From: tqbf@char-star.rdist.org (Thomas H. Ptacek)
Newsgroups: comp.unix.bsd.bsdi.misc,comp.unix.bsd.misc,comp.security.unix
Subject: Re: *BSD* Security WWW/Mailing List?
Date: 22 Apr 1997 18:09:30 GMT
Organization: EnterAct, L.L.C.
Lines: 64
Message-ID: <slrn5lpvmq.1hm.tqbf@char-star.rdist.org>
References: <3356E1CC.299E@softway.com.au> <335798C2.167EB0E7@freebsd.org> <DERAADT.97Apr18181055@zeus.pacifier.com> <slrn5li6bf.rjd.tqbf@char-star.rdist.org> <5jd1jt$m30@web.nmti.com> <slrn5ll06k.kd3.tqbf@char-star.rdist.org> <5jhur6$51u@innocence.interface-business.de>
Reply-To: tqbf@enteract.com
NNTP-Posting-Host: char-star.rdist.org
X-Newsreader: slrn (0.9.1.1 BETA UNIX)

22 Apr 1997 09:02:30 GMT j@ida.interface-business.de:
>You wrote about "operating system" first, and I seem to remember that
>some (early) SVR4 version had an at least as wide security hole in
>that they allowed for LD_LIBRARY_PATH even for set[ug]id binaries.

In 4.4BSD, this would be an ld.so problem, not a crt0 start() problem. FreeBSD maps ld.so into memory, duplicating, in effect, an execution of the program. LD_* variables are unused in the C runtime library in FreeBSD.

Perhaps early SVR4 revisions embed the entire dynamic linker in start(), in which case I am mistaken in my assertion and I apologize. I doubt that's the case, though, so I think my assertion (FreeBSD being the only operating system to have a published hole in crt0 start(), a claim which is unaffected by your statement regarding SVR4) is correct.

The hole occurred because of a FreeBSD enhancement for localization that wasn't programmed carefully, and effectively dragged an extremely messy library into privileged code.
There are other examples of FreeBSD enhancements seriously compromising security (how about the terminal type in /etc/ttys? I note that no announcement has ever been released about the effectiveness of securelevels on afflicted systems.)

>Btw., to be fair you should also notice that NetBSD simply didn't pay
>any attention to localization.

2 points for NetBSD. I don't think anyone who has been compromised because of localization bugs feels that the system was worth it. Then again, I don't think many of the people that were broken into know what localization is.

>OpenBSD started after FreeBSD 2.1, so
>they could already learn from our mistakes.

This is simply not the case. The crt0 bug was published after 2.2 was released. OpenBSD was never vulnerable to the hole; Mr. Assange's apocalyptic comment about the horrors of BSD locales probably provoked an audit of that code months before anyone thought to tie it to start().

>There's absolutely no
>reason for you to get malicious about us here. Unless you are God

I'm not being malicious; I'm being frank. People "affiliated" with FreeBSD have decided to state that OpenBSD has a negligible security advantage over FreeBSD - I find this ludicrous and misleading. I use and appreciate FreeBSD as a stable, fast server operating system. I do not, however, have any misconceptions that it's suitable for anything sensitive.

>(who is by definition unfailable), you also occasionally make
>mistakes. I simply dislike your attitude.

I apologize if my statements about FreeBSD have caused you to decide that I am claiming to be God. I am certainly not infallible, and I apologize if I have mistakenly asserted that I am. I do not quite understand your assessment of my "attitude" - although that's perhaps an issue not best pursued on comp.security.unix.

Thanks for your input.

-- 
---------------- Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com] ----------------
exit(main(kfp->kargc, argv, environ));
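The thread's underlying point is that loader (LD_*) and locale variables from an untrusted caller must never reach privileged code. The allow-list environment scrubber below is an added editorial example, not code from the post or from any BSD; the variable allow-list, the fixed PATH value and the sample environment are constructed assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: an allow-list scrubber a set-uid program would run
 * before any code that consults the locale or the run-time loader.  Only
 * the names in KEEP survive; LD_*, LANG, LC_* and everything else is
 * dropped, and PATH is replaced by a fixed value rather than inherited. */
static const char *const KEEP[] = { "HOME", "TERM", "USER", NULL };
static char SAFE_PATH[] = "PATH=/bin:/usr/bin";   /* assumed safe value */

/* True when entry is "NAME=..." with NAME exactly on the allow-list
 * (so PATH_LOCALE=... does not slip through on a prefix match). */
static int allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL) return 0;                       /* malformed: drop */
    size_t len = (size_t)(eq - entry);
    for (const char *const *k = KEEP; *k != NULL; k++)
        if (strlen(*k) == len && memcmp(entry, *k, len) == 0) return 1;
    return 0;
}

/* Copies allowed entries of the NULL-terminated array `in` into `out`
 * (capacity `cap`, terminator included), appends SAFE_PATH, and returns
 * the number of entries kept; returns 0 if `out` is too small. */
size_t scrub_env(char *const *in, char **out, size_t cap) {
    size_t n = 0;
    if (cap < 2) return 0;
    for (; *in != NULL; in++) {
        if (!allowed(*in)) continue;
        if (n + 2 >= cap) return 0;                 /* room for PATH + NULL */
        out[n++] = *in;
    }
    out[n++] = SAFE_PATH;
    out[n] = NULL;
    return n;
}

/* Demonstration on a constructed environment as a set-uid binary might
 * inherit it; the loader and locale entries are removed. */
int main(void) {
    char *env[] = { "HOME=/home/op", "LD_LIBRARY_PATH=/tmp", "LANG=C",
                    "TERM=vt100", "LC_ALL=C", "PATH=/tmp:/bin", NULL };
    char *clean[8];
    size_t n = scrub_env(env, clean, 8);
    for (size_t i = 0; i < n; i++) puts(clean[i]);
    return 0;
}
```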