Some thoughts about security in correct_password.c
Tito
farmatito at tiscali.it
Fri Dec 23 13:46:05 UTC 2005
Hi,
these are just some thoughts about a possible security enhancement in correct_password.c.
Maybe it could be a good idea to drop privileges in it if:
a) support for shadow passwords is not enabled
b) or just after the shadow password stuff is done.
Like this:
diff -uN libbb/correct_passwor_orig.c libbb/correct_password.c
--- libbb/correct_password_orig.c 2005-12-04 13:55:50.000000000 +0100
+++ libbb/correct_password.c 2005-12-23 14:33:33.000000000 +0100
@@ -52,6 +52,7 @@
#ifdef CONFIG_FEATURE_SHADOWPASSWDS
if (( strcmp ( pw-> pw_passwd, "x" ) == 0 ) || ( strcmp ( pw-> pw_passwd, "*" ) == 0 )) {
+ seteuid(0);
struct spwd *sp = getspnam ( pw-> pw_name );
if ( !sp )
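Review bot: the return value of the added `seteuid(0)` is not checked; if it fails (no saved uid of 0 because the process was not started as root, or a libc where an earlier seteuid() clobbered the saved uid), `getspnam()` just returns NULL and the caller sees a wrong-password result with no hint why. Suggest testing `seteuid(0) != 0` and reporting it explicitly. Also note that regaining root here only works if every earlier drop on the path was done with seteuid(), not setuid().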
@@ -62,7 +63,7 @@
else
#endif
correct = pw-> pw_passwd;
-
+ seteuid(pw->pw_uid);
if ( correct == 0 || correct[0] == '\0' )
return 1;
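Review bot: `seteuid(pw->pw_uid)` changes only the effective uid and leaves the saved uid at 0, so this is not a privilege drop in the sense of making root unreachable; it limits what a bug on this code path can do by accident, but anything that runs afterwards can call seteuid(0) again, and the "drop privileges" wording should say so. The return value is unchecked as well, and the `return 1` two lines below returns to the caller with the lowered euid, which is what forces the login.c change; consider documenting in the function comment that correct_password() now returns with euid == pw->pw_uid.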
-------------------------------------------------------------------------------------------------------------------------------
This libbb function is used only by su, login and vlock.
I've tested them all, but only with shadow passwords enabled, and they all seem to work
correctly.
The only minor change needed is in login.c to make the change_identity() call work:
diff -uN loginutils/login_orig.c loginutils/login.c
--- loginutils/login_orig.c 2005-12-04 13:58:13.000000000 +0100
+++ loginutils/login.c 2005-12-23 14:24:40.000000000 +0100
@@ -270,8 +270,9 @@
* (for example when the root fs is read only) */
chown ( full_tty, pw-> pw_uid, pw-> pw_gid );
chmod ( full_tty, 0600 );
-
+ seteuid(0);
change_identity ( pw );
+ seteuid(pw->pw_uid);
tmp = pw-> pw_shell;
if(!tmp || !*tmp)
tmp = DEFAULT_SHELL;
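Review bot: the `chown()`/`chmod()` in the context lines above run before the added `seteuid(0)`, i.e. with whatever euid correct_password() left behind; if that is pw->pw_uid, chown() of a root-owned tty fails and the error is already silently ignored (per the comment at the top of the hunk), so `seteuid(0)` should move above the `chown()`. The trailing `seteuid(pw->pw_uid)` is a no-op if change_identity() ends in setuid(pw->pw_uid), and if it does not, the saved uid is still 0 afterwards; either way both seteuid() calls need their return values checked.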
-----------------------------------------------------------------------------------------------------------------------------
I don't know if the possible enhancement in security is worth the effort,
so this is mostly a call for advice to more experienced programmers.
BTW, the man page for seteuid states:
NOTES
Setting the effective user (group) ID to the saved user (group) ID is
possible since Linux 1.1.37 (1.1.38). On an arbitrary system one
should check _POSIX_SAVED_IDS.
Under libc4, libc5 and glibc2.0 seteuid(euid) is equivalent to
setreuid(-1, euid) and hence may change the saved user ID. Under
glibc2.1 it is equivalent to setresuid(-1, euid,-1) and hence does not
change the saved user ID. Similar remarks hold for setegid.
CONFORMING TO
BSD 4.3
So there could be some problems with different versions of libc???
Ciao,
Tito
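An added example, not part of Tito's patch or of busybox, that turns the man page caveat quoted above into a runtime check: it switches the effective uid the way the patch does, confirms with getresuid() that the saved uid survived, and restores it. The function names and return codes are my own.

```c
#define _GNU_SOURCE          /* for getresuid() in glibc's unistd.h */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Declared explicitly so this builds even if unistd.h was parsed before
 * _GNU_SOURCE became visible; the signature is glibc's. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

/* 1 if the platform documents a saved set-user-ID (the _POSIX_SAVED_IDS
 * check the quoted man page recommends), 0 otherwise. */
int saved_ids_supported(void)
{
#ifdef _POSIX_SAVED_IDS
    return sysconf(_SC_SAVED_IDS) > 0;
#else
    return 0;
#endif
}

/* Temporarily switch the effective uid to target_uid, as the patch does
 * around getspnam(), then confirm the saved uid still holds the original
 * privilege so seteuid() can restore it.  Returns 0 on success, -1 when the
 * saved uid was clobbered (the libc4/libc5 behaviour from the man page) or
 * the restore failed, -2 on a system call error. */
int drop_and_regain(uid_t target_uid)
{
    uid_t r, e, s, s_before;

    if (getresuid(&r, &e, &s) != 0)
        return -2;
    s_before = s;
    if (seteuid(target_uid) != 0)
        return -2;
    if (getresuid(&r, &e, &s) != 0)
        return -2;
    if (s != s_before)          /* seteuid() behaved like setreuid(-1, euid) */
        return -1;
    if (seteuid(s_before) != 0) /* regain the privilege held before the drop */
        return -1;
    return geteuid() == s_before ? 0 : -1;
}

int main(void)
{
    printf("saved ids supported: %d\n", saved_ids_supported());
    printf("drop to own uid and regain: %d\n", drop_and_regain(getuid()));
    return 0;
}
```

Run as root it exercises the real root-to-user-and-back path; run as an ordinary user it still verifies that the saved uid is untouched by seteuid().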