[7195] in bugtraq


Re: ncurses 4.1 security bug

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Thu Jul 9 14:37:00 1998

Date: 	Wed, 8 Jul 1998 10:40:09 -0400
Reply-To: perry@piermont.com
From: "Perry E. Metzger" <perry@PIERMONT.COM>
X-To:         Alan Cox <alan@lxorguk.ukuu.org.uk>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Wed, 08 Jul 1998 13:45:58 BST." 
              <m0yttbk-000aQFC@the-village.bc.nu>

Alan Cox writes:
> > Duncan Simpson writes:
> > > ncurses version 4.1 fails to drop privileges before opening the
> > > termcap database and you can set any file(s) you like.
> >
> > This is not a bug. ncurses is a *library*, not a *program*. It is up
> > to suid programs to drop privileges, not every call that invokes them --
> > or are you going to declare the fact that fopen() doesn't drop
> > privileges a "bug"?
>
> Depends how you care to look at it. I can agree with your reasoning.
>
> In which case there is a bug in
>       screen   (as root so very bad)
>       dosemu
>       mutt
>       several bsd-games packages

There are indeed many such bugs.

SUID programs should drop privs almost immediately. The number of
possible places such issues can lurk is semi-infinite. You'll never
get all of them. You *can*, however, drop privs almost instantly.

> anywhere on the planet today. Also of course any setuid/setgid applications
> using NLS or TZ. The latter is far nastier because
>
> 1.    The libraries will use message catalogs and may open them before
>       you do

In NetBSD, the message catalogs we use don't work that way, so I
suppose I'm not familiar with this issue.

> 2.    If you are using C++ your constructors can't call libc in this case
>       as the order of constructors isn't defined

???

Why not just drop privs at the beginning as you are supposed to?

> 4.    Dropping TZ or NLS when setuid is really obnoxious - Japanese users
>       will love having mutt, screen, and things like su in English.

So don't drop them -- drop privs *first*.

Sigh.

Perry
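
The "drop privs first" pattern discussed in this message, as an added C example that is not part of the original post or of any program named in it. The helper name drop_privs_permanently() is hypothetical; the example assumes a POSIX system.

```c
/* Added illustration: give up set-uid/set-gid privileges before any library
 * reads user-controlled environment (TERMCAP, TERMINFO, TZ, NLS paths).
 * drop_privs_permanently() is a hypothetical helper name. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 once the effective IDs equal the invoking user's real IDs and
 * the old effective IDs cannot be regained; -1 otherwise. */
int drop_privs_permanently(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group first: after the uid is dropped we may no longer be allowed
     * to change the gid. */
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;

    /* Verify the drop is permanent. On systems where setuid()/setgid()
     * leave the saved ID in place for a non-root owner, these calls
     * succeed and the function reports failure. */
    if (old_egid != rgid && (setegid(old_egid) == 0 || getegid() != rgid))
        return -1;
    if (old_euid != ruid && (seteuid(old_euid) == 0 || geteuid() != ruid))
        return -1;

    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

int main(void)
{
    /* First statement of main(): nothing below runs with borrowed rights. */
    if (drop_privs_permanently() != 0) {
        fprintf(stderr, "cannot drop privileges, refusing to continue\n");
        return EXIT_FAILURE;
    }
    /* Only now call initscr(), setlocale(), tzset() and similar: any file
     * they open is opened with the invoking user's own permissions. */
    printf("running as uid=%ld gid=%ld\n", (long)getuid(), (long)getgid());
    return EXIT_SUCCESS;
}
```

A program that needs its privilege for one operation (for example opening a pty or a lock file) would perform that single operation before the call and keep only the resulting file descriptor.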
