Debian Bug report logs - #6006
security problem: dpkg & install don't ck link cnt of setuid binaries

Package: dpkg; Maintainer for dpkg is Dpkg Developers <debian-dpkg@lists.debian.org>; Source for dpkg is src:dpkg (PTS, buildd, popcon).

Reported by: cjf@nothinbut.net

Date: Mon, 16 Dec 1996 08:48:05 UTC

Severity: fixed

Done: Anthony Towns <ajt@master.debian.org>

Bug is archived. No further changes may be made.

Forwarded to ian@davenant.greenend.org.uk



Report forwarded to debian-bugs-dist@lists.debian.org, Ian Jackson <ian@chiark.greenend.org.uk>, Erick Branderhorst <branderh@debian.org>:
Bug#6006; Package dpkg,fileutils. (full text, mbox, link).


Acknowledgement sent to cjf@nothinbut.net:
New bug report received and forwarded. Copy sent to Ian Jackson <ian@chiark.greenend.org.uk>, Erick Branderhorst <branderh@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: cjf@nothinbut.net
To: submit@bugs.debian.org
Subject: security problem: dpkg & install don't ck link cnt of setuid binaries
Date: Mon, 16 Dec 1996 03:46:35 -0500 (EST)
Package: dpkg,fileutils
Version: all

These security points apply to /usr/bin/install from fileutils as well as dpkg.

I raised this security problem on linux-kernel.  If dpkg is about
to replace a setuid binary it should check that the link count == 1.
Otherwise it should warn the sysadmin about possible security violations
and perhaps even recommend a course of action (like how to find the files
linked against the file we were about to upgrade).  Here is some of the
discussion for those not following linux-kernel:

   Date: Fri, 13 Dec 1996 14:27:50 -0500 (EST)
   From: Dan Merillat <Dan@Merillat.org>

   I understand quite clearly that making a link to a file does not affect
   either the data or the inode (aside from the link count.)  However, link()
   has the rather unexpected side effect of allowing someone who is NOT the
   owner of a file to have the ability to prolong the lifespan of a file
   indefinitely.   And that is a modification, and should be restricted to
   those with write access to the file, if not the owner.  

I wrote:
Hmm, I just realized a security implication of this that I haven't
seen mentioned.  Suppose one of my users does the following (assuming
/tmp and /usr are on the same partition):
$ cd /tmp ; mkdir cjf ; cd cjf
$ ln /usr/sbin/sendmail file
$ ls -li file /usr/sbin/sendmail
  49049 -rwsr-xr-x   2 root     root       239024 Nov 17 22:53 /usr/sbin/sendmail
  49049 -rwsr-xr-x   2 root     root       239024 Nov 17 22:53 file

Now my user waits for the next sendmail bug to become widely known.  Usually
he can't exploit these because I upgrade sendmail before anyone has time
to test the exploit code. So
# install -o root -g root -m 4755 /whereever/sendmail-secure /usr/sbin/sendmail
But
$ ls -li file /usr/sbin/sendmail
  49050 -rwsr-xr-x   1 root     root       239024 Nov 17 22:53 /usr/sbin/sendmail
  49049 -rwsr-xr-x   1 root     root       239024 Nov 17 22:53 file
is unexpected!

[...]
 o I should run ls -i on all setuid binaries periodically (especially
   /before/ upgrading).  (Perhaps?)
 o I need to really pay attention to the output of my script that reports
   all setuid files on the system looking for any setuid files that I
   didn't put there (especially ones outside /bin and /usr).  Debian
   users should look at /var/log/setuid.today.  Anyone know where Red
   Hat stores this information?

Keith Rohrer responded to my final point:
> >  o Maybe there /is/ a security issue here that should be fixed?  Or is
> >    it just another gotcha that careful admins avoid by diligently
> >    examining my previous point?
> Actually, there is.  install, or scripts which use it to install suid
> binaries, should (according to the hole you just found) zero out the old
> file and/or warn about extra hard links before installing the new copy.
> In the general case it doesn't matter (though it should warn about extra
> links to the old version anyway), and in some cases there are hard links
> to not zero out (e.g. emacs used to install as emacs and emacs-version.number
> with hard links, so doing this would ruin the old "backup" binary).

I think Keith is right.  Installation programs such as dpkg should
test the link count of at least setuid binaries and report to the
admin if the link count is != 1.  Since Debian doesn't use hard
links for anything (is that right?), any link count would be
extremely suspicious.

NOTE: since dpkg will have to stat() each file before unlink() of
any files in order to get umode_t and nlink_t information, I hereby
publicly change sides and agree that the setuid management discussed
on debian-devel recently should be done in dpkg and not by scripts like
Suidmanager.  Sorry Christoph -- I was about to come out and support you
on this issue.  But it seems dpkg needs to do a lot of checking before
overwriting files, it might as well handle the setuid policy itself.

-- 
Christopher J. Fearnley            |    Nothin But Net System Engineering
cjf@nothinbut.net, cjf@netaxs.com  |    UNIX SIG Leader at PACS
http://www.netaxs.com/~cjf         |    (Philadelphia Area Computer Society)
ftp://ftp.netaxs.com/people/cjf    |    Design Science Revolutionary
"Dare to be Naive" -- Bucky Fuller |    Explorer in Universe


Information forwarded to debian-bugs-dist@lists.debian.org, Erick Branderhorst <branderh@debian.org>:
Bug#6006; Package dpkg,fileutils. (full text, mbox, link).


Acknowledgement sent to Ian Jackson <ian@chiark.greenend.org.uk>:
Extra info received and forwarded to list. Copy sent to Erick Branderhorst <branderh@debian.org>. (full text, mbox, link).


Message #10 received at 6006@bugs.debian.org (full text, mbox, reply):

From: Ian Jackson <ian@chiark.greenend.org.uk>
To: 6006@bugs.debian.org
Subject: Bug#6006: security problem: dpkg & install don't ck link cnt of setuid binaries
Date: Mon, 16 Dec 96 16:44 GMT
Christopher Fearnley writes:
> I think Keith is right.  Installation programs such as dpkg should
> test the link count of at least setuid binaries and report to the
> admin if the link count is != 1.  Since Debian doesn't use hard
> links for anything (is that right?), any link count would be
> extremely suspicious.

We do use hard links, and it is quite conceivable that a setuid binary
might be hardlinked in a package.  I don't think we ought to forbid
this.

Also, sysadmins might hardlink to a file in order to stop dpkg
deleting it, so that they could keep a copy themselves.  I know I've
done this ...

Luckily there is an easier solution: have dpkg chmod 600 every file
that it's about to remove just before it removes it.  If the file has
been hardlinked by something other than dpkg then this will simply
cause it not to be a problem any more (after all, no one but the owner
can access it at all), and if it has been hardlinked by dpkg it is
about to disappear anyway.

Comments ?

Ian.


Information forwarded to debian-bugs-dist@lists.debian.org, Ian Jackson <ian@chiark.greenend.org.uk>, Galen Hazelwood <galenh@micron.net>:
Bug#6006; Package dpkg,fileutils. (full text, mbox, link).


Acknowledgement sent to Chris Fearnley <cjf@netaxs.com>:
Extra info received and forwarded to list. Copy sent to Ian Jackson <ian@chiark.greenend.org.uk>, Galen Hazelwood <galenh@micron.net>. (full text, mbox, link).


Message #15 received at 6006@bugs.debian.org (full text, mbox, reply):

From: Chris Fearnley <cjf@netaxs.com>
To: ian@chiark.greenend.org.uk
Cc: 6006@bugs.debian.org
Subject: Re: Bug#6006: security problem: dpkg & install don't ck link cnt of setuid binaries
Date: Tue, 17 Dec 1996 17:16:21 -0500 (EST)
Ian Jackson wrote:
>
>Luckily there is an easier solution: have dpkg chmod 600 every file
>that it's about to remove just before it removes it.  If the file has
>been hardlinked by something other than dpkg then this will simply
>cause it not to be a problem any more (after all, noone but the owner
>can access it at all), and if it has been hardlinked by dpkg it is
>about to disappear anyway.
>
>Comments ?

Alex Yuriev and someone on linux-kernel have an even better solution.
Truncate the file before overwriting.  This will even reclaim disk
space if anyone has hard links to the file.

-- 
Christopher J. Fearnley            |    Linux/Internet Consulting
cjf@netaxs.com, cjf@onit.net       |    UNIX SIG Leader at PACS
http://www.netaxs.com/~cjf         |    (Philadelphia Area Computer Society)
ftp://ftp.netaxs.com/people/cjf    |    Design Science Revolutionary
"Dare to be Naive" -- Bucky Fuller |    Explorer in Universe


Information forwarded to debian-bugs-dist@lists.debian.org, Ian Jackson <ian@chiark.greenend.org.uk>, Galen Hazelwood <galenh@micron.net>:
Bug#6006; Package dpkg,fileutils. (full text, mbox, link).


Acknowledgement sent to Buddha M Buck <bmbuck@ACSU.Buffalo.EDU>:
Extra info received and forwarded to list. Copy sent to Ian Jackson <ian@chiark.greenend.org.uk>, Galen Hazelwood <galenh@micron.net>. (full text, mbox, link).


Message #20 received at 6006@bugs.debian.org (full text, mbox, reply):

From: Buddha M Buck <bmbuck@ACSU.Buffalo.EDU>
To: cjf@netaxs.com
Cc: ian@chiark.greenend.org.uk, 6006@bugs.debian.org
Subject: Re: Bug#6006: security problem: dpkg & install don't ck link cnt of setuid binaries
Date: Wed, 18 Dec 1996 10:36:57 -0500 (EST)
> 
> Ian Jackson wrote:
> >
> >Luckily there is an easier solution: have dpkg chmod 600 every file
> >that it's about to remove just before it removes it.  If the file has
> >been hardlinked by something other than dpkg then this will simply
> >cause it not to be a problem any more (after all, noone but the owner
> >can access it at all), and if it has been hardlinked by dpkg it is
> >about to disappear anyway.
> >
> >Comments ?
> 
> Alex Yuriev and someone on linux-kernel have an even better solution.
> Truncate the file before overwriting.  This will even reclaim disk
> space if anyone has hard links to the file.

Of course, if I -had- made a link to the file (say, because I have a
policy to keep older versions available while testing newer versions),
I'd be upset if my safe backup link suddenly was truncated.  Setting
permissions to 600 (or, better yet, to the current permissions bitwise
anded with 0700) would be good for that.

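The thread converges on three defensive measures: the periodic scan for setuid files with a link count other than 1 (the first message), a warning from the installer when the file it is about to replace has extra hard links, and neutering the old inode before replacing it (Ian's chmod 600, refined above to the current mode bitwise-anded with 0700). The following is an added example implementing all three; it is not dpkg's or fileutils' code, and the function names and the temp-directory re-enactment of the sendmail scenario are my own construction.

```python
import os, shutil, stat, tempfile

SETID = stat.S_ISUID | stat.S_ISGID

def find_linked_setid(root):
    """The periodic check from the report: setuid/setgid regular files whose
    link count is not 1, i.e. some other name keeps the same inode alive."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID and st.st_nlink > 1:
                hits.append(p)
    return hits

def safe_replace(new_path, target):
    """Install new_path over target: warn if the old inode has extra hard links,
    strip it to (mode & 0700) so a leftover link is no longer a usable setuid
    copy (Buddha Buck's variant), then rename the replacement into place."""
    warnings = []
    if os.path.lexists(target):
        st = os.lstat(target)
        if st.st_nlink > 1:
            kind = "setuid/setgid" if st.st_mode & SETID else "regular"
            warnings.append(f"{target}: {kind} file has {st.st_nlink} hard links")
        if not stat.S_ISLNK(st.st_mode):  # never chmod through a symlink
            os.chmod(target, stat.S_IMODE(st.st_mode) & 0o700)
    os.rename(new_path, target)  # atomic swap of the directory entry
    return warnings

def demo():
    """Constructed re-enactment of the sendmail scenario in a temp directory."""
    d = tempfile.mkdtemp()
    old, link, new = (os.path.join(d, n) for n in ("sendmail", "file", "sendmail.new"))
    with open(old, "wb") as f: f.write(b"old vulnerable binary")
    os.chmod(old, 0o4755)
    os.link(old, link)  # the user's extra hard link, as in the report
    with open(new, "wb") as f: f.write(b"fixed binary")
    os.chmod(new, 0o4755)
    r = {"before": sorted(os.path.basename(p) for p in find_linked_setid(d))}
    r["warnings"] = safe_replace(new, old)
    r["link_mode"] = stat.S_IMODE(os.stat(link).st_mode)  # 0o700: setuid gone
    r["target_nlink"] = os.stat(old).st_nlink  # 1: the replacement is a fresh inode
    r["same_inode"] = os.stat(old).st_ino == os.stat(link).st_ino  # False
    r["after"] = find_linked_setid(d)  # []: nothing left to flag
    shutil.rmtree(d)
    return r
```

The scan is the programmatic form of running `ls -i` over every setuid binary before an upgrade; on a real system you would point it at / and review any hit before letting the installer proceed.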



Information forwarded to Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>, Galen Hazelwood <galenh@micron.net>:
Bug#6006; Package dpkg,fileutils. (full text, mbox, link).


Acknowledgement sent to remco@blaakmeer.student.utwente.nl (Remco Blaakmeer):
Extra info received and forwarded to maintainer. Copy sent to Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>, Galen Hazelwood <galenh@micron.net>. (full text, mbox, link).


Message #25 received at 6006-maintonly@bugs.debian.org (full text, mbox, reply):

From: remco@blaakmeer.student.utwente.nl (Remco Blaakmeer)
To: 6006-maintonly@bugs.debian.org
Subject: Old bugs need to be looked at
Date: Sun, 1 Feb 1998 12:26:58 +0100 (CET)
This is an automated message sent to all bugs older than one year.

This bug is very old. Please take a look at it and see if you can fix it.
If it has already been fixed, please close it.

If you have problems fixing it or if you don't have the time to fix it,
please ask the people on debian-devel@lists.debian.org for help, so that
at least the oldest bugs can be solved before Debian 2.0 is released.

Remco Blaakmeer


Information forwarded to debian-bugs-dist@lists.debian.org, Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>, Galen Hazelwood <galenh@micron.net>:
Bug#6006; Package dpkg,fileutils. (full text, mbox, link).


Acknowledgement sent to up@uplinkpro.com:
Extra info received and forwarded to list. Copy sent to Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>, Galen Hazelwood <galenh@micron.net>. (full text, mbox, link).


Message #30 received at 6006@bugs.debian.org (full text, mbox, reply):

From: up@uplinkpro.com
To: 6006@bugs.debian.org
Subject: OK to send e-mail?
Date: Fri, 20 Mar 1998 19:19:30 -0500
OK to send an e-mail to 6006@bugs.debian.org? 


Information forwarded to debian-bugs-dist@lists.debian.org, Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>, Galen Hazelwood <galenh@micron.net>:
Bug#6006; Package dpkg,fileutils. (full text, mbox, link).


Acknowledgement sent to up@uplinkpro.com:
Extra info received and forwarded to list. Copy sent to Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>, Galen Hazelwood <galenh@micron.net>. (full text, mbox, link).


Message #35 received at 6006@bugs.debian.org (full text, mbox, reply):

From: up@uplinkpro.com
To: 6006@bugs.debian.org
Subject: Can't Find Your Web Site
Date: Thu, 26 Mar 1998 14:06:48 -0500
To: 6006@bugs.debian.org 

     Can't find your web site?
     Uplink will post your site to 50 search engines for $89. 
     We guarantee your satisfaction, or you pay nothing!

Millions of people every day use search engines to find web sites.
Uplink makes your site easier to find by posting it to the top 50 search engines.

Here's how it works:

1.  Fill out the form below, and return it to us.

2.  We'll post your site to the top 50 search engines within two business days and send 
you a full promotion report.

3.  Pay nothing now.  We'll send you a bill for $89 with the promotion report.  If you're 
not completely happy, simply write "cancel" on the bill, and you'll owe nothing.

THE SEARCH ENGINES

Here's the list of top search engines to which we'll post your site:

Alta Vista, Excite, Galaxy, HotBot, Infoseek, Lycos, Magellan, Open Text Web Index,
Web Crawler, BizWeb, New Riders WWW Yellow Pages, LinkMonster, True North, 
Northern Light, YelloWWWeb, The Weekly Bookmark, The Galactic Galaxy, TurnPike,
Unlock:The Information Exchange, Your WebScout, Manufacturers Information
Network, Net Happenings, Net Mall, Web World  Internet Directory, WebVenture
Hotlist, What's New, WhatUSeek, JumpLink, Linkcentre Directory, InfoSpace, Jayde
Online Directory, BC Internet, BizCardz Business Directory, Net-Announce, New Page
ListOne World Plaza, PageHost A-Z, PeekABoo, Project Cool, Scrub The Web, Seven
Wonders, Sserv, Starting Point, Web 100, Web Walker, Where2Go, World Wide Business
Yellow Pages, Wow! Web Wonders!, WWW Worm, JumpCity.

ORDER FORM

Hit the REPLY button on your e-mail program and fill out the following information.
 (This information will be posted to the search engines/indexes):

URL:  http://
Site Title: 
Description (250 characters): 

Key words (250 characters, in descending order of importance):

Your name: 
Company Name:
Address:
City:              State/Prov:     Zip/Postal Code: 
Telephone: 
Fax: 
Email address: 

Contact e-mail address (in case we have questions about this order): 

If  billing a different address, please complete the following:

Addressee: 
Company Name:
Address:
City:              State/Prov:     Zip/Postal Code: 
Telephone: 
Fax: 
Email address: 

TERMS

Terms are net 15 days from date of invoice.

______________________________________________________________________
Uplink, Inc.
39B Mill Plain Road
Danbury, CT 06811
Phone: (203) 791-7351
Fax:     (203) 790-6407
E-mail: up@uplinkpro.com


Severity set to `fixed'. Request was from Joel Klecker <jk@espy.org> to control@bugs.debian.org. (full text, mbox, link).


Noted your statement that bug has been forwarded to ian@davenant.greenend.org.uk. Request was from Ian Jackson <ian@davenant.greenend.org.uk> to control@bugs.debian.org. (full text, mbox, link).


Bug reassigned from package `dpkg,fileutils' to `dpkg-iwj'. Request was from Wichert Akkerman <wichert@cs.leidenuniv.nl> to control@bugs.debian.org. (full text, mbox, link).


Bug reassigned from package `dpkg-iwj' to `dpkg'. Request was from Anthony Towns <ajt@master.debian.org> to control@bugs.debian.org. (full text, mbox, link).


Bug closed, ack sent to submitter - they'd better know why ! Request was from Anthony Towns <ajt@master.debian.org> to control@bugs.debian.org. (full text, mbox, link).


Bug reassigned from package `dpkg' to `dpkg'. Request was from Anthony Towns <ajt@master.debian.org> to control@bugs.debian.org. (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 27 00:59:09 2024; Machine Name: buxtehude
