The security problem with the pseudo-nfsd of cfs: cfsd uses the seteuid call to change to the user's ID and doesn't have to care about permissions any more. After the user's request has been handled it changes back to root. But while processing the user's request euid = the user's ID, and the user is able to kill cfsd or do whatever he wants with the process, for example mmapping /proc/<cfsdpid>/mem into memory and changing the code. cfsd seteuid's itself to root again after the file access and wonders why it should execute "echo * * > /root/.rhosts" *g*

I have currently figured out a solution for Linux only: the setfs{uid,gid} call. The man page describes exactly this security problem:

---
An explicit call to setfsuid is usually only used by programs such as the Linux NFS server that need to change what user ID is used for file access without a corresponding change in the real and effective user IDs. A change in the normal user IDs for a program such as the NFS server is a security hole that can expose it to unwanted signals from other user IDs.
---

--- cfs_orig.h	Sat Feb 21 01:00:51 1998
+++ cfs.h	Sat Feb 21 01:02:47 1998
@@ -200,6 +200,10 @@
 #define become(x) ((x)==NULL?(setuidx(ID_EFFECTIVE | ID_REAL,0)||setgidx(ID_EFFECTIVE|ID_REAL,0)) :\
 (setgidx(ID_EFFECTIVE|ID_REAL,rgid(x)) || setuidx(ID_EFFECTIVE|ID_REAL, ruid(x))))
 #else
+#ifdef linux
+#define become(x) ((x)==NULL?(seteuid(0)||setegid(0)) :\
+ (setfsgid(rgid(x)) || setfsuid(ruid(x))))
+#else
 #define become(x) ((x)==NULL?(seteuid(0)||setegid(0)) :\
 (setegid(rgid(x)) || seteuid(ruid(x))))
 #endif

This should fix the problem for Linux. I haven't tested nor compiled it, because I'm really too tired for this now ;)

bye,
therapy
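Review bot: the `+#ifdef linux` line opens a new conditional but the hunk adds no matching `#endif` (the header says +4 lines and all four are shown), so after this patch the `#ifdef linux` and the outer `#ifdef` share the single existing `#endif` and the preprocessor will stop with an unterminated conditional; add a `+#endif` after the existing `#endif` context line, or fold the Linux case in as `#elif defined(linux)`. Separately, `setfsgid()`/`setfsuid()` do not return 0 on success and -1 on error the way `setegid()`/`seteuid()` do: each returns the previous filesystem id, on success and on failure alike, so `(setfsgid(rgid(x)) || setfsuid(ruid(x)))` reports a failure whenever the previous fsgid was non-zero (and then never calls `setfsuid()` at all) and never reports a real failure; check success by reading the value back, e.g. `setfsuid(ruid(x)); if (setfsuid(-1) != ruid(x)) ...`.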
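The idiom the mail proposes, written out as an added example that is not cfs code and not the author's patch: a `become_fs()`/`restore_fs()` pair (hypothetical names) that switches only the filesystem ids with `setfsgid(2)`/`setfsuid(2)`, leaves the real and effective ids alone, and checks the result by reading the fs ids back, because these two Linux-only calls return the previous id rather than a success/failure code. `euid_unchanged_after_become()` is a helper added to make the property under discussion checkable.

```c
/* Added example (Linux only): file-access ids via setfsuid/setfsgid,
 * keeping euid so the process stays out of reach of the served user.
 * Hypothetical helpers, not cfsd's become() macro. */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/fsuid.h>   /* setfsuid(2) / setfsgid(2): Linux-specific */

/* setfsuid()/setfsgid() return the PREVIOUS fs id, on success and on
 * failure alike, so their return value cannot be tested like seteuid()'s.
 * Passing an invalid id (-1) changes nothing and just returns the current
 * value; that is the documented way to read the fs ids back. */
static uid_t current_fsuid(void) { return (uid_t)setfsuid((uid_t)-1); }
static gid_t current_fsgid(void) { return (gid_t)setfsgid((gid_t)-1); }

/* Use uid/gid for filesystem permission checks only. Real, effective and
 * saved ids are untouched, so a daemon whose euid is 0 remains immune to
 * kill() and ptrace() from the user it is serving. Returns 0 on success;
 * on failure the previous fs gid is put back and -1 is returned. */
int become_fs(uid_t uid, gid_t gid)
{
    gid_t old_gid = current_fsgid();

    setfsgid(gid);                 /* group first, as in the original macro */
    if (current_fsgid() != gid)
        return -1;                 /* nothing has changed yet */

    setfsuid(uid);
    if (current_fsuid() != uid) {
        setfsgid(old_gid);         /* undo the gid change */
        return -1;
    }
    return 0;
}

/* Back to the daemon's own ids for file access (its effective uid/gid). */
int restore_fs(void)
{
    setfsuid(geteuid());
    setfsgid(getegid());
    return (current_fsuid() == geteuid() && current_fsgid() == getegid()) ? 0 : -1;
}

/* The property the mail is about: after become_fs() the real and effective
 * uids are exactly what they were, only the fs ids moved. Returns 1 if the
 * switch succeeded and that holds, 0 otherwise. */
int euid_unchanged_after_become(uid_t uid, gid_t gid)
{
    uid_t euid_before = geteuid();
    uid_t ruid_before = getuid();
    if (become_fs(uid, gid) != 0)
        return 0;
    return geteuid() == euid_before && getuid() == ruid_before
        && current_fsuid() == uid && current_fsgid() == gid;
}

int main(void)
{
    printf("before: uid=%u euid=%u fsuid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid(), (unsigned)current_fsuid());
    /* Switching to our own real ids is permitted even without privilege;
     * a root daemon would pass the requesting user's ids here instead. */
    if (become_fs(getuid(), getgid()) != 0) {
        fprintf(stderr, "become_fs failed\n");
        return 1;
    }
    printf("during: uid=%u euid=%u fsuid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid(), (unsigned)current_fsuid());
    /* An invalid id is reported as a failure, which the bare syscall's
     * return value would never show. */
    printf("become_fs(-1, gid) -> %d\n", become_fs((uid_t)-1, getgid()));
    if (restore_fs() != 0)
        return 1;
    printf("after:  uid=%u euid=%u fsuid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid(), (unsigned)current_fsuid());
    return 0;
}
```

Run unprivileged it can only switch to the caller's own ids, which is enough to show the point: `become_fs()` moves the fs ids while `geteuid()` stays put, and the read-back check catches the invalid-id case that a `setfsuid(...) || ...` test would silently accept.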
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:42:52 PDT