
List:       listar-dev
Subject:    [EDev] Re: Fwd: [funkysh@isec.pl: Ecartis/Listar multiple
From:       Trish Lynch <trish () bsdunix ! net>
Date:       2002-03-22 2:41:27



This is why I also maintain that this was not a problem on FreeBSD. An
smmsp exploit is really not my concern either, or something executed by
the postfix user.

Also, #1 was fixed, as is issue #3 mostly fixed... I need to commit
several more files that have been fixed as well, and then start to move on
to modules.

If anyone wants to help, I'm still open to it, send patches please, not
full files.

-Trish


On Wed, 20 Mar 2002, John Goerzen wrote:

>
> On Wednesday, March 20, 2002, at 02:45  AM, Peter Losher wrote:
>
> > This has already been discussed when the original message was posted on
> > BUGTRAQ:
> >
> > http://marc.theaimsgroup.com/?t=101590280200002&r=1&w=2
>
> Thanks for the link, Peter.  Actually, it addresses only problem #3,
> which I figured was probably a non-issue anyway.  What I was more
> interested in was the privilege dropping.  Just to quote:
>
> >>> (called with UID=root)
> >>> getuid()                          = root
> >>> geteuid()                         = ecartis
> >>> getegid()                         = ecartis
> >>> setuid(ecartis)                   = root
> >>> setgid(ecartis)                   = root
>
> I was contacted yesterday by Wichert, a Debian security person,
> concerned that the fix I had prepared for our Listar and Ecartis
> packages was incomplete.  (I had not seen the bugtraq advisory prior to
> that, only the Ecartis notice)  I concluded that *for Debian*, this was
> not a problem.  Here's why:
>
> What the bugtraq poster demonstrates above is exactly how setuid
> binaries on Unix are supposed to work.  He's complaining that Ecartis
> works like it normally would.  Since you're supposed to be able to flip
> between real and effective UIDs, this makes sense.
>
> If an exploit were to be developed for Ecartis, the exploit could
> conceivably run setuid(0) before doing its nasty thing.
>
> But only if Ecartis were called as root.  On Debian, MTAs invoke outside
> programs as "nobody" or some other non-root user.  Therefore, there is
> no possibility of a root exploit on Debian, and Wichert and I agreed
> that no immediate action was necessary.  A "nobody" exploit is of no
> concern to us :-)
>
> Nonetheless, it would be nice to permanently renounce the caller's
> privileges:
>
> if (getuid() != geteuid()) {
>     setreuid(geteuid(), geteuid());
> }
>
>

--
Trish Lynch					trish@bsdunix.net
FreeBSD						The Power to Serve
Ecartis Core Team				trish@listmistress.org
                   http://www.freebsd.org
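
The permanent drop suggested at the end of the quoted message, written out as an added example (not code from this thread or from Ecartis): it handles the group ID as well, then checks that the caller's IDs can no longer be restored. The function names and the unprivileged ID 65534 are constructed for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Make real, effective and saved IDs all equal to the current effective
 * IDs, then prove the caller's IDs cannot be taken back.
 * Returns 0 on success, -1 on any failure. */
int renounce_caller_ids(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    /* Group first. On Linux, setting the real ID also resets the saved ID. */
    if (setregid(egid, egid) != 0) return -1;
    if (setreuid(euid, euid) != 0) return -1;

    /* Each of these must now fail; success means the drop was reversible. */
    if (ruid != euid && (setuid(ruid) == 0 || seteuid(ruid) == 0)) return -1;
    if (rgid != egid && (setgid(rgid) == 0 || setegid(rgid) == 0)) return -1;

    if (getuid() != euid || geteuid() != euid) return -1;
    if (getgid() != egid || getegid() != egid) return -1;
    return 0;
}

/* Constructed demo: a child recreates the quoted state (real UID root,
 * effective UID unprivileged) and drops. Returns 0 if the drop held,
 * 1 if it did not, 2 if that state could not be set up (e.g. not root). */
int demo_as_setuid_child(uid_t unpriv)
{
    if (getuid() != 0 || geteuid() != 0) return 2;
    pid_t pid = fork();
    if (pid < 0) return 2;
    if (pid == 0) {
        if (setegid((gid_t)unpriv) != 0 || seteuid(unpriv) != 0) _exit(2);
        _exit(renounce_caller_ids() == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return 2;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("demo result: %d\n", demo_as_setuid_child(65534));
    return 0;
}
```

These calls leave the caller's supplementary groups in place; clearing them takes setgroups(), which requires privilege.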


