Subject: SECURITY PATCH FOR NETBSD 0.9 AND 0.9A
To: None <netbsd-help@NetBSD.ORG>
From: Brian Buhrow <buhrow@cats.ucsc.edu>
List: netbsd-help
Date: 03/26/1995 13:53:24
	Hello.  I realize that most people on this list  have upgraded their 
systems to Version 1.0.  I'm sure, however, that some of you, for whatever
reasons, are still running versions prior to 1.0.  If you are running a
production system with many users on it and that system is  version  0.9 or
0.9A, I'd like to alert you to the presence of a large security hole.  If
you have options KTRACE in your kernel configuration, then any user can
ktrace any program on the system, regardless of its setguid bits.  This
makes it particularly easy to get the contents of the shadow password file.
I'll let your imaginations dream of what else one might be able to get a
hold of.
	This bug has been fixed in NetBSD 1.0 and later.  If, however, you can't
upgrade right now, but would like the bug fixed, you may use the enclosed
patch to disallow tracing on setg/uid programs by users other than root.
Tracing on nonsetguid programs works fine.

Instructions for use.

1.  Patch your version of kern_exec.c using the enclosed context diff.
2.  Blow away your build directory for the kernel you want to rebuild.
3.  Config your kernel.
4.  cd /usr/src/sys/arch/<archname>/compile/<kernelname>
5.  Make depend
6.  Make.
7.  Install your kernel, making sure to save a copy of the old one.
8. Reboot.
9.  Test by running ktrace on passwd as yourself.

	This should be viewed as an interim patch to tide you over until 
such time as you can upgrade to 1.0 or later.  I will not be held liable
for any damage, loss of productivity, or failure to fix this bug on your
system.  However, I hope it will be of use if you are in the situation I
describe above.  Also, I have only tested this on the i386 architecture,
but have no reason to believe it wouldn't work on all platforms.

Please mail comments, suggestions, flames, etc. to:
buhrow@nfbcal.org
Without any further ado, here is the patch.
-Brian

*** kern_exec.c	Sun Mar 26 12:52:42 1995
--- kern_exec.c.old	Sun Mar 26 12:45:55 1995
***************
*** 29,35 ****
   * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
   * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   *
!  *	$Id: kern_exec.c,v 1.40 1995/03/26 20:52:21 buhrow Exp $
   */
  
  #include <sys/param.h>
--- 29,35 ----
   * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
   * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   *
!  *	$Id: kern_exec.c,v 1.39 1994/01/13 06:24:11 cgd Exp $
   */
  
  #include <sys/param.h>
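Review bot: the `$Id` keyword hunk at lines 29-35 is revision-control noise and will reject on any checkout whose header string does not match `$Id: kern_exec.c,v 1.39 1994/01/13 06:24:11 cgd Exp $` exactly; drop this hunk so the patch applies cleanly on a stock 0.9/0.9A tree, or tell readers to expect a reject here and ignore it. Note also which way the diff runs: the first file, `kern_exec.c` (Mar 26 12:52), is the patched copy and `kern_exec.c.old` is the original, so the `!` line shows the new Id replacing the old one, not the other way round.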
***************
*** 491,513 ****
  		wakeup((caddr_t) p->p_pptr);
  	}
  
- 
- 	/*Make sure that if we are using a setugid program, we turn off tracing
- 	*if the trace wasn't started by root.
- 	*/
- 
- #ifdef KTRACE
- 	if (((attr.va_mode & VSUID) != 0 &&
- 	    p->p_ucred->cr_uid != attr.va_uid)
- 	    || (attr.va_mode & VSGID) != 0 &&
- 	    p->p_ucred->cr_gid != attr.va_gid) {
- 		if (p->p_tracep && !(p->p_traceflag & KTRFAC_ROOT)) {
- 			vrele(p->p_tracep);
- 			p->p_tracep = NULL;
- 			p->p_traceflag = 0;
- 		}
- 	}
- #endif /*KTRACE*/
  	/* deal with set[ug]id MNT_NOEXEC and STRC have already been used
  	   to disable s[ug]id */
  	if (attr.va_mode & VSUID) {
--- 491,496 ----
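Review bot: the diff is generated in reverse (patched file as `***`, original as `---`), so applied as written against a 0.9 tree it would try to remove a KTRACE block that is not there and the hunk will reject; readers must apply it with `patch -R`, or the diff should be regenerated as `diff -c kern_exec.c.old kern_exec.c` so the `-` lines become `+` lines. On the check itself: the condition mixes `&&` and `||` without parentheses around the SGID half; it parses as intended because `&&` binds tighter, but writing it as `((... && ...) || (... && ...))` makes the intent explicit and avoids compiler warnings. The block also uses `p->p_tracep`, `p->p_traceflag` and `KTRFAC_ROOT` under `#ifdef KTRACE` without adding any include, so confirm `<sys/ktrace.h>` is already pulled in by this file on 0.9/0.9A; if it is not, the patched kernel will fail to compile rather than silently skip the check.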