From spidey@anarcat.dyndns.org  Mon Apr 10 13:52:24 2000
Return-Path: <spidey@anarcat.dyndns.org>
Received: from anarcat.dyndns.org (phobos.IRO.UMontreal.CA [132.204.20.20])
	by hub.freebsd.org (Postfix) with ESMTP id 8968237B6A9
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 10 Apr 2000 13:52:06 -0700 (PDT)
	(envelope-from spidey@anarcat.dyndns.org)
Received: by anarcat.dyndns.org (Postfix, from userid 1000)
	id 4E0C219BC; Mon, 10 Apr 2000 16:51:13 -0400 (EDT)
Message-Id: <20000410205113.4E0C219BC@anarcat.dyndns.org>
Date: Mon, 10 Apr 2000 16:51:13 -0400 (EDT)
From: The AnarCat <beaupran@iro.umontreal.ca>
Sender: spidey@anarcat.dyndns.org
Reply-To: The AnarCat <beaupran@iro.umontreal.ca>
To: FreeBSD-gnats-submit@freebsd.org
Subject: Do not allow 'operators' to drop to single user via shutdown
X-Send-Pr-Version: 3.2

>Number:         17910
>Category:       bin
>Synopsis:       Do not allow 'operators' to drop to single user via shutdown
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 10 14:00:01 PDT 2000
>Closed-Date:    Tue Apr 11 05:50:36 PDT 2000
>Last-Modified:  Tue Nov 27 18:32:24 PST 2001
>Originator:     Anarcat
>Release:        FreeBSD 3.4-STABLE i386
>Organization:
>Environment:

        FreeBSD 3.4-1999.11.01

>Description:

        The shutdown(8) utility can be used to stop the system so that
it drops to single-user mode, by any user in the operator group. This
situation may not be desirable in the case of "public" workstations.

For example, say you have some workstations of which the only access is
through the keyboard and monitor. You do not wish to have any user have
root access on these boxes. A user may shutdown(8) the machine, if he's
got the permissions (operator group membership in the default setup) but
should never have single-user access (this also implies that the console
is marked "secure" in /etc/ttys, of course).

>How-To-Repeat:

        User john is in the "operator" group:

login: john
password: 
$ shutdown now
[single user mode]

>Fix:
	
Patch to sbin/shutdown.c:

*** /usr/src/sbin/shutdown/shutdown.c.orig	Thu Sep  9 22:09:39 1999
--- /usr/src/sbin/shutdown/shutdown.c	Mon Apr 10 16:33:27 2000
***************
*** 163,168 ****
--- 163,172 ----
  	if (nosync != NULL && !oflag)
  		usage("-n requires -o");
  
+          /* do not allow anyone else than root to drop to single user */
+         if ((!dohalt) && (!doreboot) && (getuid() != 0))
+                 usage("only root can drop to single user");
+         
  	getoffset(*argv++);
  
  	if (*argv) {
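Review bot: a permission denial should not go through usage(), which prints the command synopsis and makes a legitimate invocation look like a syntax error; in this hunk replace `usage("only root can drop to single user");` with `errx(1, "only root may drop to single user");` (or a `warnx()` followed by `exit(1)`) so the operator sees a plain denial with a distinct message. Two style points in the same hunk: the three added lines are indented with spaces while the surrounding code uses tabs, and the fourth added line is whitespace only and should be an empty line; the comment also reads better as "anyone other than root".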



>Release-Note:
>Audit-Trail:

From: Brooks Davis <brooks@one-eyed-alien.net>
To: The AnarCat <beaupran@iro.umontreal.ca>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/17910: Do not allow 'operators' to drop to single user via shutdown
Date: Mon, 10 Apr 2000 14:26:40 -0700

 On Mon, Apr 10, 2000 at 04:51:13PM -0400, The AnarCat wrote:
 > 
 > >Description:
 > 
 >         The shutdown(8) utility can be used to stop the system so that
 > it drops to single-user modem, by any user in the operator group. This
 > situation may not be desirable in the case of "public" workstations. 
 > 
 > For example, say you have some workstations of which the only access is
 > through the keyboard and monitor. You do not wish to have any user have
 > root access on these boxes. A user may shutdown(8) the machine, if he's
 > got the permissions (operator group membership in the default setup) but
 > should never have single-user access (this also implies that the console
 > is marked "secure" in /etc/ttys, of course).
 
 You already mentioned the real solution.  Just remove secure from
 /etc/ttys.  In any case, it is delusional to think a machine you provide
 physical access to is secure.  Root is only a floppy disk (or, at most,
 a few case screws and a jumper) away.  Breaking shutdown won't really
 help since you can go to single user at the boot prompt.
 
 -- Brooks
 
 -- 
 Any statement of the form "X is the one, true Y" is FALSE.
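
A defender's check for the setting Brooks points to, as an added example that is not part of this PR or of FreeBSD: a POSIX shell function that parses a ttys(5)-style file and reports whether the console line carries the "secure" flag (the flag that lets single-user mode come up as root without a password). It assumes the classic FreeBSD column layout and constructs its own sample file.

```shell
#!/bin/sh
# Added example, not part of PR bin/17910 or of FreeBSD: report whether a
# ttys(5)-style file marks the console "secure". With that flag, init hands
# out a root shell in single-user mode without asking for the root password;
# without it (or with "insecure"), the root password is required.
# Assumed layout (classic FreeBSD):  name getty type status... [comment]
# and the console line's getty field contains no spaces (e.g. "none").

# console_secure FILE -> exit 0 if the console is flagged secure,
#                        1 if it is not, 2 if no console line exists.
console_secure() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments, blank lines
        $1 == "console" {
            found = 1
            for (i = 4; i <= NF; i++)               # status flags start at $4
                if ($i == "secure") secure = 1
        }
        END {
            if (!found) exit 2
            exit (secure ? 0 : 1)
        }
    ' "$1"
}

# Constructed sample: the weak setting first, then the corrected file
# (the fix Brooks describes: take "secure" off the console line).
WEAK=$(mktemp); FIXED=$(mktemp)
cat > "$WEAK" <<'EOF'
# name   getty                     type    status    comments
console  none                      unknown off secure
ttyv0    "/usr/libexec/getty Pc"   cons25  on  secure
EOF
sed '/^console/s/ secure/ insecure/' "$WEAK" > "$FIXED"

for f in "$WEAK" "$FIXED"; do
    if console_secure "$f"; then
        echo "$f: console secure -> single-user root shell, no password"
    else
        echo "$f: console not secure -> single-user asks for root password"
    fi
done
rm -f "$WEAK" "$FIXED"
```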
 
State-Changed-From-To: open->closed 
State-Changed-By: sheldonh 
State-Changed-When: Tue Apr 11 05:50:36 PDT 2000 
State-Changed-Why:  
Asked and answered, closed at the originator's request. :-) 
>Unformatted:
