[485] in linux-security and linux-alert archive
Re: Fwd: CERT Advisory CA-95:14 - Telnetd Environment Vulnerability
daemon@ATHENA.MIT.EDU (Jeff Uphoff)
Fri Nov 10 14:16:03 1995
Date: Fri, 10 Nov 1995 12:56:21 -0500
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
To: jacob@esisys.com (Jacob Langseth)
CC: linux-security@tarsier.cv.nrao.edu
In-Reply-To: Your message of Thu, November 9, 1995 21:23:21 -0500
"JL" == Jacob Langseth <jacob@esisys.com> writes:
[Please note that all of my statements/patches are for the 'updatedb'
that shipped with the last pre-3.0 (i.e. non-ELF) release of Slackware.
--Jeff]
JL> Also, while I'm posting, there is a security flaw with the updatedb
JL> command.
JL> According to the manpages, updatedb executes as daemon by default
JL> (to preserve directory permissions).
It does execute as "daemon" when searching NFS-mounted directories, if
you add any to the search path inside the 'updatedb' script.
JL> Unfortunately it fails to set its UID to daemon's before executing
JL> the find, and (at least in my Slackware distribution) updatedb is
JL> run via a cronjob as ROOT. This allows anyone using the 'locate'
JL> command to view the entire file system.
It su's to "daemon" internally before doing the 'find' on NFS-mounted
filesystems, but not for locally-mounted FS's.
JL> While this isn't a direct security threat, it does effectively negate
JL> directory read permissions and should be fixed.
JL> To have updatedb run as daemon:
JL> 1) relocate the updatedb command from root's cronjob to daemon's
JL> 2) chown -R daemon.daemon /var/spool/locate
Or apply this patch, which is a summary of the (incremental) RCS changes
that I've made to 'updatedb' against the Slackware distributed script,
with some "localisms" (such as search/exclude paths) removed:
-----snip snip-----
--- updatedb 1995/11/10 16:28:50 1.0
+++ updatedb 1995/11/10 17:38:03
@@ -33,6 +37,7 @@
--netpaths) NETPATHS="$val" ;;
--prunepaths) PRUNEPATHS="$val" ;;
--output) LOCATE_DB="$val" ;;
+ --locuser) LOCUSER="$val" ;;
--netuser) NETUSER="$val" ;;
--old-format) old=yes ;;
--version) echo "GNU updatedb version 4.1"; exit 0 ;;
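Review bot: the new --locuser option is parsed here next to --netuser, but nothing in the patch documents it; the thread itself relies on the man page for what user updatedb runs as, so the man page and any usage/--help text should gain a line for --locuser and its default, otherwise an admin reading the documentation still believes local searches run with the caller's privileges.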
@@ -69,8 +74,11 @@
: ${TMPDIR=/usr/tmp}
fi
+# The user to search local directories as.
+: ${LOCUSER=nobody}
+
# The user to search network directories as.
-: ${NETUSER=daemon}
+: ${NETUSER=nobody}
# The directory containing the subprograms.
: ${LIBEXECDIR=/usr/libexec}
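Review bot: the `-: ${NETUSER=daemon}` / `+: ${NETUSER=nobody}` change alters the default for NFS searches, which is unrelated to the local-find fix this patch is about; a crontab that never passes --netuser will silently start walking NFS mounts as a different account after applying it. Keep the NFS default as it was and let the new LOCUSER line carry the fix, or split the default change out and document it; the LOCUSER line above it, with its comment, is fine as added.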
@@ -94,8 +102,8 @@
# FIXME figure out how to sort null-terminated strings, and use -print0.
{
if test -n "$SEARCHPATHS"; then
- $find $SEARCHPATHS \
- \( -fstype nfs -o -fstype NFS -o -type d -regex "$PRUNEREGEX" \) -prune -o -print
+ su $LOCUSER -c \
+ "$find $SEARCHPATHS \\( -fstype nfs -o -fstype proc -o -fstype msdos -o -fstype iso9660 -o -type d -regex \"$PRUNEREGEX\" \\) -prune -o -print"
fi
if test -n "$NETPATHS"; then
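Review bot: the replacement find drops the `-fstype NFS` alternative that the removed line pruned alongside `-fstype nfs`, so the local pass now descends into any mount reported with the uppercase name; keep both spellings. Also, `$SEARCHPATHS` and `\"$PRUNEREGEX\"` are expanded by the outer shell into the double-quoted -c string and then parsed a second time by the shell su starts, so a `$`, backquote or double quote in the regex changes or breaks the command. Hand the values to the inner shell through the environment (export PRUNEREGEX) or as positional arguments rather than splicing them into the command text.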
-----snip snip-----
This allows you to keep it in root's crontab and leave the database
files/directories owned by root. Please note that I run the find's as
"nobody" rather than as "daemon."
Also, my patch tells it to exclude "proc", "msdos", and "iso9660" FS's
since I don't want them in my locator database.
--Up.
--
Jeff Uphoff - systems/network admin. | juphoff@nrao.edu
National Radio Astronomy Observatory | jeff.uphoff@linux.org
Charlottesville, VA, USA | http://linux.nrao.edu/~juphoff/
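The leak Jacob reports and the privilege drop Jeff's patch performs, as an added example that is not code from the original message, from the Slackware updatedb script, or from GNU findutils. It assumes su(1) accepts -s (util-linux, shadow and busybox su all do), that the LOCUSER account (nobody by default) exists, and it stands a raw sorted path list in for the frcode-encoded database; the search path and output file are whatever the caller passes.

```shell
#!/bin/sh
# Added example, not code from the original message, from the Slackware
# updatedb script, or from GNU findutils.  Assumptions: su(1) accepts -s,
# the LOCUSER account exists (nobody by default), and the "database" is
# the raw sorted path list; the real updatedb pipes it through frcode.

: "${LOCUSER=nobody}"

# Before: the unpatched script's local pass, run with the caller's
# privileges.  From root's crontab, find enters every directory, so the
# names inside a mode-0700 directory become visible to anyone who runs
# locate.  find exits non-zero on unreadable directories; that is expected.
privileged_find() {
    find "$1" -print 2>/dev/null || :
}

# After: when running as root, walk the tree as LOCUSER instead, so a
# directory LOCUSER cannot enter never reaches the database.  The path is
# handed to the inner shell as $1 rather than interpolated into the -c
# string, so it needs no second level of quoting.  Output still goes
# through the caller's redirection, so the database file stays owned by
# root, which is the property the patch wanted to keep.
unprivileged_find() {
    if [ "$(id -u)" -eq 0 ]; then
        su -s /bin/sh -c 'find "$1" -print 2>/dev/null' "$LOCUSER" sh "$1" || :
    else
        find "$1" -print 2>/dev/null || :
    fi
}

# Build a sorted database file the way the cron job would:
# $1 is the search path, $2 the output file (written by the caller).
build_db() {
    unprivileged_find "$1" | sort > "$2"
}
```

From root's crontab, `build_db / /var/spool/locate/locatedb` gives a database owned by root whose contents are limited to what nobody can see. The same trick, passing values to the inner shell as arguments or through the environment instead of splicing them into the -c string, is how PRUNEREGEX should reach the su'd find in the patch above.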