[4207] in bugtraq


Re: [linux-security] Re: tftpd bug (was: "Secure" tftpd source

daemon@ATHENA.MIT.EDU (Warner Losh)
Mon Mar 24 21:47:03 1997

Date: 	Mon, 24 Mar 1997 17:05:05 -0700
Reply-To: Warner Losh <imp@VILLAGE.ORG>
From: Warner Losh <imp@VILLAGE.ORG>
X-To:         Alex Belits <abelits@phobos.illtel.denver.co.us>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Mon, 24 Mar 1997 14:48:53 PST." 
              <Pine.LNX.3.95.970324142427.19287A-100000@phobos.illtel.denver.co.us>

In message <Pine.LNX.3.95.970324142427.19287A-100000@phobos.illtel.denver.co.us> Alex Belits writes:
:   It "assumes" that it's not running as root if no chroot directory is
: defined without checking or trying to change its uid. And since it does
: have option to chroot, it could be called as root, so the assumption is
: that if sysadmin doesn't use chroot, he will run it as nobody. Sysadmin
: that will change setup to remove for some reason chroot'ing option from
: tftpd line in inetd.conf very unlikely will check tftpd source and change
: userid at the same time. Manpage says "Because chroot is restricted to
: root, you must run tftpd as root.  However, if you chroot, then tftpd will
: set its user id to nobody.", so it's not obvious that if -s option is
: removed, it will require sysadmin to change userid in inetd.conf. Maybe,
: freebsd sysadmins are assumed to know that if manpage doesn't explicitly
: say that userid will change to nobody, it won't happen even if -s option
: causes that, but in linux tftpd always changes its userid and thus just
: copying freebsd tftpd to linux with default configs creates security hole.

The man page for FreeBSD clearly states that you should run it with
the lowest possible user id you have:
     The server should have the user ID with the lowest possible privilege.

Which sounds fairly clear to me.  The man page is also clear that if
you aren't chrooting, then it won't setuid to nobody:
     However, if you chroot, then tftpd
     will set its user id to nobody.
which doesn't say anything at all about what it does for the
non-chroot case, which implies that it doesn't do anything for the
non-root case.  Most people that know how to read unix man pages are
used to this.  For example, chroot(2) doesn't say that the current
directory remains unchanged, yet it does.[*]

However, in light of the confusion, I'm adding language to the manual
that warns people to only run as root if you are using chroot.  I
think it may make sense to also always setuid nobody if euid == 0.
This does pinch off some functionality, but not a desirable
functionality.

As to the wisdom of blindly copying stuff from one OS to another,
well, that shouldn't be done.  It is insecure and always has been.
What is safe and secure on one OS may not necessarily be safe and
secure on another.  Whenever you bring stuff from one OS to another
you must review the code to make sure that it will function correctly
and securely (if that is a goal).  Even copying stuff between OpenBSD
and FreeBSD (for example) can cause security problems if not done
carefully.

Warner

[*] Contrast this with chroot(8) which does change the directory.
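
Added example, not part of the original message and not tftpd source: a C sketch of the behaviour discussed above, where a daemon started as root gives up its uid whether or not a chroot directory is configured, and changes directory explicitly after chroot(2). The function names plan_steps and apply_steps are hypothetical, and the unprivileged account is assumed to be "nobody".

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1 /* glibc: expose chroot() and setgroups() */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

enum { STEP_CHROOT = 1, STEP_DROP_UID = 2, STEP_REFUSE = 4 };

/* Root always drops its uid, with or without a chroot directory. Non-root
   cannot chroot, so a requested chroot is refused rather than skipped. */
int plan_steps(uid_t euid, const char *chroot_dir)
{
    if (euid != 0)
        return chroot_dir ? STEP_REFUSE : 0;
    return (chroot_dir ? STEP_CHROOT : 0) | STEP_DROP_UID;
}

/* Carry out the plan; returns 0 on success, -1 on any failure. */
int apply_steps(int steps, const char *chroot_dir, const char *user)
{
    struct passwd *pw = NULL;
    if (steps & STEP_REFUSE)
        return -1;
    /* Look the account up first: /etc/passwd may not exist inside the chroot. */
    if ((steps & STEP_DROP_UID) && (pw = getpwnam(user)) == NULL)
        return -1;
    /* chroot(2) leaves the current directory unchanged, so chdir explicitly. */
    if ((steps & STEP_CHROOT) && (chroot(chroot_dir) != 0 || chdir("/") != 0))
        return -1;
    if (steps & STEP_DROP_UID) {
        /* Groups before uid: after setuid() they can no longer be changed. */
        if (setgroups(0, NULL) != 0 || setgid(pw->pw_gid) != 0 ||
            setuid(pw->pw_uid) != 0)
            return -1;
        if (setuid(0) == 0 || geteuid() == 0) /* the drop must be permanent */
            return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : NULL; /* optional chroot directory */
    int rc = apply_steps(plan_steps(geteuid(), dir), dir, "nobody"); /* assumed account */
    printf("euid=%d result=%d\n", (int)geteuid(), rc);
    return rc == 0 ? 0 : 1;
}
```

Any failed step returns -1 so the caller can exit before serving a request instead of continuing with root privileges.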
