*** POSSIBLE SECURITY HOLE ***

Post by Steve Che » Fri, 01 Sep 1995 04:00:00



Our system recently upgraded to DRS/NX version 7.4.4 (which is equivalent
to Unix SVR4 or later, I think), and I have since noticed a subtle change
in the way permissions work.  The change, in my view, is undesirable and
could possibly be a security hole.

Previously, a process started by root which later does a setuid() and
setgid() (eg to uid=steve, gid=prog) loses access to root's supplementary
groups (sys, bin, adm, ...).

Now, however, such a process *retains* access to root's supplementary
groups.  Thus the process can now write into (and remove files from) what
should be secure directories.

Does anyone have any info on this?  Is it a bug or a "feature"?

--
______________________________________________________________________________

Fujitsu NZ Ltd, Auckland, New Zealand                      FAX: +64.9.3564851


*** POSSIBLE SECURITY HOLE ***

Post by Casper H.S. Dik - Network Security Engine » Sat, 02 Sep 1995 04:00:00



>Our system recently upgraded to DRS/NX version 7.4.4 (which is equivalent
>to Unix SVR4 or later, I think), and I have since noticed a subtle change
>in the way permissions work.  The change, in my view, is undesirable and
>could possibly be a security hole.
>Previously, a process started by root which later does a setuid() and
>setgid() (eg to uid=steve, gid=prog) loses access to root's supplementary
>groups (sys, bin, adm, ...).

I wish to see your "previous" system.  SVR3 and earlier systems didn't
have supplementary groups.  BSD and SVR4 systems do have supplementary
groups. Those don't go away on a simple setgid.

On Solaris 2.x "setgroups(0, NULL)" works when executed as root.
On other systems you may need to do something like:

        /* clear root's supplementary groups first, while still root */
        setgroups(1,&pwd->pw_gid); /* sometimes setgroups(0,0) works */
        setgid(pwd->pw_gid);       /* primary group next ... */
        setuid(pwd->pw_uid);       /* ... and give up root last */

Casper
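
The sequence Casper sketches, carried through as an added example (this is not code from either post): supplementary groups are dropped first, while the process still has the privilege to call setgroups(), then the primary group, then the uid, and the result is audited with getgroups() so a leak like the one Steve describes is caught rather than assumed away. It assumes a POSIX/SVR4-style system with setgroups() and getpwnam(); the user name argument and the leaked_groups/audit_groups helper names are my own.

```c
/*
 * Added example, not from the thread: drop root to a target uid/gid in the
 * safe order and then verify that no supplementary group survived.
 * Assumes a system with setgroups()/getgroups() (Linux, BSD, Solaris).
 * Build: cc -o dropgroups dropgroups.c    Run as root: ./dropgroups steve
 */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Count entries of groups[0..n) that are not the target gid.
 * Any such entry is a privilege the dropped process should not have. */
static int leaked_groups(const gid_t *groups, int n, gid_t target)
{
    int leaked = 0;
    for (int i = 0; i < n; i++)
        if (groups[i] != target)
            leaked++;
    return leaked;
}

/* Fetch the calling process's supplementary groups and count leaks.
 * Returns the number of leaked groups, or -1 on error. */
static int audit_groups(gid_t target)
{
    int n = getgroups(0, NULL);          /* size query */
    if (n < 0)
        return -1;
    gid_t *got = calloc((size_t)n + 1, sizeof *got);
    if (got == NULL)
        return -1;
    n = getgroups(n, got);
    int leaked = (n < 0) ? -1 : leaked_groups(got, n, target);
    free(got);
    return leaked;
}

/* Drop to uid/gid. Returns 0 on success, -1 with errno set on failure.
 * Order matters: setgroups() needs root, so once setuid() has run it
 * fails with EPERM and root's supplementary groups stay attached. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) == -1)        /* 1. supplementary groups */
        return -1;
    if (setgid(gid) == -1)               /* 2. primary group */
        return -1;
    if (setuid(uid) == -1)               /* 3. uid, last */
        return -1;
    /* A real drop is irreversible: regaining root must now fail. */
    if (uid != 0 && setuid(0) != -1) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s user\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", argv[1]);
        return 2;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) == -1) {
        perror("drop_privileges");
        return 1;
    }
    int leaked = audit_groups(pw->pw_gid);
    printf("now uid=%d gid=%d, leaked supplementary groups: %d\n",
           (int)geteuid(), (int)getegid(), leaked);
    return leaked == 0 ? 0 : 1;
}
```

On the system Steve describes, the same program with the setgroups() call removed would still report uid=steve but a non-zero leak count, which is exactly the condition to test for after any upgrade that touches the credential code.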


1. List of unneeded programs - possible security holes

I am in the process of making a script used on all new installs that
wipes from the server all programs that are un-needed and possible
security holes.

The servers are used 100% in a webhosting environment so all programs
unrelated to webserving, FTP, SSH, and sendmail are to be eliminated.
cc and gcc are by default removed on all machines and the entire
/usr/src is wiped after kernel builds.  The machines are not kept
current using CVS, and all future upgrades to major components are
updated via SSH scripts.

Examples being:
/usr/libexec/telnetd
/usr/bin/keyinit  (and eliminated the option of skey from pam.conf) -
/usr/lib/pam_radius.so
/usr/lib/pam_skey.so
/usr/sbin/setkey
/usr/sbin/ppp
/usr/sbin/pppd
/usr/sbin/sliplogin
/usr/sbin/lpd
/usr/sbin/apmd
/usr/sbin/isdn*
/usr/sbin/rpc*
etc
etc

Does anyone know of the existence of a similar script or list of files?

If not, if you look at this post and want to contribute some files that
have caused you issues in the past, by all means include them.
