patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
=============================================================================
FreeBSD-SA-02:24.k5su                                       Security Advisory
                                                          The FreeBSD Project

Topic:          k5su utility does not honor `wheel' group

Category:       kerberos5
Module:         kerberos5/usr.bin/k5su
Announced:      2002-05-20
Credits:        jmallet@FreeBSD.org
Affects:        FreeBSD 4.4-RELEASE
                FreeBSD 4.5-RELEASE
                FreeBSD-STABLE prior to the correction date
Corrected:      2002-05-15 12:51:30 UTC (RELENG_4)
                2002-05-15 12:56:21 UTC (RELENG_4_5)
                2002-05-15 13:04:00 UTC (RELENG_4_4)
FreeBSD only:   YES

I.   Background

The k5su utility is a SU utility similar to su(1), and is used to
switch privileges after authentication using Kerberos 5 or the local
passwd(5) file. k5su is installed as part of the `krb5' distribution,
or when building from source with MAKE_KERBEROS5 set. Neither of
these is a default setting.

II.  Problem Description

Historically, the BSD SU utility only allows users who are members
of group `wheel' (group-ID 0) to obtain superuser privileges. The
k5su utility, however, does not honor this convention and does not
verify group membership once a user has successfully authenticated.

k5su also lacks other features of su(1), such as checking for
password expiration, implementing login classes, and checking
that the target user's login shell is listed in /etc/shells.

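As an added illustration (not code from the advisory or from FreeBSD's su/k5su sources), the following C shows the `wheel' membership rule that su(1) enforces and that k5su omitted: a pure policy function that can be tested with constructed group lists, plus a wrapper that applies it to the calling process. The group name `wheel' is assumed to exist in the group database; the gid values in the test are constructed.

```c
#include <grp.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* The rule su(1) applies and k5su (before the correction) skipped:
 * switching to the superuser (uid 0) is allowed only when the caller's
 * primary or supplementary groups include `wheel'.  Switching to any
 * other user is not restricted by this rule.  `wheel_gid' and the
 * group list are parameters so the decision is testable without a
 * real group database. */
int may_become_user(uid_t target_uid, gid_t wheel_gid,
                    gid_t primary_gid, const gid_t *groups, int ngroups)
{
    if (target_uid != 0)
        return 1;                       /* rule only guards root */
    if (primary_gid == wheel_gid)
        return 1;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == wheel_gid)
            return 1;
    return 0;                           /* authenticated, but not in wheel */
}

/* Apply the rule to the calling process: look up `wheel' with
 * getgrnam(3) and the supplementary groups with getgroups(2).
 * Returns 1 (allowed), 0 (denied) or -1 (lookup failed; callers
 * should treat -1 as denied, i.e. fail closed). */
int caller_may_become_root(void)
{
    struct group *wheel = getgrnam("wheel");   /* assumption: group exists */
    if (wheel == NULL)
        return -1;
    int n = getgroups(0, NULL);                /* query list size first */
    if (n < 0)
        return -1;
    gid_t *gids = calloc((size_t)n + 1, sizeof *gids);
    if (gids == NULL)
        return -1;
    n = getgroups(n, gids);
    int verdict = (n < 0) ? -1
                : may_become_user(0, wheel->gr_gid, getgid(), gids, n);
    free(gids);
    return verdict;
}
```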
III. Impact

Contrary to the expectations of many BSD system administrators, users
not in group `wheel' may use k5su to attempt to obtain superuser
privileges. Note that this would require knowledge of the root
account password, or an explicit entry in the Kerberos 5 `.k5login'
ACL for the root account.

IV.  Solution

Remove the set-user-ID bit from the k5su utility:

# chmod u-s /usr/bin/k5su

This will completely disable k5su.

Sites which wish to use Kerberos 5 authentication for SU and are
comfortable with its limitations may choose to leave the set-user-ID
bit enabled. As of the correction date, FreeBSD (including the
upcoming 4.6-RELEASE) will install k5su if requested, but the
set-user-ID bit will not be enabled by default. See also the
ENABLE_SUID_K5SU option in make.conf(5).

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                                             Revision
                                                                 Branch
-------------------------------------------------------------------------
src/UPDATING
  RELENG_4                                                     1.73.2.67
  RELENG_4_5                                              1.73.2.50.2.12
  RELENG_4_4                                              1.73.2.43.2.12
src/etc/defaults/make.conf
  RELENG_4                                                     1.97.2.65
  RELENG_4_5                                               1.97.2.59.2.1
  RELENG_4_4                                               1.97.2.58.2.1
src/kerberos5/usr.bin/k5su/Makefile
  RELENG_4                                                     1.73.2.67
  RELENG_4_5                                               1.97.2.59.2.1
  RELENG_4_4                                                1.1.2.2.2.1
src/share/man/man5/make.conf.5
  RELENG_4                                                     1.12.2.16
  RELENG_4_5                                               1.12.2.12.2.1
  RELENG_4_4                                               1.12.2.10.2.1
-------------------------------------------------------------------------
