Subject: Re: Addition to force open to open only regular files
To: None <woods@weird.com>
From: John Darrow <John.P.Darrow@wheaton.edu>
List: tech-kern
Date: 11/20/2000 16:52:10
Greg A. Woods <woods@weird.com> wrote:
>[ On Monday, November 20, 2000 at 12:14:38 (-0800), Greywolf wrote: ]
>> Subject: Re: Addition to force open to open only regular files
>>
>> Excuse me. He *did* show you ACCESS.
>
>Well excuse me too, but ACCESS in this context means reading and/or
>writing of the *contents* of a file -- i.e. the protected data itself,
>not its *attributes*. Yes, I know it's touchy to use security-style
>terms when speaking in a Unix filesystem context, but....
Greg, you completely missed it. He *did* show you ACCESS, the /etc/passwd
file was _READ_, and _that_ is what updated its 'last update' timestamp.
But since you didn't understand that, here's a clearer example:
[6] jdarrow@jdarrowpiii:ttyp2:~:$ TZ=/etc/passwd ktrace date
Mon Nov 20 22:41:51 GMT 2000
[7] jdarrow@jdarrowpiii:ttyp2:~:$ kdump ktrace.out
26634 ktrace EMUL "netbsd"
26634 ktrace RET ktrace 0
26634 ktrace CALL execve(0xbfbfd008,0xbfbfd494,0xbfbfd49c)
26634 ktrace NAMI "/xtra/jdarrow/bin/date"
26634 ktrace RET execve -1 errno 2 No such file or directory
26634 ktrace CALL execve(0xbfbfd008,0xbfbfd494,0xbfbfd49c)
26634 ktrace NAMI "/xtra/jdarrow/bin/i386/date"
26634 ktrace RET execve -1 errno 2 No such file or directory
26634 ktrace CALL execve(0xbfbfd008,0xbfbfd494,0xbfbfd49c)
26634 ktrace NAMI "/sbin/date"
26634 ktrace RET execve -1 errno 2 No such file or directory
26634 ktrace CALL execve(0xbfbfd008,0xbfbfd494,0xbfbfd49c)
26634 ktrace NAMI "/usr/sbin/date"
26634 ktrace RET execve -1 errno 2 No such file or directory
26634 ktrace CALL execve(0xbfbfd008,0xbfbfd494,0xbfbfd49c)
26634 ktrace NAMI "/usr/local/sbin/date"
26634 ktrace RET execve -1 errno 2 No such file or directory
26634 ktrace CALL execve(0xbfbfd008,0xbfbfd494,0xbfbfd49c)
26634 ktrace NAMI "/usr/pkg/sbin/date"
26634 ktrace RET execve -1 errno 2 No such file or directory
26634 ktrace CALL execve(0xbfbfd008,0xbfbfd494,0xbfbfd49c)
26634 ktrace NAMI "/bin/date"
26634 date EMUL "netbsd"
26634 date RET execve JUSTRETURN
26634 date CALL issetugid
26634 date RET issetugid 0
26634 date CALL gettimeofday(0xbfbfd030,0)
26634 date RET gettimeofday 0
26634 date CALL __sysctl(0xbfbfcf94,0x2,0xbfbfcf8c,0xbfbfcf90,0,0)
26634 date RET __sysctl 0
26634 date CALL readlink(0x8057494,0xbfbfcfc8,0x3f)
26634 date NAMI "/etc/malloc.conf"
26634 date RET readlink -1 errno 2 No such file or directory
26634 date CALL mmap(0,0x1000,0x3,0x1002,0xffffffff,0,0,0)
26634 date RET mmap 1208320000/0x48058000
26634 date CALL break(0x805a3e4)
26634 date RET break 0
26634 date CALL break(0x805a3e4)
26634 date RET break 0
26634 date CALL break(0x805c000)
26634 date RET break 0
26634 date CALL break(0x805c000)
26634 date RET break 0
26634 date CALL break(0x805e000)
26634 date RET break 0
26634 date CALL access(0xbfbfde13,0x4)
26634 date NAMI "/etc/passwd"
26634 date RET access 0
26634 date CALL open(0xbfbfde13,0,0xbfbfde13)
26634 date NAMI "/etc/passwd"
26634 date RET open 3
26634 date CALL read(0x3,0xbfbfad08,0x1f08)
26634 date GIO fd 3 read 981 bytes
"root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:/bin/sh
daemon:*:1:31:The devil himself:/:/sbin/nologin
operator:*:2:5:System &:/usr/guest/operator:/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
news:*:6:8:Network News:/var/spool/news:/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/sbin/nologin
postfix:*:12:12:Postfix pseudo-user:/var/spool/postfix:/sbin/nologin
uucp:*:66:1:UNIX-to-UNIX Copy:/var/spool/uucppublic:/usr/libexec/uucp/\
uucico
jdarrow:*:248:0:John Darrow:/xtra/jdarrow:/usr/pkg/bin/bash
jdarrowd:*:248:0:John Darrow:/facstaff/staff/jdarrow:/usr/pkg/bin/bash
jdarrowh:*:248:0:John Darrow:/home/jdarrow:/usr/pkg/bin/bash
jdarrowr:*:248:0:John Darrow:/:/usr/pkg/bin/bash
jdarrowx:*:248:0:John Darrow:/xtra/jdarrow:/usr/pkg/bin/bash
ingres:*:267:74:& Group:/usr/ingres:/sbin/nologin
falken:*:32766:31:Prof. Stephen &:/usr/games:/usr/games/wargames
nobody:*:32767:39:Unprivileged user:/nonexistent:/sbin/nologin
"
26634 date RET read 981/0x3d5
26634 date CALL close(0x3)
26634 date RET close 0
26634 date CALL open(0xbfbfcc00,0,0x805c000)
26634 date NAMI "/usr/share/zoneinfo/GMT"
26634 date RET open 3
26634 date CALL read(0x3,0xbfbfacf8,0x1f08)
26634 date GIO fd 3 read 56 bytes
"TZif\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\^A\0\0\0\^A\0\0\0\0\0\0\0\0\
\0\0\0\^A\0\0\0\^D\0\0\0\0\0\0GMT\0\0\0"
26634 date RET read 56/0x38
26634 date CALL close(0x3)
26634 date RET close 0
26634 date CALL __fstat13(0x1,0xbfbfcd5c)
26634 date RET __fstat13 0
26634 date CALL break(0x805e000)
26634 date RET break 0
26634 date CALL break(0x806e000)
26634 date RET break 0
26634 date CALL ioctl(0x1,TIOCGETA,0xbfbfcd98)
26634 date RET ioctl 0
26634 date CALL write(0x1,0x805e000,0x1d)
26634 date GIO fd 1 wrote 29 bytes
"Mon Nov 20 22:41:51 GMT 2000
"
26634 date RET write 29/0x1d
26634 date CALL exit(0)
Notice that lovely little block there in the middle where it _completely
reads_ /etc/passwd? Now imagine I had put one of these do-something-on-open
tape devices (or whatever else we were discussing) into TZ instead of
/etc/passwd, and then run a setuid program which does access the date
anywhere in its code (thus causing TZ to be read...)
>Furthermore, as we all know, the timestamp attributes of a file can be
>(and except for some applications like CVS, always are) safely examined
>and compared *without* the use of $TZ.
>Note also that CVS in particular explicitly does not support being
>executed as a set-ID program *and* it even rejects being run as root.
That's funny... I run CVS as root all the time...
>> # Sure if some idiot writes a shell script that tries to interpret the
>> # timestamps as modified by TZ then they'll get in trouble. But that
>> # would be a really idiotic thing to do now, wouldn't it.
>>
>> If they had something that could read a protected file via TZ,
>> that might not be so idiotic.
>
>About the only way $TZ could be used to read a protected file would be
>if there's either a bug in the timezone libraries, or if there's a way
>that either /etc/localtime or the directories and files it should point
>to can be compromised.
>(Unlike $HOSTALIASES which explicitly allows the user to specify any
>filename to be opened and read as a list of host aliases, and then
>closed thus making it trivial to compromise the contents of a tape by
>causing a spurious rewind at the wrong time and also potentially making
>it possible to reveal the contents of any file accessible by the
>effective-ID of a set-ID program.)
Um... see above... TZ is treated as a filename, just like HOSTALIASES...
now try deprecating TZ and see how many people scream...
jdarrow
--
John Darrow - Senior Technical Specialist Office: 630/752-5201
Computing Services, Wheaton College, Wheaton, IL 60187 Fax: 630/752-5968
Alphapage: 6303160707@alphapage.airtouch.com Pager: 630/316-0707
Email: John.P.Darrow@wheaton.edu
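Added example, not part of this thread and not NetBSD's libc or tzcode: the ktrace above shows TZ being used as a file name, so the two defensive checks a set-ID program (or a library it links) would want are a policy check on the TZ value before it becomes a path, and an open() that only hands back regular files. The code below assumes a portable stand-in for issetugid() (real/effective ID comparison, which is weaker than the NetBSD call), treats a leading ':' the way tzcode does (the rest is a path), and uses a constructed scratch file under /tmp for its self-check.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* mkstemp() and fcntl() flags under strict compilers */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Portable stand-in for NetBSD's issetugid(): true when the process runs
 * with an effective ID that differs from its real one.  The real call also
 * remembers a set-ID exec after a later setuid(); this approximation does not. */
int process_is_setugid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Policy check on a TZ value before it is ever turned into a path.  In a
 * set-ID process only plain zone names that stay inside the zoneinfo
 * directory are accepted: no absolute path, no ".." component.  A leading
 * ':' (POSIX "implementation-defined" form, which tzcode treats as "the rest
 * is a file name") is stripped and the remainder checked. */
int tz_name_allowed(const char *tz, int setugid)
{
    if (tz == NULL || *tz == '\0')   /* unset or empty: not a file name */
        return 1;
    if (!setugid)                    /* unprivileged: user can read the file anyway */
        return 1;
    if (*tz == ':')
        tz++;
    if (*tz == '/' || *tz == '\0')
        return 0;
    for (const char *p = tz; *p != '\0'; ) {
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += len;
        if (*p == '/')
            p++;
    }
    return 1;
}

/* Open path read-only and return the descriptor only if the object behind
 * it is a regular file.  O_NONBLOCK keeps open() from hanging on a FIFO;
 * fstat() on the descriptor inspects what was actually opened rather than a
 * name that could change between a stat() and the open().  The object's
 * open routine has already run by then, which is why the name policy above
 * must come first for anything attacker-controlled. */
int open_regular_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    int fl = fcntl(fd, F_GETFL);
    if (fl >= 0)
        fcntl(fd, F_SETFL, fl & ~O_NONBLOCK);  /* back to ordinary blocking reads */
    return fd;
}

/* Self-check: a constructed scratch file opens and reads back through
 * open_regular_file().  Returns 1 on success, 0 otherwise. */
int regular_file_roundtrip(void)
{
    char tmpl[] = "/tmp/tzcheckXXXXXX";   /* constructed scratch file */
    int wfd = mkstemp(tmpl);
    if (wfd < 0)
        return 0;
    int ok = write(wfd, "TZif", 4) == 4;
    close(wfd);
    int fd = ok ? open_regular_file(tmpl) : -1;
    char buf[4];
    ok = fd >= 0 && read(fd, buf, 4) == 4 && memcmp(buf, "TZif", 4) == 0;
    if (fd >= 0)
        close(fd);
    unlink(tmpl);
    return ok;
}

int main(void)
{
    const char *samples[] = { "GMT", "America/Chicago", "/etc/passwd",
                              ":/etc/passwd", "Etc/../../etc/passwd" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("TZ=%-22s in set-ID process: %s\n", samples[i],
               tz_name_allowed(samples[i], 1) ? "allowed" : "refused");
    printf("/dev/null as regular file: %s\n",
           open_regular_file("/dev/null") < 0 ? "refused" : "accepted");
    printf("scratch file round-trip: %s\n",
           regular_file_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

The order of the two checks is the point: fstat() after open() reliably tells you what you got, but by then a device's open routine (the rewind-on-open tape case from the thread) has already fired, so for a name that an unprivileged user controls the policy check has to run before any open() at all.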