Subject: Re: cvs commit: src/lib/libc/db/hash hash_buf.c
To: Justin T. Gibbs <gibbs@freefall.freebsd.org>
From: Karl Denninger <karl@Mcs.Net>
List: tech-userlevel
Date: 10/18/1996 00:42:18
> >Forcing ANYTHING that touches authentication to refuse to dump core is not
> >the answer. Yet that is the only answer that you leave available.
> >
> >Worse, that doesn't even BEGIN to address the problems that come about if
> >you can ptrace() the process -- which, for something like this, is a REAL
> >problem.
> >
> >You MUST be able to *know* that all privileged data has been nuked BEFORE
> >you relinquish privileged operation. This isn't an option folks -- it's a
> >REQUIREMENT for security reasons.
> >
> >Figure it out. ftpd is not the only affected program here; just the most
> >commonly known and exploited.
>
> Did you miss a portion of this thread? I think that Jason already
> addressed all of these issues.
I don't think so. Please enlighten me.
> The program can core dump, the core dump will simply only be readable
> by root.
IMHO, and sorry for being blunt, but that's a crock. So now you're going
to drop a core file in a user's directory that's root and mode 700 --
regardless of how umask is set, etc?
It's better to not have the problem in the first place.
> There are already protections enforced to disallow non-privileged users
> from ptracing programs that are setuid/setgid.
A program which calls setuid() isn't SUID any more. Once done, that's
terminal (and can't be "recalled").
The problem here is that authentication data must be able to be *known*
destroyed in the data segment BEFORE a non-privileged user can get to the
image of the data segment via any means -- ptrace, procfs, core dumps, etc.
If you do that, you get rid of the entire problem -- and if done in the
libraries it's not just ftpd that this fixes.
What's the objection to clearing possibly-contaminated structures when a
program signifies it's done with a privileged resource?
> --
> Justin T. Gibbs
> ===========================================
> FreeBSD: Turning PCs into workstations
> ===========================================
--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl | T1 from $600 monthly; speeds to DS-3 available
| 23 Chicagoland Prefixes, 13 ISDN, much more
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax: [+1 312 248-9865] | Home of Chicago's only FULL Clarinet feed!
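The scrub-before-setuid discipline argued for above, as an added C example that is not code from this thread or from FreeBSD's libc: `struct auth_data`, `secure_zero` and `scrub_credentials` are hypothetical names, and the sample values are constructed. It assumes the caller runs the scrub while still privileged and only then calls setuid(), and it uses a volatile store loop because a plain memset() of a buffer that is never read again may be optimized away.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical credential record of the kind an authenticating daemon
 * holds in its data segment while it still runs privileged. */
struct auth_data {
    char user[32];
    char password[128];
};

/* Zero a region through a volatile pointer so the compiler cannot drop the
 * stores as dead (a plain memset() of a buffer that is never read again may
 * be elided). explicit_bzero() on modern BSD/glibc serves the same purpose. */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Return 1 if every byte of the region is zero, 0 otherwise. */
int is_all_zero(const void *p, size_t n)
{
    const unsigned char *b = (const unsigned char *)p;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= b[i];
    return acc == 0;
}

/* Scrub the credentials and confirm the image no longer holds them. Only
 * when this returns 1 should the caller go on to setuid(): from that point
 * a core dump or ptrace() of the process is reachable by the unprivileged
 * user, so the data must already be gone. */
int scrub_credentials(struct auth_data *a)
{
    secure_zero(a, sizeof *a);
    return is_all_zero(a, sizeof *a);
}

/* Constructed sample: populate a record, scrub it, report the result. */
int demo_scrub(void)
{
    struct auth_data a;
    memset(&a, 0, sizeof a);
    strcpy(a.user, "alice");                   /* constructed values */
    strcpy(a.password, "constructed-secret");
    if (is_all_zero(&a, sizeof a)) return 0;   /* sanity: data was present */
    return scrub_credentials(&a);
}
```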