9front - general discussion about 9front
* [9front] patch your shit
@ 2024-08-24 19:08 hiro
  2024-08-24 20:15 ` Willow Liquorice
                   ` (2 more replies)
  0 siblings, 3 replies; 12+ messages in thread
From: hiro @ 2024-08-24 19:08 UTC (permalink / raw)
  To: 9front

some people did something that increases security apparently. so patch
your shit.

ref: 07aa9bfeef55ca987d411115adcfbbd4390ecf34
parent: b05c74e7cb160f152e2f2cc2f6e0677763f8d57e
author: Jacob Moody <moody@posixcafe.org>
date: Sat Aug 24 12:58:31 EDT 2024

lib9p: verify uname against returned AuthInfo from factotum (thanks humm)

Before this it was possible to Tauth and Tattach with one
user name and then authenticate with factotum using a different
user name. To fix this we now ensure that the uname matches the returned
cuid from AuthInfo.

This security bug is still pending a cute mascot and theme song.


mein name ist hase. bye.


* Re: [9front] patch your shit
  2024-08-24 19:08 [9front] patch your shit hiro
@ 2024-08-24 20:15 ` Willow Liquorice
  2024-08-24 21:21   ` Jacob Moody
  2024-08-24 22:18 ` Jacob Moody
  2024-08-25  6:56 ` Kristo
  2 siblings, 1 reply; 12+ messages in thread
From: Willow Liquorice @ 2024-08-24 20:15 UTC (permalink / raw)
  To: 9front

e https://9front.org/
/Only three remote holes in the default install, in a heck of a long time!/
s/three/four
w https://9front.org/

	- Willow

On 24/08/2024 20:08, hiro wrote:
> some people did something that increases security apparently. so patch
> your shit.
> 
> ref: 07aa9bfeef55ca987d411115adcfbbd4390ecf34
> parent: b05c74e7cb160f152e2f2cc2f6e0677763f8d57e
> author: Jacob Moody <moody@posixcafe.org>
> date: Sat Aug 24 12:58:31 EDT 2024
> 
> lib9p: verify uname against returned AuthInfo from factotum (thanks humm)
> 
> Before this it was possible to Tauth and Tattach with one
> user name and then authenticate with factotum using a different
> user name. To fix this we now ensure that the uname matches the returned
> cuid from AuthInfo.
> 
> This security bug is still pending a cute mascot and theme song.
> 
> 
> mein name ist hase. bye.


* Re: [9front] patch your shit
  2024-08-24 20:15 ` Willow Liquorice
@ 2024-08-24 21:21   ` Jacob Moody
  2024-08-24 21:25     ` adventures in9
  2024-08-24 21:37     ` sl
  0 siblings, 2 replies; 12+ messages in thread
From: Jacob Moody @ 2024-08-24 21:21 UTC (permalink / raw)
  To: 9front

hjfs is not the default install, our number of holes is fine.

On 8/24/24 15:15, Willow Liquorice wrote:
> e https://9front.org/
> /Only three remote holes in the default install, in a heck of a long time!/
> s/three/four
> w https://9front.org/
> 
> 	- Willow
> 
> On 24/08/2024 20:08, hiro wrote:
>> some people did something that increases security apparently. so patch
>> your shit.
>>
>> ref: 07aa9bfeef55ca987d411115adcfbbd4390ecf34
>> parent: b05c74e7cb160f152e2f2cc2f6e0677763f8d57e
>> author: Jacob Moody <moody@posixcafe.org>
>> date: Sat Aug 24 12:58:31 EDT 2024
>>
>> lib9p: verify uname against returned AuthInfo from factotum (thanks humm)
>>
>> Before this it was possible to Tauth and Tattach with one
>> user name and then authenticate with factotum using a different
>> user name. To fix this we now ensure that the uname matches the returned
>> cuid from AuthInfo.
>>
>> This security bug is still pending a cute mascot and theme song.
>>
>>
>> mein name ist hase. bye.



* Re: [9front] patch your shit
  2024-08-24 21:21   ` Jacob Moody
@ 2024-08-24 21:25     ` adventures in9
  2024-08-24 21:37     ` sl
  1 sibling, 0 replies; 12+ messages in thread
From: adventures in9 @ 2024-08-24 21:25 UTC (permalink / raw)
  To: 9front

hjfs does have the "experimental" warning XD

On Sat, Aug 24, 2024 at 2:23 PM Jacob Moody <moody@posixcafe.org> wrote:
>
> hjfs is not the default install, our number of holes is fine.
>
> On 8/24/24 15:15, Willow Liquorice wrote:
> > e https://9front.org/
> > /Only three remote holes in the default install, in a heck of a long time!/
> > s/three/four
> > w https://9front.org/
> >
> >       - Willow
> >
> > On 24/08/2024 20:08, hiro wrote:
> >> some people did something that increases security apparently. so patch
> >> your shit.
> >>
> >> ref: 07aa9bfeef55ca987d411115adcfbbd4390ecf34
> >> parent: b05c74e7cb160f152e2f2cc2f6e0677763f8d57e
> >> author: Jacob Moody <moody@posixcafe.org>
> >> date: Sat Aug 24 12:58:31 EDT 2024
> >>
> >> lib9p: verify uname against returned AuthInfo from factotum (thanks humm)
> >>
> >> Before this it was possible to Tauth and Tattach with one
> >> user name and then authenticate with factotum using a different
> >> user name. To fix this we now ensure that the uname matches the returned
> >> cuid from AuthInfo.
> >>
> >> This security bug is still pending a cute mascot and theme song.
> >>
> >>
> >> mein name ist hase. bye.
>


* Re: [9front] patch your shit
  2024-08-24 21:21   ` Jacob Moody
  2024-08-24 21:25     ` adventures in9
@ 2024-08-24 21:37     ` sl
  2024-08-24 21:40       ` Willow Liquorice
  1 sibling, 1 reply; 12+ messages in thread
From: sl @ 2024-08-24 21:37 UTC (permalink / raw)
  To: 9front

> hjfs is not the default install, our number of holes is fine.

there is no default file system.

that claim on the website prints a different random number
every time it's loaded.

sl


* Re: [9front] patch your shit
  2024-08-24 21:37     ` sl
@ 2024-08-24 21:40       ` Willow Liquorice
  2024-08-24 21:55         ` Eli Cohen
  0 siblings, 1 reply; 12+ messages in thread
From: Willow Liquorice @ 2024-08-24 21:40 UTC (permalink / raw)
  To: 9front

Shit you're right lol.

inb4 that claim confuses some cybersecurity org with way too much free time.

On 24/08/2024 22:37, sl@stanleylieber.com wrote:
>> hjfs is not the default install, our number of holes is fine.
> 
> there is no default file system.
> 
> that claim on the website prints a different random number
> every time it's loaded.
> 
> sl


* Re: [9front] patch your shit
  2024-08-24 21:40       ` Willow Liquorice
@ 2024-08-24 21:55         ` Eli Cohen
  0 siblings, 0 replies; 12+ messages in thread
From: Eli Cohen @ 2024-08-24 21:55 UTC (permalink / raw)
  To: 9front

The ruler of the South is called Dissatisfaction. The ruler of the
North: Revolution. The ruler at the center of the world is Chaos.
Dissatisfaction and Revolution met from time to time in the territory
of Chaos, and Chaos treated them very hospitably. The two rulers
planned how to repay Chaos’s kindness. They said: ‘Men all have seven
holes to their bodies for seeing, hearing, eating and breathing. Our
friend here has none of these. Let us try to bore some holes in him.’
Each day they bored one hole. On the seventh day Chaos died.

On Sat, Aug 24, 2024 at 2:42 PM Willow Liquorice <willow@howhill.com> wrote:
>
> Shit you're right lol.
>
> inb4 that claim confuses some cybersecurity org with way too much free time.
>
> On 24/08/2024 22:37, sl@stanleylieber.com wrote:
> >> hjfs is not the default install, our number of holes is fine.
> >
> > there is no default file system.
> >
> > that claim on the website prints a different random number
> > every time it's loaded.
> >
> > sl


* Re: [9front] patch your shit
  2024-08-24 19:08 [9front] patch your shit hiro
  2024-08-24 20:15 ` Willow Liquorice
@ 2024-08-24 22:18 ` Jacob Moody
  2024-08-25  0:55   ` Jacob Moody
  2024-08-25  6:56 ` Kristo
  2 siblings, 1 reply; 12+ messages in thread
From: Jacob Moody @ 2024-08-24 22:18 UTC (permalink / raw)
  To: 9front

!WARNING!

As of the time of this writing (Sat Aug 24 22:17:26 GMT 2024) there is an issue
with this patch which causes hjfs to not permit none attaches. This is currently
being worked on and I suspect we'll have a solution within the next couple hours
but those running a hjfs CPU server may want to avoid updating immediately.
I will respond promptly to this thread once this bug has been patched, and I feel
it is safe to update these systems. I will provide a further write up once there is
a fix for the fix added.

- moody

On 8/24/24 14:08, hiro wrote:
> some people did something that increases security apparently. so patch
> your shit.
> 
> ref: 07aa9bfeef55ca987d411115adcfbbd4390ecf34
> parent: b05c74e7cb160f152e2f2cc2f6e0677763f8d57e
> author: Jacob Moody <moody@posixcafe.org>
> date: Sat Aug 24 12:58:31 EDT 2024
> 
> lib9p: verify uname against returned AuthInfo from factotum (thanks humm)
> 
> Before this it was possible to Tauth and Tattach with one
> user name and then authenticate with factotum using a different
> user name. To fix this we now ensure that the uname matches the returned
> cuid from AuthInfo.
> 
> This security bug is still pending a cute mascot and theme song.
> 
> 
> mein name ist hase. bye.



* Re: [9front] patch your shit
  2024-08-24 22:18 ` Jacob Moody
@ 2024-08-25  0:55   ` Jacob Moody
  2024-08-25 10:27     ` rgl
  0 siblings, 1 reply; 12+ messages in thread
From: Jacob Moody @ 2024-08-25  0:55 UTC (permalink / raw)
  To: 9front

As of the time of this writing (Sun Aug 25 00:52:02 GMT 2024) the aforementioned
issue with the first patch has now been fixed thanks to cinap.
I can now suggest (and recommend) that individuals who are running hjfs systems update.
The update process is a bit more involved because the hjfs binary used for the root
file system on file servers is started from the paqfs.

This makes the full update process to be:
1. Update lib9p
2. Update hjfs
3. Update and install a new kernel for your system.

For an amd64 system this will look something like:
; cd /sys/src/lib9p && mk install
; cd /sys/src/cmd/hjfs && mk install
; cd /sys/src/9/pc64 && mk install
;
; # stash the known working kernel in case something goes awry...
; 9fs 9fat && cp /n/9/pc64 /n/9/pc64.bak
; cp /amd64/9pc64 /n/9/ && unmount /n/9 && unmount /n/9fat
; fshalt -r # reboot in to the new kernel

Now with the patches and update instructions out of the way,
I would like to talk more about the bug.

DESCRIPTION:

As the original commit message details, this is an issue where
lib9p did not verify that the user who was issuing the Tauth and
Rauth requests matched the one doing the authentication.
This effectively allows any user within the configured auth domain
to impersonate another user with some well placed 9p messages.

This could be abused in the following scenario:

* Alice is running a 9front hjfs file server and auth server combination, which allows 9p mounts over tcp/tls.
* Alice's hostowner for her server is 'alice'.
* Alice has previously created a user for Eve, who has limited access within the server.
* Eve creates a local install with a local user named 'alice'.
* While logged in to her local alice user, Eve fills her factotum with her valid 'eve' user for Alice's auth server.
* Eve, as her local 'alice' user, mounts Alice's hjfs server.
* Due to this bug, Eve has now mounted Alice's hjfs as Alice's hostowner.

IMPACT:

This code was solely employed by hjfs and thus affects only hjfs.

- moody

On 8/24/24 17:18, Jacob Moody wrote:
> !WARNING!
> 
> As of the time of this writing (Sat Aug 24 22:17:26 GMT 2024) there is an issue
> with this patch which causes hjfs to not permit none attaches. This is currently
> being worked on and I suspect we'll have a solution within the next couple hours
> but those running a hjfs CPU server may want to avoid updating immediately.
> I will respond promptly to this thread once this bug has been patched, and I feel
> it is safe to update these systems. I will provide a further write up once there is
> a fix for the fix added.
> 
> - moody
> 
> On 8/24/24 14:08, hiro wrote:
>> some people did something that increases security apparently. so patch
>> your shit.
>>
>> ref: 07aa9bfeef55ca987d411115adcfbbd4390ecf34
>> parent: b05c74e7cb160f152e2f2cc2f6e0677763f8d57e
>> author: Jacob Moody <moody@posixcafe.org>
>> date: Sat Aug 24 12:58:31 EDT 2024
>>
>> lib9p: verify uname against returned AuthInfo from factotum (thanks humm)
>>
>> Before this it was possible to Tauth and Tattach with one
>> user name and then authenticate with factotum using a different
>> user name. To fix this we now ensure that the uname matches the returned
>> cuid from AuthInfo.
>>
>> This security bug is still pending a cute mascot and theme song.
>>
>>
>> mein name ist hase. bye.
> 


^ permalink raw reply	[flat|nested] 12+ messages in thread
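
The missing check described in the message above, as an added example that is not part of the original post and is not lib9p's source. It is a simplified portable-C model: the `Afid` struct, the function names and the error codes are hypothetical, and the pre-fix comparison of the Tauth and Tattach names is an assumption of the model.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (not lib9p source): what a server remembers for one afid. */
typedef struct {
	const char *uname; /* user name claimed in Tauth */
	const char *cuid;  /* identity proven to factotum (AuthInfo); NULL until auth completes */
} Afid;

enum { ATTACH_OK = 0, ERR_NOAUTH, ERR_AFIDMISMATCH, ERR_UNAMEMISMATCH };

/* Pre-fix behaviour as the thread describes it: the auth conversation only
 * has to succeed; who it succeeded for is never compared with uname. */
int attach_prefix(const Afid *a, const char *tattach_uname)
{
	if(a == NULL || a->cuid == NULL)
		return ERR_NOAUTH;
	if(strcmp(a->uname, tattach_uname) != 0) /* assumed: afid must belong to same uname */
		return ERR_AFIDMISMATCH;
	return ATTACH_OK;
}

/* Post-fix behaviour: additionally require uname to equal the AuthInfo cuid. */
int attach_fixed(const Afid *a, const char *tattach_uname)
{
	int r = attach_prefix(a, tattach_uname);
	if(r != ATTACH_OK)
		return r;
	if(strcmp(tattach_uname, a->cuid) != 0)
		return ERR_UNAMEMISMATCH;
	return ATTACH_OK;
}

/* Constructed sessions: the client only holds valid keys for 'eve'. */
static const Afid spoof   = { "alice", "eve" }; /* Tauth says alice, factotum proves eve */
static const Afid honest  = { "eve", "eve" };
static const Afid pending = { "eve", NULL };    /* auth conversation never finished */

int main(void)
{
	printf("pre-fix spoofed attach: %d\n", attach_prefix(&spoof, "alice"));
	printf("fixed   spoofed attach: %d\n", attach_fixed(&spoof, "alice"));
	printf("fixed   honest attach:  %d\n", attach_fixed(&honest, "eve"));
	printf("fixed   pending attach: %d\n", attach_fixed(&pending, "eve"));
	return 0;
}
```

A return of 0 means the attach is accepted; the spoofed session is accepted by the pre-fix check and rejected by the fixed one.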

* Re: [9front] patch your shit
  2024-08-24 19:08 [9front] patch your shit hiro
  2024-08-24 20:15 ` Willow Liquorice
  2024-08-24 22:18 ` Jacob Moody
@ 2024-08-25  6:56 ` Kristo
  2024-08-26 14:32   ` hiro
  2 siblings, 1 reply; 12+ messages in thread
From: Kristo @ 2024-08-25  6:56 UTC (permalink / raw)
  To: 9front

On August 24, 2024 7:08:42 PM UTC, hiro <23hiro@gmail.com> wrote:
>This security bug is still pending a cute mascot and theme song.

Don't forget the CVE identifier.


* Re: [9front] patch your shit
  2024-08-25  0:55   ` Jacob Moody
@ 2024-08-25 10:27     ` rgl
  0 siblings, 0 replies; 12+ messages in thread
From: rgl @ 2024-08-25 10:27 UTC (permalink / raw)
  To: 9front

thanks for the detailed explanation moody!

fixing this right now…


-rodri


* Re: [9front] patch your shit
  2024-08-25  6:56 ` Kristo
@ 2024-08-26 14:32   ` hiro
  0 siblings, 0 replies; 12+ messages in thread
From: hiro @ 2024-08-26 14:32 UTC (permalink / raw)
  To: 9front

that's misquoted. it's not my words, but out of a copy&pasted commit
message from moody.
sorry for my original error of including a better EOF marker (i used a
double-linebreak but clearly that wasn't clear enough).

On Sun, Aug 25, 2024 at 8:57 AM Kristo <kristo.ilmari@gmail.com> wrote:
>
> On August 24, 2024 7:08:42 PM UTC, hiro <23hiro@gmail.com> wrote:
> >This security bug is still pending a cute mascot and theme song.
>
> Don't forget the CVE identifier.
