On Thu, 28 May 1998, Michael K. Johnson wrote: >> In Red Hat Linux 5.1, linuxconf version 1.11r11-rh2 was inadvertantly >> setuid root. This creates the potential for security holes that allow >> attackers to gain root access to your machine. (Users of Red Hat >> Linux 5.0 and earlier are NOT affected, as linuxconf was not included >> with any previous version of Red Hat Linux.) >> >> If you have installed Red Hat Linux 5.1, you can immediately remove >> the danger by logging in as root and running the command: >> >> chmod -s /bin/linuxconf >> >> We also recommend that you update to the latest version of linuxconf, >> linuxconf-1.11r11-rh3, which fixes this bug. >> Thanks to BUGTRAQ for finding and reporting this. > the binary RPMs have always been shipped with suid linuxconf. Does this > announce mean that linuxconf has been found insecure, so that is MUST not > be used suid ? I haven't seen anything about linuxconf on BUGTRAQ, apart > from your posting. I don't know if linuxconf has any security wholes (and I'm not qualified to audit the sources)..... > The fact is, linuxconf's most valuable feature, to me, is the possibility > to delegate user administration. If i drop SUID, i cannot do that anymore > - right ? And i cannot use remote admin, too. .... however even it linuxconf has some insecurities, you could strip the "world" bits, chgrp it to something appropriate ("wheel"?) and leave it SUID/root. I think most SUID programs should default to being configured this way --- so that only members of the appropriately trusted group is allowed to attempt exploits using it. You could also further protect it by hiding it behind 'sudo'. > So, if linuxconf is so insecure that one cannot dare having it suid, it > almost becomes useless. I don't think so. It still contains quite a bit of "knowlege" about the various configuration files --- helping the sysadmin create new DNS zone maps, and the like with a much easier interface than a text editor and a pile of man pages. If it can help sysadmin's by preventing stupid syntactically mistakes in the sorts of config files that we rarely edit it still may be quite valuable, even to experienced sysadmins --- and even to some degrees that relate to improving security. (Let me tell you about the stray space in a wuftpd ftpaccess file that had some kiddies creating stray "warez" directories some time. Don't follow those commas with spaces!). > Could you (Michael, Jacques) please clarify about Linuxconf security ? > It is fundamental to know whether the security risks are only from local > users, or also from external attacks. It would be nice to hear about specific, known security concerns. It would be less comforting to hear that linuxconf is "not known to contain any buffer overflow or race condition bugs." What would inspire a bit more confidence is a couple of independent reports from qualified auditors who specifically looked for them. > Is there somebody doing security auditing on Linuxconf ? > Cheers, Sergio I would really like to see Red Hat, Caldera, S.u.S.E. and a few of the other commercial Linux distributors and vendors pitch in to a comprehensive security audit of the whole Linux source tree. Currently the OpenBSD camp is severely whuppin' us in that area. I would vote to have LI (Linux International) create a special fund for it --- and solicit donations. If they do --- I'll send money tomorrow. -- Jim Dennis (800) 938-4078 consultingat_private Proprietor, Starshine Technical Services: http://www.starshine.org
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:56:30 PDT