From: Rich Felker <dalias@aerifal.cx>
To: musl@lists.openwall.com
Subject: Re: crypt* files in crypt directory
Date: Thu, 9 Aug 2012 01:48:04 -0400 [thread overview]
Message-ID: <20120809054804.GO27715@brightrain.aerifal.cx> (raw)
In-Reply-To: <20120809040432.GA24985@openwall.com>
On Thu, Aug 09, 2012 at 08:04:32AM +0400, Solar Designer wrote:
> On Wed, Aug 08, 2012 at 11:25:27PM -0400, Rich Felker wrote:
> > On Thu, Aug 09, 2012 at 05:51:04AM +0400, Solar Designer wrote:
> > > On Wed, Aug 08, 2012 at 09:06:23AM -0400, Rich Felker wrote:
> > > > Actually this brings up a HUGE DoS vuln in blowfish crypt: with tcb
> > > > passwords, a malicious user can put a password with count=31 (it's
> > > > logarithmic, so this means 2^31) in their tcb shadow file.
> > >
> > > Yes, but only after having compromised group shadow. If a user does
> > > compromise group shadow, I'd appreciate learning of that - even if via
> > > being DoS'ed. ;-)
>
> I think I need to clarify that the above is my own preference and some
> sysadmin's preference might be different. This is a reason why we deal
> with whatever DoS attacks may be easily dealt with anyway - those with
> non-regular files.
>
> For DoS via high iteration count, I see no good solution other than to
> accept this as a possibility for when group shadow is compromised.
Well it's also a possibility if you're using crypt to validate
passwords where both the hash and password are provided by a third
party. I think that's a major problem. I generally frown upon
interfaces where the run time is non-obviously superlinear in the
input size.
I don't see any down-size to limiting the iteration count if the limit
is reasonable. For instance if the limit were such that higher counts
would take more than 1 second on a theoretical 50 GHz variant of a
modern cpu (which is faster than a single core will EVER be able to
get), there's no way they would be practical to use, and there's no
sense in supporting them except to satisfy a fetish for "no arbitrary
limits" even when it conflicts with security and robustness. This
would at least ensure the function can't get stuck running for
hours/days/weeks at a time.
The hard part is putting the limit at some point a good bit lower.
> > OK, so your intent is to require sgid-shadow utilities to update
> > passwords?
>
> Yes.
>
> /usr/bin/passwd and (if enabled) /usr/bin/chage on Owl are SGID shadow.
If reading your own password hash also requires sgid-shadow, then
screen is sgid-shadow. Which means any user can easily get full shadow
group perms (since screen is full of vulns if it's running suid/sgid)
and thus you might as well not have had the group protection to begin
with. Same applies to things like xlock.
> That's our preference (for Owl) too. I think you misunderstood our use
> of group shadow. It does not "cause other users' accounts to be
> compromised" if it is compromised.
Indeed, I did misunderstand. Your way is not as bad as it could be,
but I'm still not very comfortable with the security implications of
it..
> > There's no reason applications should not be able to assume they can
> > safely call crypt where both the hash/salt/setting and key were
> > provided by an untrusted party.
>
> There is such a reason for almost two decades now - since BSDi's
> introduction of iteration counts in "setting" strings in 1993 or so.
> That's the reality by now, and I think we should not be trying to change
> it in musl.
Thanks for bringing this up. I think the same limiting logic is
required there. And if there's going to be a way to configurably
override the limit, it should be mostly/entirely shareable.
> As to untrusted keys (passwords/phrases), I agree with you. Those kinds
> of issues should be avoided. glibc's uses of alloca() in SHA-crypt were
> recently patched for that reason.
Good analogy. And I think this one likewise needs to be addressed and
fixed.
Rich
next prev parent reply other threads:[~2012-08-09 5:48 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-21 15:23 Łukasz Sowa
2012-07-21 17:11 ` Solar Designer
2012-07-21 20:17 ` Rich Felker
2012-07-22 16:23 ` Łukasz Sowa
2012-07-25 7:57 ` Rich Felker
2012-08-08 2:24 ` Rich Felker
2012-08-08 4:42 ` Solar Designer
2012-08-08 5:28 ` Rich Felker
2012-08-08 6:27 ` Solar Designer
2012-08-08 7:03 ` Daniel Cegiełka
2012-08-08 7:24 ` Solar Designer
2012-08-08 7:42 ` Daniel Cegiełka
2012-08-08 21:48 ` Rich Felker
2012-08-08 23:08 ` Isaac Dunham
2012-08-08 23:24 ` John Spencer
2012-08-09 1:03 ` Isaac Dunham
2012-08-09 3:16 ` Rich Felker
2012-08-09 3:36 ` Solar Designer
2012-08-09 7:13 ` orc
2012-08-09 7:28 ` Rich Felker
2012-08-09 7:29 ` Solar Designer
2012-08-09 10:53 ` Solar Designer
2012-08-09 11:58 ` Szabolcs Nagy
2012-08-09 16:43 ` Solar Designer
2012-08-09 17:30 ` Szabolcs Nagy
2012-08-09 18:22 ` Rich Felker
2012-08-09 23:21 ` Rich Felker
2012-08-10 17:04 ` Solar Designer
2012-08-10 18:06 ` Rich Felker
2012-08-09 21:46 ` crypt_blowfish integration, optimization Rich Felker
2012-08-09 22:21 ` Solar Designer
2012-08-09 22:32 ` Rich Felker
2012-08-10 17:18 ` Solar Designer
2012-08-10 18:08 ` Rich Felker
2012-08-10 22:52 ` Solar Designer
2012-08-08 7:52 ` crypt* files in crypt directory Szabolcs Nagy
2012-08-08 13:06 ` Rich Felker
2012-08-08 14:30 ` orc
2012-08-08 14:53 ` Szabolcs Nagy
2012-08-08 15:05 ` orc
2012-08-08 18:10 ` Rich Felker
2012-08-09 1:51 ` Solar Designer
2012-08-09 3:25 ` Rich Felker
2012-08-09 4:04 ` Solar Designer
2012-08-09 5:48 ` Rich Felker [this message]
2012-08-09 15:52 ` Solar Designer
2012-08-09 17:59 ` Rich Felker
2012-08-09 21:17 ` Rich Felker
2012-08-09 21:44 ` Solar Designer
2012-08-09 22:08 ` Rich Felker
2012-08-09 23:33 ` Rich Felker
2012-08-09 6:03 ` Rich Felker
-- strict thread matches above, loose matches on Subject: below --
2012-07-17 9:40 Daniel Cegiełka
2012-07-17 17:51 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120809054804.GO27715@brightrain.aerifal.cx \
--to=dalias@aerifal.cx \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).