Subject: solving various bug reports...
To: None <tech-security@NetBSD.ORG>
From: Luke Mewburn <lukem@connect.com.au>
List: tech-security
Date: 06/26/1997 15:50:35
I've compiled a list of non-closed bug reports that I believe are
related to security. mrg and I have discussed these, and there's a few
that we'd like further input on before action is taken.

In each case I've outlined the general direction that will be taken
with the issue unless there's major objections...


1. Remote access for root with empty password
---------------------------------------------

PR 664 is about rlogin and ftp being blocked if root has no password,
but rsh isn't. I clarified to the user that rlogin is now like rsh in
that it respects ~root/.rhosts. ftp was only blocked because of
/etc/ftpusers.

The submitter (David Sharnoff) still wants the functionality of preventing
root access if root's password is empty. I don't believe that this is
a special case that we need to support in r{sh,login} or ftp.


2. su(1) uses /etc/group instead of current grouplist
-----------------------------------------------------

PRs 792 and 2466 both mention that su(1) parses /etc/group for the
contents of gid 0 to determine if access is permitted to root.
If a user's primary group is 0, but they're not in /etc/group, things
fail.

The suggested solution is to check the user's *current* group list
using getgroups() (both primary & supplementary groups) for
existence of gid 0, instead of getpwent(getuid()) and getgrgid(0).
This is consistent with other access checks on the system...
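An added example, not part of this message or of the PR patches, showing the proposed check in C: gid 0 is looked up in the caller's real gid plus the list returned by getgroups(), rather than by re-reading /etc/group, so a user whose primary gid is 0 but who is not listed in the file is still accepted. The function names are assumptions, not NetBSD's su.c.

```c
/* Added example: check for gid 0 via the caller's current group list,
 * not via getpwuid()/getgrgid(0) and /etc/group. Assumed names. */
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>

/* Pure check over a primary gid plus a supplementary group array, so it
 * can be exercised with constructed input. Returns 1 if target found. */
int gid_in_list(gid_t primary, const gid_t *groups, int ngroups, gid_t target)
{
    if (primary == target)
        return 1;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == target)
            return 1;
    return 0;
}

/* Ask the kernel for the caller's real primary gid and supplementary
 * groups and test them for gid 0. Returns 1/0, or -1 on error.
 * getgroups() may or may not include the primary gid, so getgid() is
 * always consulted as well. */
int caller_in_gid0(void)
{
    int n = getgroups(0, NULL);          /* how many entries are there? */
    if (n < 0)
        return -1;
    gid_t *groups = calloc((size_t)n + 1, sizeof *groups);
    if (groups == NULL)
        return -1;
    n = getgroups(n, groups);
    if (n < 0) {
        free(groups);
        return -1;
    }
    int r = gid_in_list(getgid(), groups, n, (gid_t)0);
    free(groups);
    return r;
}

int main(void)
{
    int r = caller_in_gid0();
    if (r < 0) {
        perror("getgroups");
        return 1;
    }
    printf("caller %s in gid 0\n", r ? "is" : "is NOT");
    return 0;
}
```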


3. su(1) ignores expired password or account
--------------------------------------------

PR 935 adds support to su(1) to notify of impending password or
account expiry, and to prevent non-root su to expired accounts.

login(1) enforces this, and I believe the solution is sound.

However, I would also add a general #define in <pwd.h> for
"WARNDAYS" so that login(1), su(1) and any other related programs
consistently use the same grace period.


4. login(1) patch to force password change on initial login
-----------------------------------------------------------

PR 936 adds support for a "magic" password change date to force users
to change their passwords on initial login.

This is good. I'd also add support to su(1) for this, and ensure that
the value for the "magic" change is
    a) in <pwd.h>
    b) documented in passwd(1), passwd(5), and elsewhere


5. packet dump support in tcpdump(8)
------------------------------------

PR 1205 adds hex/ascii packet dumping to tcpdump(8), and telnet option
parsing.

cgd commented that this has been brought up in the past and knocked down.

However, Solaris' snoop(1) allows this. Given that tcpdump(8) can only
be run by root, it would be trivial to supply an application that can
do this anyway. I can't see the problem with this, but this is a
controversial issue...


6. inetd runs before securelevel is raised
------------------------------------------

PR 1323 highlights that inetd(8) and other programs are run from
/etc/rc before securelevel is raised. Therefore, it is possible for
users to get into a system before securelevel is raised.

This is a complicated issue, and probably deserves its own thread.
No idea on how to solve it.


7. log root login failures at a different log level
---------------------------------------------------

PR 2075 changes things so that root login failures are at LOG_WARNING
instead of LOG_NOTICE.

I'm not sure if this is totally necessary, but I'm neutral either
way... Comments?


8. changing stuff in /etc/mtree/special to be optional
------------------------------------------------------

PR 3663 modifies /etc/mtree/special so that a lot of directories and
files that won't exist in every installation are "optional".

Looks like a good idea, and I can't see fault in it. I may be missing
something obvious though.