropping character */ +} + else +{ + *ptr++ = c; /* and store it */ +} + break; +} +} + return result; +} + int main (int argc, char **argv) { @@ -84,6 +180,7 @@ int tty; struct ttyent *tt; char *arg; + char *login_name; openlog (getty, LOG_ODELAY|LOG_CONS|LOG_PID, LOG_AUTH); @@ -121,6 +218,7 @@ set_speed (tty, linespec); print_banner (tty, ttyname); + login_name = get_login_name(tty); if (login_tty (tty) == -1) syslog (LOG_ERR, cannot set controlling terminal to %s: %m, ttyname); 
@@ -129,10 +227,12 @@ if (tt strcmp (tt-ty_type, dialup) == 0) /* Dialup lines time out (which is login's default). */ -execl (_PATH_LOGIN, login, -e, arg, NULL); +execl (_PATH_LOGIN, login, --paranoid, -e, arg, + login_name, NULL); else /* Hardwired lines don't. */ -execl (_PATH_LOGIN, login, -e, arg, -aNOAUTH_TIMEOUT, NULL); +execl (_PATH_LOGIN, login, --paranoid, -e, arg, + -aNOAUTH_TIMEOUT, login_name, NULL); syslog (LOG_ERR, %s: %m, _PATH_LOGIN);
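Review bot: the @@ -4,6 +4,9 @@ header hunk says parts of get_logname come from util-linux/getty.c but records neither which util-linux version was copied from nor the license those lines carry; since the file is distributed under the Hurd's terms, the comment should name both so the provenance of the copied code can be verified.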
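Review bot: in the @@ -77,6 +90,89 @@ hunk, get_login_name sizes its buffer from sysconf (_SC_GETPW_R_SIZE_MAX), which is the scratch-buffer size for the getpw*_r functions rather than a login-name limit and may return -1; stored in a size_t that becomes SIZE_MAX, so malloc (max_pw_size + 1) asks for 0 bytes and the overrun check can never fire. A fixed bound such as LOGIN_NAME_MAX (or sysconf (_SC_LOGIN_NAME_MAX) with the -1 case handled) is what is wanted here. The read loop has a related gap: only EINTR and EIO lead to exit, so a read that returns 0 (EOF, errno untouched) or fails with any other errno falls through to the switch with the previous value of c and loops forever; handle the 0 and other-error cases explicitly, and retry on EINTR rather than exiting. The return values of asprintf and write are also unchecked, and nothing in the patch shows the line being switched to non-canonical, no-echo mode, which the hand-written BS/DEL/^U handling assumes; worth confirming that set_speed or earlier code does this, since in canonical mode each erase would be applied twice.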
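Review bot: in the @@ -129,10 +227,12 @@ hunk, login_name can be the empty string, because CR/NL in get_login_name terminates the name regardless of how many characters were typed, and the call site hands that "" to login as the user name instead of prompting again; the reader should loop until a non-empty name is entered. Passing --paranoid is the right choice for the stated goal of not revealing whether the entered name exists.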
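As an added example (not code from the patch or from the Hurd), this is a version of the login-name reader with the bounds, EOF and empty-line handling a reviewer would ask for; it assumes a fixed NAME_MAX_LEN bound in place of the sysconf call, and the pipe-based helper exists only so constructed input can be fed through it offline.

```c
#include <ctype.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#define CTL(x) ((x) ^ 0100)   /* same control-character shorthand as the patch */
#define NAME_MAX_LEN 32       /* assumed fixed bound in place of sysconf (_SC_GETPW_R_SIZE_MAX) */
/* Read one login name from fd using the patch's editing keys.  Returns 0 with a non-empty,
   NUL-terminated name in buf, or -1 on EOF, read error or ^D; never spins on a stale byte. */
int read_login_name(int fd, char *buf, size_t bufsz)
{
    size_t len = 0;
    for (;;) {
        unsigned char c;
        ssize_t n = read(fd, &c, 1);
        if (n < 0) {
            if (errno == EINTR) continue;     /* interrupted: retry instead of exiting */
            return -1;                        /* any other error ends the attempt */
        }
        if (n == 0) return -1;                /* EOF: the line went away */
        switch (c) {
        case CTL('M'): case CTL('J'):         /* CR / NL terminate the name */
            if (len == 0) continue;           /* empty line: keep reading rather than pass "" on */
            buf[len] = '\0';
            return 0;
        case CTL('H'): case CTL('?'): case '#':   /* erase one character */
            if (len > 0) len--;
            break;
        case CTL('U'): case '@':              /* kill the whole line */
            len = 0;
            break;
        case CTL('D'):                        /* end of input */
            return -1;
        default:
            if (c >= 0x80 || !isprint(c)) break;         /* drop non-ASCII and control bytes */
            if (len + 1 < bufsz) buf[len++] = (char)c;   /* bounded store: overrun is dropped */
            break;
        }
    }
}
/* Check helper: feed a constructed byte sequence through a pipe and return the parsed
   name; "" signals a rejected input, since a real name is never empty. */
const char *name_from_bytes(const char *bytes, size_t bufsz)
{
    static char buf[NAME_MAX_LEN];
    int p[2]; if (pipe(p) < 0) return "";
    if (write(p[1], bytes, strlen(bytes)) < 0) { close(p[0]); close(p[1]); return ""; }
    close(p[1]); int rc = read_login_name(p[0], buf, bufsz < sizeof buf ? bufsz : sizeof buf);
    close(p[0]); return rc == 0 ? buf : "";
}
```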
Bug#556522: hurd - using the login shell is insecure
Justus Winter, on Mon 10 Jan 2011 00:36:07 +0100, wrote:
> I incorporated some code from util-linux's getty to make Hurd's getty ask for a login name and pass that name to login. This way the login shell is no longer needed. I also turned on login's --paranoid flag to prevent it leaking whether a user exists or not.

Err, did you see my previous reply? It's all already implemented:

“Note: to do so we simply need to create a login account with default shell set to /bin/loginpr and home set to /etc/login.”

Samuel
Bug#556522: hurd - using the login shell is insecure
Hi,

On Mon, Nov 16, 2009 at 03:27:45PM +0100, Bastian Blank wrote:
> Hurd uses a login shell by default on the ttys. This is a security problem as it allows access with other permissions to all resources.

This is not exactly true: actually the access of the login shell is controlled by the unknown permissions -- a special fourth set of file permission bits. It's probably true though that this is identical to the other permissions on a default Debian install...

-antrik-
Bug#556522: hurd - using the login shell is insecure
Bastian Blank, on Mon 16 Nov 2009 15:27:45 +0100, wrote:
> Hurd uses a login shell by default on the ttys. This is a security problem as it allows access with other permissions to all resources.

Note: to do so we simply need to create a login account with default shell set to /bin/loginpr and home set to /etc/login.

Samuel
Bug#556522: hurd - using the login shell is insecure
Package: hurd
Version: 20090404-2
Severity: important
Tags: security

Hurd uses a login shell by default on the ttys. This is a security problem as it allows access with other permissions to all resources.

Bastian

--
You're too beautiful to ignore. Too much woman.
-- Kirk to Yeoman Rand, The Enemy Within, stardate unknown