On Thu, 31 Oct 2002 14:13:58 -0800 Tim Kientzle <[EMAIL PROTECTED]> wrote:

Hi,

> I can think of three concerns:
>
> 1) Fragility.  Could a naive sysadmin (or a dying
>    disk) break /[s]bin?
>    What if the ldconfig hints files were hosed?
>    Is ld-elf.so truly bulletproof?

Agreed, and, fortunately, that was taken into account with the
introduction of the /rescue dir:

christine: {48} du -h /rescue
2.4M    /rescue
christine: {49} ls -l /rescue
-r-xr-xr-x  127 root  wheel  2535308 Oct 29 23:02 [
-r-xr-xr-x  127 root  wheel  2535308 Oct 29 23:02 atactl
-r-xr-xr-x  127 root  wheel  2535308 Oct 29 23:02 badsect
-r-xr-xr-x  127 root  wheel  2535308 Oct 29 23:02 brconfig
-r-xr-xr-x  127 root  wheel  2535308 Oct 29 23:02 bunzip2
-r-xr-xr-x  127 root  wheel  2535308 Oct 29 23:02 bzcat
-r-xr-xr-x  127 root  wheel  2535308 Oct 29 23:02 bzip2
-r-xr-xr-x  127 root  wheel  2535308 Oct 29 23:02 cat
-r-xr-xr-x  127 root  wheel  2535308 Oct 29 23:02 ccdconfig
-r-xr-xr-x  127 root  wheel  2535308 Oct 29 23:02 chgrp
-r-xr-xr-x  127 root  wheel  2535308 Oct 29 23:02 chio
-r-xr-xr-x  127 root  wheel  2535308 Oct 29 23:02 chmod
-r-xr-xr-x  127 root  wheel  2535308 Oct 29 23:02 chown
-r-xr-xr-x  127 root  wheel  2535308 Oct 29 23:02 clri
-r-xr-xr-x  127 root  wheel  2535308 Oct 29 23:02 cp
-r-xr-xr-x  127 root  wheel  2535308 Oct 29 23:02 csh
-r-xr-xr-x  127 root  wheel  2535308 Oct 29 23:02 date
[...]

As you can see, all system-critical tools are there, statically linked,
of course, so it's no big deal.

> 2) Security.  Can LD_LIBRARY_PATH (or other mechanisms)
>    be used to deliberately subvert any of these programs?
>    (especially the handful of suid/sgid programs here)

Agreed, a quick find shows these set[ug]id programs:

christine: {63} find /bin /sbin -perm -u+s
/bin/rcmd
/sbin/ping
/sbin/ping6
/sbin/shutdown
christine: {64} find /bin /sbin -perm -g+s
/sbin/ccdconfig
/sbin/dump
/sbin/dump_lfs
/sbin/rdump
/sbin/rdump_lfs

I can't come up with an idea right now of how exploiting LD_LIBRARY_PATH
could be useful with any of these, but the possibility exists.

OTOH, the recently added privilege elevation feature should make it
possible to have *no* setuid programs on a system, and have the kernel
elevate privileges for certain syscalls, based on the policy created by
systrace. (I'm talking NetBSD here; this feature is not (yet) in FreeBSD.)

> 3) Upgrade breakage.  Will this make upgrades more fragile?
>    A broken or incomplete upgrade could damage ld-elf.so
>    or introduce version skew between /bin and libc.so.
>    (Yes, people do rebuild libc without rebuilding world.)

Not a problem, because you have /rescue.

> That's impressive; FreeBSD's /bin is over 7M by
> itself right now.  I would be curious to see
> the results from ls -l /bin on your NetBSD system
> as well.

christine: {66} ls -l /bin
total 2494
-r-xr-xr-x  2 root  wheel    8512 Oct 29 23:02 [
-r-xr-xr-x  1 root  wheel    8480 Oct 29 22:59 cat
-r-xr-xr-x  1 root  wheel   11296 Oct 29 22:59 chio
-r-xr-xr-x  1 root  wheel    7008 Oct 29 22:59 chmod
-r-xr-xr-x  1 root  wheel   13960 Oct 29 22:59 cp
-r-xr-xr-x  3 root  wheel  107976 Oct 29 23:01 cpio
-r-xr-xr-x  1 root  wheel  116812 Oct 29 23:00 csh
-r-xr-xr-x  1 root  wheel    9936 Oct 29 23:00 date
-r-xr-xr-x  1 root  wheel   21068 Oct 29 23:00 dd
-r-xr-xr-x  1 root  wheel    9268 Oct 29 23:00 df
-r-xr-xr-x  1 root  wheel    5320 Oct 29 23:00 domainname
-r-xr-xr-x  1 root  wheel    4892 Oct 29 23:00 echo
-r-xr-xr-x  1 root  wheel   43312 Oct 29 23:00 ed
-r-xr-xr-x  1 root  wheel   12352 Oct 29 23:00 expr
-r-xr-xr-x  1 root  wheel    5572 Oct 29 23:00 hostname
-r-xr-xr-x  1 root  wheel    6720 Oct 29 23:00 kill
-r-xr-xr-x  1 root  wheel  171864 Oct 29 23:00 ksh
-r-xr-xr-x  1 root  wheel    6268 Oct 29 23:00 ln
-r-xr-xr-x  1 root  wheel   19108 Oct 29 23:00 ls
-r-xr-xr-x  1 root  wheel    6688 Oct 29 23:01 mkdir
-r-xr-xr-x  1 root  wheel   13040 Oct 29 23:01 mt
-r-xr-xr-x  1 root  wheel    9692 Oct 29 23:01 mv
-r-xr-xr-x  3 root  wheel  107976 Oct 29 23:01 pax
-r-xr-xr-x  1 root  wheel   27924 Oct 29 23:01 ps
-r-xr-xr-x  1 root  wheel    5884 Oct 29 23:01 pwd
-r-sr-xr-x  1 root  wheel    9276 Oct 29 23:01 rcmd
-r-xr-xr-x  1 root  wheel   16904 Oct 29 23:01 rcp
-r-xr-xr-x  1 root  wheel    9536 Oct 29 23:01 rm
lrwxr-xr-x  1 root  wheel      18 Aug 18  2001 rmail -> /usr/libexec/rmail
-r-xr-xr-x  1 root  wheel    5568 Oct 29 23:01 rmdir
-r-xr-xr-x  1 root  wheel   97548 Oct 29 23:01 sh
-r-xr-xr-x  1 root  wheel    5892 Oct 29 23:02 sleep
-r-xr-xr-x  1 root  wheel   17860 Oct 29 23:02 stty
-r-xr-xr-x  1 root  wheel    4652 Oct 29 23:02 sync
-r-xr-xr-x  1 root  wheel  133656 Oct 29 23:02 systrace
-r-xr-xr-x  3 root  wheel  107976 Oct 29 23:01 tar
-r-xr-xr-x  2 root  wheel    8512 Oct 29 23:02 test

> > ... a knob in /etc/mk.conf to get the old behaviour,
> > how about something like that?
>
> Knobs are dangerous because you have to test
> all of the settings.

Knobs are hard, let's go shopping :)

Seriously, of course it would need testing; just because it requires work
doesn't mean it's not worth doing. rcNG has been in the works for a long
time. Is it worth it? Absolutely. Try it once and you'll wonder how you
could live with the old system, or even with the SysV symlink craziness.

Cheers,
-- 
Miguel Mendez - [EMAIL PROTECTED]
GPG Public Key :: http://energyhq.homeip.net/files/pubkey.txt
EnergyHQ :: http://www.energyhq.tk
NetBSD :: Unix without hype

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
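The two checks the mail does by hand, the `find` for set[ug]id programs in /bin and /sbin and the link count / identical size in `ls -l /rescue` that shows one crunched static binary under many names, can be scripted. The script below is an added example written for this page; it is not part of the mail and not NetBSD or FreeBSD code. The file name `audit.sh`, the function names and the `setid`/`crunched` subcommands are assumptions; it takes the directories to inspect as arguments and does not hard-code /bin, /sbin or /rescue.

```sh
#!/bin/sh
# Added example (not from the mail above): two checks that script what the
# du/ls/find output in the mail shows by hand.  Directory names are passed
# in by the caller; /bin, /sbin and /rescue are only the suggested uses.

# list_setid DIR...: print every regular file under the given directories
# that has the set-uid (tag "S") or set-gid (tag "G") bit set, one per line.
# Numeric -perm masks are used because both GNU and BSD find accept them;
# a file with both bits set is reported twice, once per tag.
list_setid() {
    for d in "$@"; do
        find "$d" -type f -perm -4000 -print 2>/dev/null |
            while IFS= read -r f; do printf 'S %s\n' "$f"; done
        find "$d" -type f -perm -2000 -print 2>/dev/null |
            while IFS= read -r f; do printf 'G %s\n' "$f"; done
    done | sort
}

# crunched_dir DIR: succeed only when every regular file directly in DIR is
# a hard link to one and the same inode.  That is what a crunchgen(1)-style
# /rescue looks like (one static binary under many names), and it is the
# same signal as the link count of 127 and the identical sizes in the
# ls -l /rescue output in the mail.  A stray, separately built file in the
# directory makes the check fail and is named on stderr.
crunched_dir() {
    dir=$1
    first=
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        set -- $(ls -i "$f")          # "inode name"; only the inode is used
        ino=$1
        if [ -z "$first" ]; then
            first=$ino
        elif [ "$ino" != "$first" ]; then
            printf 'not a link of the crunched binary: %s (inode %s, expected %s)\n' \
                "$f" "$ino" "$first" >&2
            return 1
        fi
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]                    # an empty or missing directory proves nothing
}

# Command-line entry point; with no arguments the functions are only defined,
# so the file can also be sourced.
case ${1:-} in
    setid)    shift; list_setid "$@" ;;
    crunched) crunched_dir "$2" ;;
esac
```

`sh audit.sh setid /bin /sbin` reproduces the two `find` runs from the mail as one tagged list, and `sh audit.sh crunched /rescue` exits 0 only if every file in /rescue is the same hard-linked binary. Note what the second check does not prove: that the binary is statically linked. `file(1)` reporting "statically linked" for one of the links is the direct test for that, and it is the property that makes /rescue immune to a broken ld-elf.so or a bad libc.so.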