From: Rich Felker
Newsgroups: gmane.linux.lib.musl.general
To: musl@lists.openwall.com
Subject: Re: crypt* files in crypt directory
Date: Thu, 9 Aug 2012 13:59:28 -0400
Message-ID: <20120809175928.GR27715@brightrain.aerifal.cx>
In-Reply-To: <20120809155254.GA28303@openwall.com>

On Thu, Aug 09, 2012 at 07:52:55PM +0400, Solar Designer wrote:
> > > /usr/bin/passwd and (if enabled) /usr/bin/chage on Owl are SGID shadow.
> >
> > If reading your own password hash also requires sgid-shadow, then
> > screen is sgid-shadow. Which means any user can easily get full shadow
> > group perms (since screen is full of vulns if it's running suid/sgid)
> > and thus you might as well not have had the group protection to begin
> > with. Same applies to things like xlock.
>
> No, screen is SGID screen, and group screen provides access to the
> tcb_chkpwd and utempter helpers, which are SGID shadow and utmp,
> respectively.

OK, so basically if you have screen installed, any user has permission
to run tcb_chkpwd any way they like (because essentially every user now
belongs to group screen).

> xlock, if installed, may be made SGID chkpwd (a group provided on Owl by
> default for that possible use), which provides access to tcb_chkpwd
> only. This is what doc/REDHAT (advice on using Red Hat's packages on
> Owl) suggests. Being a server distro, we don't provide X ourselves.

This sounds fairly reasonable, but given the history of vulns in xlock,
it probably means all users now belong to group chkpwd.

> Even if group screen or chkpwd is compromised, this only allows for
> direct attacks on tcb_chkpwd - and it's a rather small program (5 KB
> binary). This does not allow for group shadow access without having
> found and exploited a vulnerability in tcb_chkpwd first.
>
> Obviously, certain vulnerabilities in the dynamic linker, libc, or/and
> the kernel would allow to compromise any SGID program's target group.
> That would be nasty, but not fatal - e.g., DoS attacks like what we're
> discussing would be possible.

Have you considered changing tcb_chkpwd to communicate with a daemon
over a unix socket rather than being sgid? That reduces the number of
input channels an attacker has from N (which grows with time since Linux
keeps adding more and more ridiculous amounts of state processes can
inherit) to 1 (the socket). I think the change could be made
transparently to programs which use it.

Rich
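The daemon-over-a-socket design proposed at the end of the message, sketched as an added C example (this is not code from the thread, from tcb_chkpwd or from Owl): the checker takes its single input from a unix socket and learns who is asking from SO_PEERCRED, the kernel-supplied peer credentials (Linux-specific), instead of from anything the client writes into the message. The wire format, reply codes, account table and passwords are constructed for the example; a real daemon would sit behind a listening socket in its own process and read the protected database.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Constructed wire format (not tcb_chkpwd's real interface). The client names
 * an account and offers a password; it does NOT get to claim its own identity,
 * which the daemon takes from the kernel via SO_PEERCRED. */
struct chk_req { char user[32]; char pass[64]; };

/* Reply codes, constructed for this example. */
enum { CHK_OK = 0, CHK_DENIED = 1, CHK_BADPASS = 2, CHK_ERR = 3 };

/* Stand-in for the protected password database (constructed sample data). */
struct account { const char *name; uid_t uid; const char *pass; };

static const struct account *lookup(const struct account *db, size_t n,
                                    const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(db[i].name, name) == 0) return &db[i];
    return NULL;
}

/* Constant-time comparison: the reply timing must not reveal how many
 * leading bytes of the guess were right. */
static int ct_equal(const char *a, const char *b, size_t n)
{
    unsigned char d = 0;
    for (size_t i = 0; i < n; i++) d |= (unsigned char)(a[i] ^ b[i]);
    return d == 0;
}

/* Daemon side. The socket is the only input channel; the caller's uid comes
 * from the kernel, so the policy "you may verify only your own password"
 * cannot be bypassed by lying in the request. */
static int handle_request(int fd, const struct account *db, size_t n)
{
    struct ucred cr;
    socklen_t len = sizeof cr;
    struct chk_req r;

    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0) return CHK_ERR;
    if (recv(fd, &r, sizeof r, MSG_WAITALL) != (ssize_t)sizeof r) return CHK_ERR;
    r.user[sizeof r.user - 1] = '\0';   /* never trust the client to terminate */
    r.pass[sizeof r.pass - 1] = '\0';

    const struct account *a = lookup(db, n, r.user);
    if (!a || a->uid != cr.uid) return CHK_DENIED;   /* not the caller's account */

    char stored[sizeof r.pass] = {0};               /* pad to equal length */
    strncpy(stored, a->pass, sizeof stored - 1);
    return ct_equal(r.pass, stored, sizeof stored) ? CHK_OK : CHK_BADPASS;
}

/* Client side: one fixed-size request, nothing else crosses the boundary. */
static int check_password(int fd, const char *user, const char *pass)
{
    struct chk_req r;
    memset(&r, 0, sizeof r);
    strncpy(r.user, user, sizeof r.user - 1);
    strncpy(r.pass, pass, sizeof r.pass - 1);
    return send(fd, &r, sizeof r, 0) == (ssize_t)sizeof r ? 0 : -1;
}

/* Run one exchange in-process over a socketpair and return the verdict.
 * "self" is the calling user; "other" belongs to a different uid. */
static int demo(const char *who, const char *pass)
{
    const struct account db[] = {           /* constructed database */
        { "self",  getuid(),     "correct horse"  },
        { "other", getuid() + 1, "battery staple" },
    };
    int sv[2], rc = CHK_ERR;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return CHK_ERR;
    if (check_password(sv[0], who, pass) == 0)
        rc = handle_request(sv[1], db, sizeof db / sizeof db[0]);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    printf("own account, right password: %d\n", demo("self", "correct horse"));
    printf("own account, wrong password: %d\n", demo("self", "nope"));
    printf("someone else's account:      %d\n", demo("other", "battery staple"));
    return 0;
}
```

The point of the structure is the one made in the message: everything the daemon consumes arrives through recv() on one descriptor, so environment variables, inherited file descriptors, rlimits and the rest of the state a SGID helper inherits from its caller never reach the privileged code at all.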