From ericm@gauss.math.montana.edu Tue Apr 21 16:15:53 1998
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id QAA21030 for <bugs@RT-11.MIT.EDU>; Tue, 21 Apr 1998 16:15:51 -0400
Received: from gauss.math.montana.edu by MIT.EDU with SMTP
id AA09716; Tue, 21 Apr 98 16:15:40 EDT
Received: (from ericm@localhost)
by gauss.math.montana.edu (5.65/DEC-Ultrix/4.3/) id OAA00350;
Tue, 21 Apr 1998 14:15:39 -0600 (MDT)
Message-Id: <199804212015.OAA00350@gauss.math.montana.edu>
Date: Tue, 21 Apr 1998 14:15:39 -0600 (MDT)
From: ericm@math.montana.edu
Reply-To: ericm@math.montana.edu
To: krb5-bugs@MIT.EDU
Subject: chdir(2) problem
X-Send-Pr-Version: 3.99
>Number: 582
>Category: krb5-appl
>Synopsis: problem with chdir(2) in login.krb5
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Apr 21 16:16:01 EDT 1998
>Last-Modified: Fri Aug 07 00:54:51 EDT 1998
>Originator: Eric McWhorter
>Organization:
Montana State University
Eric McWhorter 2-207 Wilson Hall, MSU, Bozeman, MT 59717
College of Letters and Science (406)994-1788
Montana State University ericm@math.montana.edu
>Release: krb5-1.0.5
>Environment:
sun ultrasparc 2170, dec mips 5000/240
solaris 2.6, netbsd 1.3.1
System: SunOS gauss 5.6 Generic_105181-04 sun4u sparc SUNW,Ultra-2
Architecture: sun4
>Description:
When src/appl/bsd/login.c and src/appl/gssftp/ftpd/ftpd.c
check to see if the user login directory is valid, the
assumption is made that root can chdir(2) to the user's
home directory.
>How-To-Repeat:
nfs export home dir with root remapped to nobody, login
to an account with $HOME chmod 700. chdir(2) will fail
and login will be to system root dir.
>Fix:
src/appl/bsd/login.c:
seteuid(2) to user before chdir(2), then seteuid back to root
after chdir(2) (see patch).
src/appl/gssftp/ftpd/ftpd.c:
move setuid(2) call to just before chdir(2) call to home
directory (see patch).
Here's a patch:
*** krb5-1.0.5/src/appl/gssftp/ftpd/ftpd.c.orig Mon Apr 20 16:40:59 1998
--- krb5-1.0.5/src/appl/gssftp/ftpd/ftpd.c Mon Apr 20 16:41:05 1998
***************
*** 837,842 ****
--- 837,847 ----
ftp_logwtmp(ttyline, pw->pw_name, remotehost);
logged_in = 1;
+ if (seteuid((uid_t)pw->pw_uid) < 0) {
+ reply(550, "Can't set uid.");
+ goto bad;
+ }
+
if (guest) {
/*
* We MUST do a chdir() after the chroot. Otherwise
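Review bot: dropping to the user's effective uid here, ahead of the `if (guest)` block, puts the guest chroot() after the privilege drop (the comment in the context, "We MUST do a chdir() after the chroot", places that chroot() inside the guest block), and chroot(2) needs root, so anonymous logins will fail with this patch. Move the chroot() ahead of the new seteuid() call, or keep the seteuid() after the guest block, rather than putting it before it; the follow-up in the audit trail does exactly that. The "Can't set uid." 550 is fine, but note it is sent before any chdir() has been attempted, so nothing about the home directory is reported in that case.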
***************
*** 854,863 ****
goto bad;
} else
lreply(230, "No directory! Logging in with home=/");
- }
- if (seteuid((uid_t)pw->pw_uid) < 0) {
- reply(550, "Can't set uid.");
- goto bad;
}
if (guest) {
reply(230, "Guest login ok, access restrictions apply.");
--- 859,864 ----
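Review bot: with the seteuid() block deleted from here, both the `goto bad;` on the failed guest chdir() and the `lreply(230, "No directory! Logging in with home=/")` fallback now run with the effective uid already switched to the user; check that the `bad:` cleanup path (the wtmp record written by the `ftp_logwtmp()` call in the previous hunk, the reply to the client) does not itself need root. Also consider whether a non-guest user who cannot enter their own home directory should get a 550 refusal instead of being dropped into `/`, since after this change that chdir() failure reflects the user's own permissions and is no longer a root-remapping artifact.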
*** krb5-1.0.5/src/appl/bsd/login.c.orig Fri Feb 6 20:41:18 1998
--- krb5-1.0.5/src/appl/bsd/login.c Tue Apr 21 12:00:25 1998
***************
*** 401,406 ****
--- 401,407 ----
struct passwd *pwd;
static char *salt;
+ uid_t root_uid;
#ifdef HAVE_SHADOW
struct spwd *spwd;
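Review bot: `root_uid` is declared here at the top of main() alongside `pwd` and `salt` but is only assigned, from getuid(), in the later hunk, and getuid() returns the real uid; the name promises a root uid the value does not guarantee when login is run setuid-root by an unprivileged caller. Name it for what it holds (e.g. `saved_euid`), initialise it from geteuid() at the point of the drop, and declare it in the block that uses it.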
***************
*** 1542,1553 ****
--- 1543,1569 ----
sleepexit(0);
}
#endif
+ /* root uid is likely 0, but should check just in case */
+ root_uid = getuid();
+
+ /* Should this call fail, we might login to / instead of our
+ home dir if root hasn't permissions on cwd, which is okay */
+ seteuid((uid_t) pwd->pw_uid);
+
if (chdir(pwd->pw_dir) < 0) {
printf("No directory %s!\n", pwd->pw_dir);
if (chdir("/"))
exit(0);
pwd->pw_dir = "/";
printf("Logging in with home = \"/\".\n");
+ }
+
+ /* switch back to root to finish login proceedure
+ if this call fails, things will be goofy */
+ if(seteuid(root_uid) < 0) {
+ syslog(LOG_ERR,
+ "seteuid: %s",
+ error_message(errno));
}
/* nothing else left to fail -- really log in */
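Review bot: `root_uid = getuid()` saves the real uid, not the effective one; when login is started by a root process the two coincide, but a setuid-root login invoked by an ordinary user has that user's real uid, and `seteuid(root_uid)` then leaves the process unprivileged for the rest of the login, which is precisely the "things will be goofy" case the comment admits to. Save geteuid() instead. The drop itself is unchecked: if `seteuid((uid_t) pwd->pw_uid)` fails, the chdir() silently runs as root again, which is the original bug, so at least syslog that failure. And when the restore fails, logging and continuing is the wrong choice for a program about to finish setting up the session as root; call sleepexit() (used a few lines above in this hunk) rather than carry on. Two caveats on the approach as a whole: seteuid() alone leaves root's supplementary groups in place, so the probe still does not run with the user's full credentials for a home directory reachable only through a group, and the alternative raised in the audit trail, doing the chdir() after the permanent setuid(), needs no restore step at all.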
>Audit-Trail:
From: Sam Hartman <hartmans@MIT.EDU>
To: ericm@math.montana.edu
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-appl/582: chdir(2) problem
Date: 02 May 1998 14:59:09 -0400
Note that we probably want to use krb5_seteuid in ftpd in general.
For login, it's unclear what we want to do. I do not want to
introduce any calls to krb5_setuid into a new program unless we have
to do so because POSIX does not guarantee that function will be able
to work. It might be more reasonable to have login check to see if
directory is valid *after* calling setuid.
Of course, if you are using krb5, you probably want to have your home dir mode 711 or better so that the daemons can read .k5login.
From: Eric McWhorter <ericm@gauss.math.montana.edu>
To: Sam Hartman <hartmans@MIT.EDU>
Cc:
Subject: Re: krb5-appl/582: chdir(2) problem
Date: Mon, 4 May 1998 07:53:37 -0600 (MDT)
Sam Hartman writes:
> Note that we probably want to use krb5_seteuid in ftpd in general.
> For login, it's unclear what we want to do. I do not want to
> introduce any calls to krb5_setuid into a new program unless we have
> to do so because POSIX does not guarantee that function will be able
> to work. It might be more reasonable to have login check to see if
> directory is valid *after* calling setuid.
My code doesn't work, so don't use it. :) I broke anon ftp. Checking
after setuid sounds okay.
> Of course, if you are using krb5, you probably want to have your home dir mode 711 or better so that the daemons can read .k5login.
But shouldn't the daemons be able to read .k5login as the user rather
than root, in other words, shouldn't the daemons all seteuid to the user
before working with .k5login rather than assuming/insisting root
has/have access?
Thanks!
--
Eric McWhorter 2-207 Wilson Hall, MSU, Bozeman, MT 59717
College of Letters and Science (406)994-1788
Montana State University ericm@math.montana.edu
>Unformatted:
[Matthew D. Hancher -- Fri Aug 7 00:52:36 EDT 1998]
I fixed this for ftpd, by moving the seteuid before the chdir() and moving
the guest chroot() even earlier. I have not yet done anything with login.
-mdh
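An added example, written for this page and not code from the bug report or from MIT krb5, showing the ordering the thread converges on for the home-directory check: root-only work (such as the guest chroot() mentioned above) has to happen before the drop, the chdir() probe runs with the user's own effective ids so that an NFS root-squashed, mode-0700 home directory behaves as it would for the user, and root is regained afterwards with the restore checked rather than logged and ignored. The function names, return codes and the self-test directory under /tmp are this example's own assumptions. The probe changes only the effective uid and gid, so root's supplementary groups stay in force; a home directory the user can reach only through a supplementary group would still be reported as unreachable, and the alternative Sam Hartman raises, checking the directory after the permanent setuid(), avoids the restore step entirely.

```c
/* Added example, not krb5 code: probe a home directory with the user's
 * own effective ids, then regain root.  Names, return codes and the
 * self-test setup are this example's own assumptions. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum probe_result {
    PROBE_OK = 0,              /* chdir(dir) succeeded with the user's ids */
    PROBE_NO_DIR = -1,         /* chdir(dir) failed as the user; caller may fall back to "/" */
    PROBE_DROP_FAILED = -2,    /* could not assume the user's ids; ids unchanged, no chdir done */
    PROBE_RESTORE_FAILED = -3  /* chdir ran, but root was NOT regained; caller must exit */
};

/* Temporarily become the user (effective ids only), chdir(dir), then
 * restore the saved effective ids.  The supplementary group list is not
 * touched, so a directory reachable only through such a group is still
 * reported as unreachable.  Unprivileged callers can only probe as
 * themselves. */
int probe_home_as_user(uid_t uid, gid_t gid, const char *dir)
{
    uid_t saved_uid = geteuid();   /* effective, not real: login may be setuid-root */
    gid_t saved_gid = getegid();
    int privileged = (saved_uid == 0);
    int rc;

    if (privileged) {
        /* gid first, while still root; the uid switch away from root last. */
        if (setegid(gid) < 0)
            return PROBE_DROP_FAILED;
        if (seteuid(uid) < 0) {
            (void)setegid(saved_gid);
            return PROBE_DROP_FAILED;
        }
    } else if (uid != saved_uid) {
        return PROBE_DROP_FAILED;
    }

    /* The access check inside chdir() now uses the user's ids: a
     * root-squashed, mode-0700 home directory that root cannot enter
     * succeeds here, and one the user genuinely lacks rights to fails
     * here instead of being masked by root's privilege. */
    rc = (chdir(dir) == 0) ? PROBE_OK : PROBE_NO_DIR;

    if (privileged) {
        /* A failed restore is fatal for the caller, not something to log
         * and carry on from. */
        if (seteuid(saved_uid) < 0 || setegid(saved_gid) < 0)
            return PROBE_RESTORE_FAILED;
    }
    return rc;
}

/* Exercise probe_home_as_user() on a constructed mode-0700 directory
 * under /tmp.  Returns 1 if every step behaved as documented, else 0.
 * Works as root (the directory is probed with root's own ids) and as an
 * ordinary user (no id switch; the chdir() still runs as that user). */
int self_test(void)
{
    char dir[64], cwd[4096];
    uid_t euid_before = geteuid();
    int ok = 1;

    snprintf(dir, sizeof dir, "/tmp/probe_home_%ld", (long)getpid());
    if (getcwd(cwd, sizeof cwd) == NULL || mkdir(dir, 0700) < 0)
        return 0;

    /* The owner can enter its own 0700 directory. */
    if (probe_home_as_user(getuid(), getgid(), dir) != PROBE_OK)
        ok = 0;
    /* A missing home directory is reported, not treated as fatal. */
    if (probe_home_as_user(getuid(), getgid(), "/no-such-home-dir-for-probe") != PROBE_NO_DIR)
        ok = 0;
    /* Effective ids are exactly what they were before the probes. */
    if (geteuid() != euid_before)
        ok = 0;

    (void)chdir(cwd);
    (void)rmdir(dir);
    return ok;
}

int main(void)
{
    printf("self_test: %s\n", self_test() ? "ok" : "FAILED");
    return 0;
}
```

A caller that gets PROBE_NO_DIR can fall back to "/" the way login.c and ftpd.c do; PROBE_DROP_FAILED and PROBE_RESTORE_FAILED should end the login, since the process is either still root without having probed anything, or no longer root and unable to finish the session setup.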