aboutsummaryrefslogtreecommitdiff
path: root/share/security/advisories/FreeBSD-SA-01:59.rmuser.asc
diff options
context:
space:
mode:
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-01:59.rmuser.asc')
-rw-r--r--share/security/advisories/FreeBSD-SA-01:59.rmuser.asc131
1 files changed, 131 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-SA-01:59.rmuser.asc b/share/security/advisories/FreeBSD-SA-01:59.rmuser.asc
new file mode 100644
index 0000000000..7ba66f613b
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-01:59.rmuser.asc
@@ -0,0 +1,131 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+
+=============================================================================
+FreeBSD-SA-01:59 Security Advisory
+ FreeBSD, Inc.
+
+Topic: rmuser contains a race condition exposing /etc/master.passwd
+
+Category: core
+Module: rmuser
+Announced: 2001-09-04
+Credits: dynamo@harvard.net
+Affects: FreeBSD 4.2-RELEASE, 4.3-RELEASE
+ FreeBSD 4.3-STABLE prior to the correction date.
+Corrected: 2001-07-28 12:10:15 UTC (4.3-STABLE)
+ 2001-09-04 07:46:57 UTC (RELENG_4_3)
+FreeBSD only: Yes
+
+I. Background
+
+rmuser is a perl script used to completely remove users from a system.
+
+II. Problem Description
+
+When removing a user from the system with the rmuser utility, the
+/etc/master.passwd file and it's corresponding database /etc/spwd.db
+must be updated. The rmuser script was incorrectly doing this by
+creating a new master.passwd file with an unsafe umask and then using
+chmod to set its permissions to 0600. Between the time that the file
+was created and the time that its permissions were changed the file is
+world-readable.
+
+This is only a minor security vulnerability since the rmuser command
+is only used infrequently on most systems, and the attack is highly
+timing-dependent.
+
+All versions of FreeBSD prior to the correction date including FreeBSD
+4.3 contain this problem. The base system that will ship with FreeBSD
+4.4 does not contain this problem since it was corrected prior to the
+release.
+
+III. Impact
+
+For a brief amount of time while running rmuser, a world-readable copy
+of /etc/master.passwd is available. A local attacker who reads this
+file can extract password hashes from the copy of /etc/master.passwd.
+This information could be used by attackers to escalate their
+privileges, possibly yielding root privileges on the local system, by
+mounting an offline dictionary attack in order to guess the plaintext
+passwords of the accounts on the local system.
+
+IV. Workaround
+
+Use the pw(8) utility to remove users instead of rmuser.
+
+ - "pw userdel <username>" will only remove the user from
+ /etc/passwd, /etc/master.passwd and /etc/group
+ - "pw -r userdel <username>" will also remove the user's home
+ dirrectory
+
+V. Solution
+
+1) Upgrade your vulnerable system to 4.3-STABLE or the RELENG_4_3
+security branch, dated after the respective correction dates.
+
+2) To patch your present system: download the relevant patch from the
+below location, and execute the following commands as root:
+
+# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:59/rmuser.patch
+# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:59/rmuser.patch.asc
+
+Verify the detached PGP signature using your PGP utility.
+
+This patch has been verified to apply to FreeBSD 4.2-RELEASE and
+4.3-RELEASE. It may or may not apply to older, unsupported releases
+of FreeBSD.
+
+# cd /usr/src/usr.sbin/adduser
+# patch -p < /path/to/patch
+# make depend && make all install
+
+3) FreeBSD 4.3-RELEASE systems:
+
+An experimental upgrade package is available for users who wish to
+provide testing and feedback on the binary upgrade process. This
+package may be installed on FreeBSD 4.3-RELEASE systems only, and is
+intended for use on systems for which source patching is not practical
+or convenient.
+
+If you use the upgrade package, feedback (positive or negative) to
+security-officer@FreeBSD.org is requested so we can improve the
+process for future advisories.
+
+During the installation procedure, backup copies are made of the files
+which are replaced by the package. These backup copies will be
+reinstalled if the package is removed, reverting the system to a
+pre-patched state.
+
+# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:59/security-patch-rmuser-01.59.tgz
+# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:59/security-patch-rmuser-01.59.tgz.asc
+
+Verify the detached PGP signature using your PGP utility.
+
+# pkg_add security-patch-rmuser-01.59.tgz
+
+VI. CVS Revisions
+
+The following $FreeBSD$ CVS revision contain the fixes for this
+vulnerability. The $FreeBSD$ revision of installed sources can be
+examined using the ident(1) command. These revision IDs are not
+updated by applying the patch referenced above.
+
+[FreeBSD 4.3-STABLE]
+
+ Revision Path
+ 1.8.2.5 src/usr.sbin/rmuser.perl
+
+[RELENG_4_3]
+
+ Revision Path
+ 1.8.2.2.2.1 src/usr.sbin/rmuser.perl
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.0.6 (FreeBSD)
+Comment: For info see http://www.gnupg.org
+
+iQCVAwUBO5SH1lUuHi5z0oilAQEWLAQAniPWZpgjNvhoT6ECltW4G9lKlsswDur9
+WMKkX2KEvZ9pswx3rqkn1IC+kBTfgdwwhU/54dyx1HKb2XJH5QdGpW/H/niTox4z
+ImJjctZNvnEuB52si1+Ivx3avwgw57YjAsJgLcv+CYYW+iizX1zVFBjdce6PDQgI
+pb50qM0sJYA=
+=hxQ5
+-----END PGP SIGNATURE-----