diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-01:59.rmuser.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-SA-01:59.rmuser.asc | 131 |
1 files changed, 131 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-SA-01:59.rmuser.asc b/share/security/advisories/FreeBSD-SA-01:59.rmuser.asc new file mode 100644 index 0000000000..7ba66f613b --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-01:59.rmuser.asc @@ -0,0 +1,131 @@ +-----BEGIN PGP SIGNED MESSAGE----- + +============================================================================= +FreeBSD-SA-01:59 Security Advisory + FreeBSD, Inc. + +Topic: rmuser contains a race condition exposing /etc/master.passwd + +Category: core +Module: rmuser +Announced: 2001-09-04 +Credits: dynamo@harvard.net +Affects: FreeBSD 4.2-RELEASE, 4.3-RELEASE + FreeBSD 4.3-STABLE prior to the correction date. +Corrected: 2001-07-28 12:10:15 UTC (4.3-STABLE) + 2001-09-04 07:46:57 UTC (RELENG_4_3) +FreeBSD only: Yes + +I. Background + +rmuser is a perl script used to completely remove users from a system. + +II. Problem Description + +When removing a user from the system with the rmuser utility, the +/etc/master.passwd file and it's corresponding database /etc/spwd.db +must be updated. The rmuser script was incorrectly doing this by +creating a new master.passwd file with an unsafe umask and then using +chmod to set its permissions to 0600. Between the time that the file +was created and the time that its permissions were changed the file is +world-readable. + +This is only a minor security vulnerability since the rmuser command +is only used infrequently on most systems, and the attack is highly +timing-dependent. + +All versions of FreeBSD prior to the correction date including FreeBSD +4.3 contain this problem. The base system that will ship with FreeBSD +4.4 does not contain this problem since it was corrected prior to the +release. + +III. Impact + +For a brief amount of time while running rmuser, a world-readable copy +of /etc/master.passwd is available. A local attacker who reads this +file can extract password hashes from the copy of /etc/master.passwd. +This information could be used by attackers to escalate their +privileges, possibly yielding root privileges on the local system, by +mounting an offline dictionary attack in order to guess the plaintext +passwords of the accounts on the local system. + +IV. Workaround + +Use the pw(8) utility to remove users instead of rmuser. + + - "pw userdel <username>" will only remove the user from + /etc/passwd, /etc/master.passwd and /etc/group + - "pw -r userdel <username>" will also remove the user's home + dirrectory + +V. Solution + +1) Upgrade your vulnerable system to 4.3-STABLE or the RELENG_4_3 +security branch, dated after the respective correction dates. + +2) To patch your present system: download the relevant patch from the +below location, and execute the following commands as root: + +# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:59/rmuser.patch +# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:59/rmuser.patch.asc + +Verify the detached PGP signature using your PGP utility. + +This patch has been verified to apply to FreeBSD 4.2-RELEASE and +4.3-RELEASE. It may or may not apply to older, unsupported releases +of FreeBSD. + +# cd /usr/src/usr.sbin/adduser +# patch -p < /path/to/patch +# make depend && make all install + +3) FreeBSD 4.3-RELEASE systems: + +An experimental upgrade package is available for users who wish to +provide testing and feedback on the binary upgrade process. This +package may be installed on FreeBSD 4.3-RELEASE systems only, and is +intended for use on systems for which source patching is not practical +or convenient. + +If you use the upgrade package, feedback (positive or negative) to +security-officer@FreeBSD.org is requested so we can improve the +process for future advisories. + +During the installation procedure, backup copies are made of the files +which are replaced by the package. These backup copies will be +reinstalled if the package is removed, reverting the system to a +pre-patched state. + +# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:59/security-patch-rmuser-01.59.tgz +# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:59/security-patch-rmuser-01.59.tgz.asc + +Verify the detached PGP signature using your PGP utility. + +# pkg_add security-patch-rmuser-01.59.tgz + +VI. CVS Revisions + +The following $FreeBSD$ CVS revision contain the fixes for this +vulnerability. The $FreeBSD$ revision of installed sources can be +examined using the ident(1) command. These revision IDs are not +updated by applying the patch referenced above. + +[FreeBSD 4.3-STABLE] + + Revision Path + 1.8.2.5 src/usr.sbin/rmuser.perl + +[RELENG_4_3] + + Revision Path + 1.8.2.2.2.1 src/usr.sbin/rmuser.perl +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.0.6 (FreeBSD) +Comment: For info see http://www.gnupg.org + +iQCVAwUBO5SH1lUuHi5z0oilAQEWLAQAniPWZpgjNvhoT6ECltW4G9lKlsswDur9 +WMKkX2KEvZ9pswx3rqkn1IC+kBTfgdwwhU/54dyx1HKb2XJH5QdGpW/H/niTox4z +ImJjctZNvnEuB52si1+Ivx3avwgw57YjAsJgLcv+CYYW+iizX1zVFBjdce6PDQgI +pb50qM0sJYA= +=hxQ5 +-----END PGP SIGNATURE----- |