-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-02:07 Security Advisory FreeBSD, Inc. Topic: Kerberos 5 su command uses getlogin for authorization Category: krb5, ports Module: crypto/heimdal/appl/su, heimdal Announced: 2002-01-18 Credits: Aaron Affects: FreeBSD 4.4-RELEASE FreeBSD 4.4-STABLE prior to the correction date Ports collection prior to the correction date Corrected: 2002-01-15 21:52:48 UTC (RELENG_4) 2002-01-17 15:45:05 UTC (RELENG_4_4) 2001-10-31 19:58:05 UTC (heimdal port) FreeBSD only: NO 0. Revision History v1.0 2002-01-18 Initial release v1.1 2002-09-09 Corrected date of heimdal port correction I. Background The getlogin and setlogin system calls are used to manage the user name associated with a login session. k5su is a Kerberos 5-enabled su program. Like su, it allows authorized users to `switch user' in order to obtain additional privileges. II. Problem Description The setlogin system call, the use of which is restricted to the superuser, is used to associate a user name with a login session. The getlogin system call is used to retrieve that user name. The setlogin system call is typically used by applications such as login and sshd. The k5su command included with FreeBSD, versions prior to 4.5-RELEASE, and the su command included in the heimdal port, versions prior to heimdal-0.4e_2, use the getlogin system call in order to determine whether the currently logged-in user is `root'. In some circumstances, it is possible for a non-privileged process to have `root' as the login name returned by getlogin. The `k5su' command may be installed as part of FreeBSD when Kerberos 5 support is requested, or it may be installed from the FreeBSD Ports Collection (ports/security/heimdal), in which case it is installed simply as `su'. The Heimdal port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 6000 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.4 contains this problem since it was discovered after the release. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact In some circumstances, process that have been started by root but have given up superuser privileges may be able to invoke `k5su' to regain superuser privileges. IV. Workaround Commands to be executed as root are signified by lines starting with the `#' character. [Kerberos 5 in the base system] Remove the set-user-ID bit from the `k5su' executable by running the following command as root: # chmod u-s /usr/bin/k5su [Heimdal port] Remove the set-user-ID bit from the `su' executable by running the following command as root: # chmod u-s /usr/local/bin/su V. Solution [Kerberos 5 in the base system] NOTE: If the file /usr/bin/k5su does not exist on your system, Kerberos 5 is not installed and you do not need to take any action. Do one of the following: 1) Upgrade your system to 4.4-STABLE or the RELENG_4_4 security branch, dated after the respective correction dates. 2) To patch your present system: The following patch has been verified to apply to FreeBSD 4.4-RELEASE and 4.4-STABLE dated prior to the correction date. It may or may not apply to older, unsupported versions of FreeBSD. Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility. # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-02:07/k5su.patch # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-02:07/k5su.patch.asc Execute the following commands as root: # cd /usr/src # patch < /path/to/k5su.patch # cd /usr/src/kerberos5/lib # env MAKE_KERBEROS5=yes make depend # env MAKE_KERBEROS5=yes make all install # cd /usr/src/kerberos5/usr.bin/k5su # env MAKE_KERBEROS5=yes make depend # env MAKE_KERBEROS5=yes make all install [Heimdal port] Do one of the following: 1) Upgrade your entire ports collection and rebuild the port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from the following directories: [i386] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/heimdal-0.4e_2.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/heimdal-0.4e_2.tgz [alpha] Packages are not automatically generated for the alpha architecture at this time due to lack of build resources. 3) Download a new port skeleton for the heimdal port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz VI. Correction details The following list contains the revision numbers of each file that was corrected in the FreeBSD ports collection. [Kerberos 5 in the base system] Path Revision Branch - ------------------------------------------------------------------------- src/crypto/heimdal/appl/su/su.c HEAD 1.1.1.4 RELENG_4 1.1.1.1.2.2 RELENG_4_4 1.1.1.1.2.1.4.1 RELENG_4_3 1.1.1.1.2.1.2.1 - ------------------------------------------------------------------------- [Heimdal port] Path Revision - ------------------------------------------------------------------------- ports/security/heimdal/Makefile 1.46 ports/security/heimdal/patch-appl::su::su.c 1.1 - ------------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iQCVAwUBPXzS0lUuHi5z0oilAQEpXQP9G3KRTXz9IBC+S+VwKwIx6lqZ0omDL8Ec 8AqhmzGyTxGikBdWL3qSZH3Ab51R9QCAd8JnN08HqrAqduzIzzG7zrmWn7r643zO CZQH/w/1n9bwvt4nSqG8h3xwwEKKxtSKJC1/gJSPEafvVyXumOPlrcpdDktwUBHE UaE0lGT+43U= =v8Mv -----END PGP SIGNATURE-----