os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
doc/share/security/advisories/FreeBSD-SA-02:07.k5su.asc
Bjoern A. Zeeb 3571e53040 Import FreeBSD Security Advisories and Errata Notices, as well as their 
patches for easier mirroring, to eliminate a special copy, to make
www.freebsd.org/security a full copy of security.freebsd.org and be
eventually be the same.

For now files are just sitting there.   The symlinks are missing.

Discussed on:	www (repository location)
Discussed with:	simon (so)
2012-08-15 06:19:40 +00:00

186 lines
6.6 KiB
Text
Raw Blame History

-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-02:07 Security Advisory
FreeBSD, Inc.
Topic: Kerberos 5 su command uses getlogin for authorization
Category: krb5, ports
Module: crypto/heimdal/appl/su, heimdal
Announced: 2002-01-18
Credits: Aaron <lumpy@musicvision.com>
Affects: FreeBSD 4.4-RELEASE
FreeBSD 4.4-STABLE prior to the correction date
Ports collection prior to the correction date
Corrected: 2002-01-15 21:52:48 UTC (RELENG_4)
2002-01-17 15:45:05 UTC (RELENG_4_4)
2001-10-31 19:58:05 UTC (heimdal port)
FreeBSD only: NO
0. Revision History
v1.0 2002-01-18 Initial release
v1.1 2002-09-09 Corrected date of heimdal port correction
I. Background
The getlogin and setlogin system calls are used to manage the user
name associated with a login session.
k5su is a Kerberos 5-enabled su program. Like su, it allows
authorized users to `switch user' in order to obtain additional
privileges.
II. Problem Description
The setlogin system call, the use of which is restricted to the
superuser, is used to associate a user name with a login session. The
getlogin system call is used to retrieve that user name. The setlogin
system call is typically used by applications such as login and sshd.
The k5su command included with FreeBSD, versions prior to 4.5-RELEASE,
and the su command included in the heimdal port, versions prior to
heimdal-0.4e_2, use the getlogin system call in order to determine
whether the currently logged-in user is `root'. In some
circumstances, it is possible for a non-privileged process to have
`root' as the login name returned by getlogin.
The `k5su' command may be installed as part of FreeBSD when Kerberos 5
support is requested, or it may be installed from the FreeBSD Ports
Collection (ports/security/heimdal), in which case it is installed
simply as `su'.
The Heimdal port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 6000 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.4 contains this
problem since it was discovered after the release.
FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.
III. Impact
In some circumstances, process that have been started by root but have
given up superuser privileges may be able to invoke `k5su' to regain
superuser privileges.
IV. Workaround
Commands to be executed as root are signified by lines starting with
the `#' character.
[Kerberos 5 in the base system]
Remove the set-user-ID bit from the `k5su' executable by running the
following command as root:
# chmod u-s /usr/bin/k5su
[Heimdal port]
Remove the set-user-ID bit from the `su' executable by running the
following command as root:
# chmod u-s /usr/local/bin/su
V. Solution
[Kerberos 5 in the base system]
NOTE: If the file /usr/bin/k5su does not exist on your system,
Kerberos 5 is not installed and you do not need to take any action.
Do one of the following:
1) Upgrade your system to 4.4-STABLE or the RELENG_4_4 security
branch, dated after the respective correction dates.
2) To patch your present system:
The following patch has been verified to apply to FreeBSD 4.4-RELEASE
and 4.4-STABLE dated prior to the correction date. It may or may not
apply to older, unsupported versions of FreeBSD.
Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-02:07/k5su.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-02:07/k5su.patch.asc
Execute the following commands as root:
# cd /usr/src
# patch < /path/to/k5su.patch
# cd /usr/src/kerberos5/lib
# env MAKE_KERBEROS5=yes make depend
# env MAKE_KERBEROS5=yes make all install
# cd /usr/src/kerberos5/usr.bin/k5su
# env MAKE_KERBEROS5=yes make depend
# env MAKE_KERBEROS5=yes make all install
[Heimdal port]
Do one of the following:
1) Upgrade your entire ports collection and rebuild the port.
2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/heimdal-0.4e_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/heimdal-0.4e_2.tgz
[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
3) Download a new port skeleton for the heimdal port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.
[Kerberos 5 in the base system]
Path Revision
Branch
- -------------------------------------------------------------------------
src/crypto/heimdal/appl/su/su.c
HEAD 1.1.1.4
RELENG_4 1.1.1.1.2.2
RELENG_4_4 1.1.1.1.2.1.4.1
RELENG_4_3 1.1.1.1.2.1.2.1
- -------------------------------------------------------------------------
[Heimdal port]
Path Revision
- -------------------------------------------------------------------------
ports/security/heimdal/Makefile 1.46
ports/security/heimdal/patch-appl::su::su.c 1.1
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)
iQCVAwUBPXzS0lUuHi5z0oilAQEpXQP9G3KRTXz9IBC+S+VwKwIx6lqZ0omDL8Ec
8AqhmzGyTxGikBdWL3qSZH3Ab51R9QCAd8JnN08HqrAqduzIzzG7zrmWn7r643zO
CZQH/w/1n9bwvt4nSqG8h3xwwEKKxtSKJC1/gJSPEafvVyXumOPlrcpdDktwUBHE
UaE0lGT+43U=
=v8Mv
-----END PGP SIGNATURE-----
Reference in a new issue View git blame Copy permalink