Subject: Re: Question about HOSTALIASES changes
To: None <itojun@iijlab.net>
From: Kazushi (Jam) Marukawa <jam@pobox.com>
List: current-users
Date: 08/14/2000 01:46:13
Thank you for letting me know how this implementation was
chosen.  I was wondering why it was changed and who decided,
since this modification changes the behavior of NetBSD.  I
checked all messages in current-users but I couldn't find any
message.

On the other hand, for example, rshd already checks the
~/.rhosts file permission in lib/libc/net/rcmd.c.  It just
changes the effective uid while opening the .rhosts file.  This
implementation seems simple enough.  Does the following code have
a problem?  Probably it has, since I've just written this.
But is this idea wrong?

I received one personal mail that says checking permission
is not safe because of race conditions.  He said dropping the
permission is the only safe way to do so, and it is difficult
for a library since it is hard to find out where to drop it.
In this example, I just used getuid().  I'm not sure whether
this causes another security problem or not.

#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

static FILE *
open_hostaliases(void)
{
    FILE *fp;
    char *file;

    file = getenv("HOSTALIASES");
    if (file == NULL) {
        return (NULL);
    } else if (issetugid()) {
        /* set-id program: open as the real user, then restore */
        uid_t uid = geteuid();
        gid_t gid = getegid();
        struct passwd *pwd = getpwuid(getuid());
        if (pwd == NULL)
            return (NULL);
        (void)setegid(pwd->pw_gid);   /* gid first: still needs root euid */
        (void)seteuid(pwd->pw_uid);
        fp = fopen(file, "r");
        (void)seteuid(uid);           /* uid first: regain root, then gid */
        (void)setegid(gid);
        if (fp == NULL)
            return (NULL);
    } else if ((fp = fopen(file, "r")) == NULL) {
        return (NULL);
    }
    return (fp);
}

   On Aug 14, 14:46, itojun@iijlab.net wrote:
   > Subject: Re: Question about HOSTALIASES changes
   > 
   > >   > 	this is due to security reason.  suppose we set HOSTALIASES to
   > >   > 	something like /dev/foo, and invoke setuid'ed program.
   > >   > 	non-root user can let tape to rewind, at least.
   > >   > 	revision 1.27 was insecure.
   > >
   > >Yes.  I agree with you.  Therefore, I'm asking why don't you
   > >check a read permission of the file pointed by HOSTALIASES
   > >before open it like original comment said.  Is there any
   > >security problem with such implementation?
   > 
   > 	when the change was committed, there were some discussions
   > 	(I forgot where it was).  basically, HOSTALIASES would work with
   > 	setuid'ed program, if the following checks were made:
   > 	- check if uid of the file == real uid
   > 	- check if the permission is strict enough (like 0600)
   > 	- make sure that the file is not special file
   > 	the discussion concluded that those checks can cover very little
   > 	cases only, and could be too messy compared to the benefit it would
   > 	buy.  so 1.28 picked the simple (and probably more pedantic) way.

I'm not sure what "little cases" means.  I think it covers
all the demands, as .rhosts did.

By the way, I think the benefit is huge since we don't need
to change the behavior of NetBSD if we support this.  I'm
not sure how many people are using this feature.  However,
it is one feature which was implemented already.  I think
keeping consistency is a good reason for NetBSD guys, just as
we keep the original vi interface.

Regards,
-- Kazushi
Corruption is not the #1 priority of the Police Commissioner.  His job
is to enforce the law and fight crime.
		-- P.B.A. President E. J. Kiernan
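The privilege-dropping open proposed in the message above, written out as an added example (not code from the original mail or from NetBSD's libc): it lowers the effective ids to the real ids, opens, restores, and then applies the "not a special file" check from the quoted list to the descriptor that was actually opened, so no check-then-open window exists. It assumes a portable stand-in for issetugid() and uses the real gid directly instead of a passwd lookup; a resolver would call open_as_real_user() with the value of getenv("HOSTALIASES").

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for NetBSD's issetugid() (an assumption of this example):
 * true when the effective ids differ from the real ids. */
static int privileges_elevated(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Open `path` with the caller's real ids in effect, restore the effective
 * ids, and keep only a regular file.  No access check precedes the open():
 * the kernel judges the ids in force at that instant, so a check-then-open
 * race cannot arise; the "special file" test runs on the opened fd. */
FILE *open_as_real_user(const char *path)
{
    uid_t euid = geteuid();
    gid_t egid = getegid();
    int dropped = 0, fd;
    struct stat st;

    if (privileges_elevated()) {
        /* gid first: once the euid is unprivileged, setegid() would fail. */
        if (setegid(getgid()) == -1 || seteuid(getuid()) == -1)
            return NULL;
        dropped = 1;
    }
    /* O_NONBLOCK|O_NOCTTY: a FIFO or terminal must neither stall the open
     * nor become our controlling tty while we still decide what this is. */
    fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    /* uid first (regain the saved set-user-ID), then gid; a failed restore
     * leaves us unprivileged, so report failure rather than carry on. */
    if (dropped && (seteuid(euid) == -1 || setegid(egid) == -1)) {
        if (fd != -1)
            close(fd);
        return NULL;
    }
    if (fd == -1)
        return NULL;
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode)) {
        close(fd);                  /* device, FIFO, directory: refuse */
        return NULL;
    }
    (void)fcntl(fd, F_SETFL, 0);    /* regular file: drop O_NONBLOCK */
    return fdopen(fd, "r");
}
```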