Re: umask for init
Just for further info: if you want a whole process for locking down Linux, go to www.securityportal.com and select the Linux tab. In the left hand frame there should be a section labelled Securing Linux. Follow that to help plug further holes.

Dan Hutchinson

Dan Christensen <[EMAIL PROTECTED]> wrote:
> I read that certain kernel versions don't set the umask for init
> correctly (2.4.6 is one of them, I think). Does anyone know if
> a Debian system is susceptible to this problem, and if so, which
> files may have been created world-writable?
>
> Thanks,
>
> Dan
Re: umask for init
Thanks everybody, it's nice to have an active security ml.

Vincenzo Ciancia
-- 
Nick Name - [EMAIL PROTECTED] - UIN 94982698 - Vincenzo Ciancia -
Re: umask for init
Dan Christensen <[EMAIL PROTECTED]> writes:
> No need to reboot or restart init, I think.

Actually, on second thought, rebooting is probably a good idea, since there are probably lots of processes already running with the wrong umask.

Dan
Re: umask for init
Ethan Benson <[EMAIL PROTECTED]> writes:
> neh. messing around with what /sbin/init is nasty. better solution
> is adding umask 022 to /etc/init.d/rc, using /etc/initscript (I'm not
> totally sure how this works, rtfm...)

Here is what I put in /etc/initscript, which does the trick according to Nick Name's test in a previous message.

  # Created by jdc to protect against bad umask settings in the
  # kernel, e.g. kernel versions 2.4.6 and a few others.
  # Init uses this to start all processes it wants to start.
  # See initscript(5).
  umask 022
  eval exec "$4"

No need to reboot or restart init, I think.

Dan
Re: umask for init
On Tue, Jul 24, 2001 at 02:24:41AM +0200, Nick Name wrote:
> More seriously, a quick fix could be, if you can't switch back to 2.2.19 or
> go forward to 2.4.7, to mv /sbin/init /sbin/good_init and put in /sbin/init
> a script like this, everything is untested of course:
>
> #!/bin/sh
> umask 022
> exec /sbin/good_init "$@"

neh. messing around with what /sbin/init is nasty. better solution is adding umask 022 to /etc/init.d/rc, using /etc/initscript (I'm not totally sure how this works, rtfm...) or patching init to call umask(022); the kernel developers seem to believe the latter is the correct solution. i tend to agree with that, but i don't agree that the kernel should start processes with a broken umask to begin with.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
Re: umask for init
Christian Jaeger <[EMAIL PROTECTED]> writes:
> I have put a line 'umask 022' at the top of /etc/init.d/rc to solve it
> (/etc/init.d/rcS already has a umask 022 command).

And presumably I need to reboot after doing this, right?

Dan
Re: umask for init
Ethan Benson <[EMAIL PROTECTED]> writes:
> On Mon, Jul 23, 2001 at 04:53:55PM -0400, Dan Christensen wrote:
> > I read that certain kernel versions don't set the umask for init
> > correctly (2.4.6 is one of them, I think). Does anyone know if
> > a Debian system is susceptible to this problem, and if so, which
> > files may have been created world-writable?
>
> solution: switch back to 2.2 kernels or upgrade to 2.4.7 which finally
> fixes this and sets the default umask back to 022.

You can also set the umask used by init to spawn processes in /etc/initscript. See initscript(5).

-sami.
Re: umask for init
On Mon, 23 Jul 2001 15:58:33 -0800, Ethan Benson <[EMAIL PROTECTED]> wrote:
> kernels 2.4.3 - 2.4.6 set the umask to 000 so any thread/process
> created by the kernel, including init started with umask 000 and
> remained that way unless init changed it itself.

Sincerely thanks. I did not know of this bug and I've got a machine running 2.4.6.

For others, here's a quick way to test if you have the bug. In /etc/inittab:

  # Action on special keypress (ALT-UpArrow).
  kb::kbrequest:/usr/bin/touch /tmp/crack_this_system_with_me

then, as root obviously:

  telinit q

Then press Alt+UpArrow and

  ls -la /tmp/crack_this_system_with_me

If this is rw-rw-rw, well, you will agree, you have the feature ... er ... the bug! Tell me this and your ip, and do nothing else, I'll repair your system :)

More seriously, a quick fix could be, if you can't switch back to 2.2.19 or go forward to 2.4.7, to mv /sbin/init /sbin/good_init and put in /sbin/init a script like this, everything is untested of course:

  #!/bin/sh
  umask 022
  # run the real init (moved to /sbin/good_init), passing on any kernel arguments
  exec /sbin/good_init "$@"

Have fun! Bye

Vincenzo Ciancia
-- 
Nick Name - [EMAIL PROTECTED] - UIN 94982698 - Vincenzo Ciancia -
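An added example, not part of this message or of any Debian script: the kbrequest test above needs a live init and a keypress, but the same check can be run against a copy of an /etc/initscript without touching the running system, because init(8) executes every inittab entry as "/bin/sh /etc/initscript <id> <runlevels> <action> <process>" (see initscript(5)). The script below writes the umask-022 initscript posted earlier in the thread to a temporary file, calls it with the four arguments init would build from the kb::kbrequest entry above, from a parent shell deliberately set to umask 000 to stand in for a 2.4.3-2.4.6 kernel, and compares the resulting file mode with the same process started directly. Directory and file names are constructed for the example; it assumes GNU coreutils for stat -c.

```shell
#!/bin/sh
# Added example, not from the thread: exercise an /etc/initscript the way
# init(8) does, from a parent whose umask is 000 to mimic a 2.4.3-2.4.6
# kernel. Assumes GNU coreutils (stat -c); all paths here are constructed.

# Write to $1 the initscript posted in the thread: force umask 022, then
# exec the inittab "process" field, which init passes as $4.
write_initscript() {
    cat > "$1" <<'EOF'
#!/bin/sh
# Init uses this to start every process listed in /etc/inittab.
# $1 = id, $2 = runlevels, $3 = action, $4 = process (see initscript(5)).
umask 022
eval exec "$4"
EOF
}

# Start process $2 through initscript $1 with the arguments init would pass
# for the entry "kb::kbrequest:<process>", after inheriting a 000 umask.
spawn_via_initscript() {
    ( umask 000 && /bin/sh "$1" kb "" kbrequest "$2" )
}

# Start the same process with no initscript in between: it keeps umask 000,
# which is what every boot-time daemon did on the affected kernels.
spawn_directly() {
    ( umask 000 && eval "$1" )
}

# Return "<mode via initscript> <mode direct>" for a freshly touched file.
compare_modes() {
    dir=$(mktemp -d)
    write_initscript "$dir/initscript"
    spawn_via_initscript "$dir/initscript" "touch $dir/fixed"
    spawn_directly "touch $dir/direct"
    printf '%s %s\n' "$(stat -c '%a' "$dir/fixed")" "$(stat -c '%a' "$dir/direct")"
    rm -rf "$dir"
}

compare_modes   # 644 666
```

The first number is what the initscript path produces (0666 & ~022 = 644); the second is the 666 that a process inheriting init's broken umask creates, i.e. the rw-rw-rw the test above looks for. On kernels 4.7 and later the running init's umask can also be read directly from the Umask: line of /proc/1/status, which makes the reboot question moot for checking, though not for repairing already-running daemons.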
Re: umask for init
Dan Christensen <[EMAIL PROTECTED]> writes:
> I read that certain kernel versions don't set the umask for init
> correctly (2.4.6 is one of them, I think). Does anyone know if a Debian
> system is susceptible to this problem, and if so, which files may have
> been created world-writable?

I think 2.4.6 was one of them; amongst other things, check any files created/touched/downloaded by cron. I've grown a load of perm-666 files in /var/cache/apt/archives/ as a result of a daily dist-upgrade download scheduled for 2am with cron.

Otherwise, erm, `man find`?

~Tim
-- 
The blade cuts clean through  | [EMAIL PROTECTED]
the island soil,              | http://spodzone.org.uk/
The years roll back and       |
the world grows small         |
Re: umask for init
At 16:53 -0400 on 23.7.2001, Dan Christensen wrote:
> Does anyone know if a Debian system is susceptible to this problem,

it is

> and if so, which files may have been created world-writable?

Files from quite many servers: look in /var/run, for example (another place is /tmp).

I have put a line 'umask 022' at the top of /etc/init.d/rc to solve it (/etc/init.d/rcS already has a umask 022 command).

chj
Re: umask for init
On Mon, Jul 23, 2001 at 04:53:55PM -0400, Dan Christensen wrote:
> I read that certain kernel versions don't set the umask for init
> correctly (2.4.6 is one of them, I think). Does anyone know if
> a Debian system is susceptible to this problem, and if so, which
> files may have been created world-writable?

kernels 2.4.3 - 2.4.6 set the umask to 000, so any thread/process created by the kernel, including init, started with umask 000 and remained that way unless init changed it itself. debian's init does NOT change the umask, and even though there is a umask 022 in /etc/init.d/rcS that is not enough.

the result is most .pid files in /var/run/* will be created world writable with 0666 permissions, as well as any other file created in the boot process, including:

  (if it did not exist at boot time) /lib/modules/`uname -r`/modules.dep
  this is a gaping root hole.

  /etc/modules.conf (if you have alsa-* packages installed which run
  update-modules in the initscript). this is another gaping root hole.

there are likely more, it depends on what packages you have installed with initscripts. since most of them don't alter their umask either in the initscript or via the program itself, any file created by it will be world writable; depending on what the file is, it can be a severe security hole.

solution: switch back to 2.2 kernels or upgrade to 2.4.7 which finally fixes this and sets the default umask back to 022.

after fixing your kernel it is highly advisable to check your system for world writable files and make sure any that are found are supposed to be that way:

  find / -perm +0002 ! -type l ! -type c -ls

the ! -type l ! -type c ignores symlinks (which are always mode 0777) and character device files (all unused ptys are supposed to be 0666, so including this in your find will clutter the output to the point of unusability).

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
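As an added example, not part of this message or of any Debian tooling, the shell snippet below shows what a 000 versus 022 umask does to a file a daemon creates (the 0666 .pid files described above), and wraps the audit above in a function that prunes symlinks and character devices the same way and additionally skips sticky world-writable directories such as /tmp, which are meant to be 1777. It uses GNU find's -perm /0002, the current spelling of the -perm +0002 test used in the message (GNU find dropped the + form), and GNU stat; the directory tree it audits is constructed in a temporary directory so the example runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: demonstrate the umask effect and audit
# a tree for world-writable files as Ethan's find command does.
# Assumes GNU coreutils (stat -c) and GNU findutils (-perm /mode).

# Create a new empty file at $2 while the umask is $1 and return its octal
# mode. A newly created file gets 0666 & ~umask, so umask 000 yields 666.
mode_under_umask() {
    ( umask "$1" && : > "$2" ) || return 1
    stat -c '%a' "$2"
}

# Print world-writable paths under $1. Symlinks (always 0777) and character
# devices (unused ptys are 0666 by design) are pruned as in the thread;
# directories carrying the sticky bit (1777, e.g. /tmp) are also skipped
# because they are supposed to be world-writable. Everything that is
# printed needs a human to confirm it is intentional.
audit_world_writable() {
    find "$1" \( -type l -o -type c \) -prune -o \
         -perm /0002 ! \( -type d -perm -1000 \) -print
}

# Build a small constructed tree, then run both functions on it.
demo() {
    dir=$(mktemp -d)
    printf 'umask 000 -> %s (what 2.4.3-2.4.6 gave init)\n' \
        "$(mode_under_umask 000 "$dir/daemon.pid")"
    printf 'umask 022 -> %s (after the fix)\n' \
        "$(mode_under_umask 022 "$dir/fixed.pid")"
    ln -s /nonexistent "$dir/link"   # 0777 but harmless: pruned
    mkdir -m 1777 "$dir/tmp"         # sticky, expected: skipped
    echo 'world-writable files found:'
    audit_world_writable "$dir"      # only daemon.pid should be listed
    rm -rf "$dir"
}

demo
```

To audit a real system, call audit_world_writable / as root after the kernel has been fixed and rebooted; a .pid file, modules.dep or modules.conf in the output is exactly the kind of hit the message above warns about, and fixing the mode does not undo whatever an attacker may already have written into it, so those files need their contents checked as well.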
umask for init
I read that certain kernel versions don't set the umask for init correctly (2.4.6 is one of them, I think). Does anyone know if a Debian system is susceptible to this problem, and if so, which files may have been created world-writable?

Thanks,

Dan
-- 
Dan Christensen
[EMAIL PROTECTED]