On Thu, 28 May 1998, Michael K. Johnson wrote:
>> In Red Hat Linux 5.1, linuxconf version 1.11r11-rh2 was inadvertantly
>> setuid root. This creates the potential for security holes that allow
>> attackers to gain root access to your machine. (Users of Red Hat
>> Linux 5.0 and earlier are NOT affected, as linuxconf was not included
>> with any previous version of Red Hat Linux.)
>>
>> If you have installed Red Hat Linux 5.1, you can immediately remove
>> the danger by logging in as root and running the command:
>>
>> chmod -s /bin/linuxconf
>>
>> We also recommend that you update to the latest version of linuxconf,
>> linuxconf-1.11r11-rh3, which fixes this bug.
>> Thanks to BUGTRAQ for finding and reporting this.
> the binary RPMs have always been shipped with suid linuxconf. Does this
> announce mean that linuxconf has been found insecure, so that is MUST not
> be used suid ? I haven't seen anything about linuxconf on BUGTRAQ, apart
> from your posting.
I don't know if linuxconf has any security wholes (and I'm
not qualified to audit the sources).....
> The fact is, linuxconf's most valuable feature, to me, is the possibility
> to delegate user administration. If i drop SUID, i cannot do that anymore
> - right ? And i cannot use remote admin, too.
.... however even it linuxconf has some insecurities, you
could strip the "world" bits, chgrp it to something appropriate
("wheel"?) and leave it SUID/root.
I think most SUID programs should default to being configured
this way --- so that only members of the appropriately trusted
group is allowed to attempt exploits using it.
You could also further protect it by hiding it behind 'sudo'.
> So, if linuxconf is so insecure that one cannot dare having it suid, it
> almost becomes useless.
I don't think so. It still contains quite a bit of "knowlege"
about the various configuration files --- helping the sysadmin
create new DNS zone maps, and the like with a much easier
interface than a text editor and a pile of man pages.
If it can help sysadmin's by preventing stupid syntactically
mistakes in the sorts of config files that we rarely edit
it still may be quite valuable, even to experienced sysadmins
--- and even to some degrees that relate to improving security.
(Let me tell you about the stray space in a wuftpd ftpaccess
file that had some kiddies creating stray "warez" directories
some time. Don't follow those commas with spaces!).
> Could you (Michael, Jacques) please clarify about Linuxconf security ?
> It is fundamental to know whether the security risks are only from local
> users, or also from external attacks.
It would be nice to hear about specific, known security
concerns. It would be less comforting to hear that linuxconf
is "not known to contain any buffer overflow or race condition
bugs." What would inspire a bit more confidence is a couple
of independent reports from qualified auditors who specifically
looked for them.
> Is there somebody doing security auditing on Linuxconf ?
> Cheers, Sergio
I would really like to see Red Hat, Caldera, S.u.S.E. and
a few of the other commercial Linux distributors and vendors
pitch in to a comprehensive security audit of the whole
Linux source tree. Currently the OpenBSD camp is severely
whuppin' us in that area.
I would vote to have LI (Linux International) create a
special fund for it --- and solicit donations. If they do
--- I'll send money tomorrow.
--
Jim Dennis (800) 938-4078 consultingat_private
Proprietor, Starshine Technical Services: http://www.starshine.org
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:56:30 PDT