Re: ~/.login_conf mechanism is flawed


Are there any other tricks / work around people have implemented ? MACs ?

---Mike


At 11:25 AM 8/10/2010, Janne Snabb wrote:
On Tue, 10 Aug 2010, Janne Snabb wrote:

> Looks like the per-user login capability database (~/.login_conf,
> ~/.login_conf.db) functionality is creating a vulnerability.

Attached is a temporary workaround for anyone who is worried about
this problem. It disables per-user login capability databases
completely. Only the system wide /etc/login.conf is used. Do not
apply the patch if you need per-user login capabilities.

This should work on 8.1-RELEASE, most likely on some other releases
as well. I did not find any references to the evil ~/.login_conf{,.db}
anywhere else in the source except in lib/libutil/login_cap.c.

1. Save the attached login_cap.c.diff in /tmp

2. cd /usr/src/lib/libutil

3. patch < /tmp/login_cap.c.diff

4. make

5. make install

6. re-start any affected daemons:
/etc/rc.d/sshd restart
/etc/rc.d/ftpd restart

The relevant files are /lib/libutil.* and /usr/lib/libutil.* if you
build on one machine and distribute binaries to others. Re-start
the relevant daemons at each machine after updating the libutil
libraries.

--
Janne Snabb / EPIPE Communications
snabb@xxxxxxxxx - http://epipe.com/

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@xxxxxxxxxx
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"