[KLUG Members] This is a bad one
Adam Tauno Williams
members@kalamazoolinux.org
Fri, 19 Oct 2001 12:18:19 -0400 (EDT)
>>"According to this mail from Rafal Wojtczuk and a German article
>>on Heise Online, there's a new severe bug in all Linux Kernels,
>>from 2.2.0 up to 2.4.10, which allows users to become root on your
>>system. Kernel 2.4.12 fixes this problem..."
>It's also fixed in Redhat's newly released patched version of 2.4.9.
>If you're running Redhat, you can download the RPMs from Redhat, or
>buy a new BSware from me next week. There is a bunch of other big
>updates too, like a new glibc. Feel free to pre-order now! :-)
I realize there may be more exotic ways to exploit this bug... but a
world-executable set-uid-0 binary? Well, Duh!!!!!!!!!!!!! That is
about as stupid an idea as I have ever seen. I mean at least restrict
execution to a group of "trusted users".
Of course one could always install Kerberos and kiss all that setuid
nonsense goodbye. Good riddance to a bad idea. setuid is proof that
even the designers of UNIX partook of one-to-many on occasion.
<RANT>It is one of my beefs with RedHat and other distributions, that while
they have been kind enough to bundle in things like Kerberos and LDAP (for which
I am eternally grateful) they still plop crap like newgrp, chfn, chsh, chage and
others in an all encompassing util-linux package. First, no one uses these
commands. Second, every last one of them is a security problem waiting to
happen. Third, in a network with a "legitimate" security mechanism they either
don't work or just flat out don't make any sense. (Chage trying to change a
password's age: "Dumby Dumby dumb, hey... wait a minute..... there is no
/etc/shadow,... OMG! You're not in /etc/passwd!!! Ahhhhhhhhhhhhh... run for the
hills!"). How does an LDAP directory store when the password was last
changed? utime_t, GMT UTF-8 string, local time ASCII string, etc... ? chage
(and its friends) don't have a clue, don't really have any way of finding out
(unless the NSS module supports such a thing), and simply won't work even if
they did because (unless you're insane) users can't modify their objects via an
anonymous connection, and chage can't prompt for tokens (last I checked).
Linux is about 90% recovered from its /etc/passwd addiction, but I think that
last 10% is going to take a while. With the demise of /etc/passwd, /etc/group,
etc.... will come the end for almost every "decent" reason to setuid
something.</RANT>
Systems and Network Administrator
Morrison Industries
1825 Monroe Ave NW
Grand Rapids, MI. 49505
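The post's point about world-executable setuid-root binaries versus binaries restricted to a "trusted users" group, as an added shell example that is not part of the original message. It assumes GNU or BusyBox find (numeric uid accepted by -user) and runs its demo on a constructed temporary tree owned by the current user, so it needs no root and touches no real system binaries.

```shell
#!/bin/sh
# Added example, not from the original post.

# Find regular files under directory $1, owned by uid $2 (default 0 = root),
# with both the setuid bit and the world-execute bit set. "-perm -4001"
# matches files that have at least those two bits. One path per line.
find_world_exec_suid() {
    find "$1" -xdev -type f -user "${2:-0}" -perm -4001 2>/dev/null
}

# Limit execution of setuid binary $1 to members of group $2: mode 4750 keeps
# the setuid bit, keeps group execute, and removes every permission for "other",
# which is the "restrict execution to a trusted group" idea from the post.
restrict_to_group() {
    chgrp "$2" "$1" && chmod 4750 "$1"
}

# Demo on a constructed temporary tree. Prints the number of offending files
# before and after the fix; exit status is 0 when the fix cleared them all.
demo() {
    tmp=$(mktemp -d) || return 1
    me=$(id -u)                       # audit files owned by us instead of root
    grp=$(id -gn)                     # caller's primary group stands in for "trusted"
    touch "$tmp/bad" "$tmp/ok"
    chmod 4755 "$tmp/bad"             # constructed: world-executable setuid
    chmod 4750 "$tmp/ok"              # constructed: already group-restricted
    before=$(find_world_exec_suid "$tmp" "$me" | wc -l | tr -d ' ')
    # Paths from mktemp contain no whitespace, so plain word splitting is safe here.
    for f in $(find_world_exec_suid "$tmp" "$me"); do
        restrict_to_group "$f" "$grp"
    done
    after=$(find_world_exec_suid "$tmp" "$me" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "before=$before after=$after"
    [ "$after" -eq 0 ]
}
```

Run `find_world_exec_suid /` as root to audit a real system; review each hit before changing its mode, since some setuid tools are meant to be usable by every local user.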