From pavalos@theshell.com  Sat Nov 17 22:10:37 2001
Return-Path: <pavalos@theshell.com>
Received: from theshell.com (arsenic.theshell.com [63.236.138.5])
	by hub.freebsd.org (Postfix) with SMTP id 83AAF37B405
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 17 Nov 2001 22:10:36 -0800 (PST)
Received: (qmail 43987 invoked by uid 500); 18 Nov 2001 06:10:36 -0000
Message-Id: <20011118061036.43986.qmail@theshell.com>
Date: 18 Nov 2001 06:10:36 -0000
From: Peter Avalos <pavalos@theshell.com>
Reply-To: Peter Avalos <pavalos@theshell.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: setuid w/o immutable flag
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         32072
>Category:       bin
>Synopsis:       setuid w/o immutable flag
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 17 22:20:01 PST 2001
>Closed-Date:    Wed Feb 11 07:41:03 PST 2004
>Last-Modified:  Wed Feb 11 07:41:03 PST 2004
>Originator:     Peter Avalos
>Release:        FreeBSD 4.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD arsenic.theshell.com 4.4-STABLE FreeBSD 4.4-STABLE #0: Sat Nov 17 15:44:56 PST 2001 pavalos@arsenic.theshell.com:/usr/obj/usr/src/sys/ARSENIC i386


	
>Description:
	It seems smart to set the immutable flag on files that are installed
setuid. There are some binaries that do not get the the immutable flag set
when they are installed. If someone did acquire root (all of these files are
setuid root) then they wouldn't be able to replace the binary with a trojanned
one if securelevel > 0 and schg set.
>How-To-Repeat:
	
>Fix:
Below are some unified diffs for some makefiles that install setuid binaries
w/o the immutable flag. I'm not 100% confident about these diffs, and I run a
RELENG_4 box so caveat emptor. Most of the diffs are against HEAD, except for
keyinfo and keyinit which are only in RELENG_4. If I'm totally off my rocker,
feel free to close this PR.


Index: sbin/ping/Makefile
===================================================================
RCS file: /home/ncvs/src/sbin/ping/Makefile,v
retrieving revision 1.16
diff -u -r1.16 Makefile
--- sbin/ping/Makefile	13 Sep 2001 06:48:15 -0000	1.16
+++ sbin/ping/Makefile	18 Nov 2001 05:32:24 -0000
@@ -5,6 +5,7 @@
 MAN=	ping.8
 BINOWN=	root
 BINMODE=4555
+INSTALLFLAGS=-fschg
 CFLAGS+=-Wall -Wmissing-prototypes
 .if ${MACHINE_ARCH} == "alpha"
 CFLAGS+=-fno-builtin	# GCC's builtin memcpy doesn't do unaligned copies
Index: sbin/ping6/Makefile
===================================================================
RCS file: /home/ncvs/src/sbin/ping6/Makefile,v
retrieving revision 1.7
diff -u -r1.7 Makefile
--- sbin/ping6/Makefile	13 Sep 2001 06:48:15 -0000	1.7
+++ sbin/ping6/Makefile	18 Nov 2001 05:33:29 -0000
@@ -7,6 +7,7 @@
 
 BINOWN=	root
 BINMODE=4555
+INSTALLFLAGS=-fschg
 
 LDADD=	-lipsec -lmd
 DPADD= ${LIBIPSEC} ${LIBMD}
Index: sbin/shutdown/Makefile
===================================================================
RCS file: /home/ncvs/src/sbin/shutdown/Makefile,v
retrieving revision 1.7
diff -u -r1.7 Makefile
--- sbin/shutdown/Makefile	13 Sep 2001 06:48:15 -0000	1.7
+++ sbin/shutdown/Makefile	18 Nov 2001 05:42:35 -0000
@@ -7,5 +7,6 @@
 BINOWN=	root
 BINGRP=	operator
 BINMODE=4550
+INSTALLFLAGS=-fschg
 
 .include <bsd.prog.mk>
Index: usr.bin/at/Makefile
===================================================================
RCS file: /home/ncvs/src/usr.bin/at/Makefile,v
retrieving revision 1.13
diff -u -r1.13 Makefile
--- usr.bin/at/Makefile	13 Sep 2001 06:48:16 -0000	1.13
+++ usr.bin/at/Makefile	18 Nov 2001 05:43:09 -0000
@@ -14,6 +14,7 @@
 
 BINOWN=	root
 BINMODE= 4555
+INSTALLFLAGS=-fschg
 CLEANFILES+= at.1
 
 at.1: at.man
Index: usr.bin/chpass/Makefile
===================================================================
RCS file: /home/ncvs/src/usr.bin/chpass/Makefile,v
retrieving revision 1.24
diff -u -r1.24 Makefile
--- usr.bin/chpass/Makefile	13 Sep 2001 06:48:16 -0000	1.24
+++ usr.bin/chpass/Makefile	18 Nov 2001 05:43:40 -0000
@@ -9,6 +9,7 @@
 	yppasswd_private_clnt.c yppasswd_private_xdr.c
 BINOWN=	root
 BINMODE=4555
+INSTALLFLAGS=-fschg
 .PATH:	${.CURDIR}/../../usr.sbin/pwd_mkdb ${.CURDIR}/../../usr.sbin/vipw \
 	${.CURDIR}/../../libexec/ypxfr \
 	${.CURDIR}/../../usr.sbin/rpc.yppasswdd \
Index: usr.bin/keyinfo/Makefile
===================================================================
RCS file: /home/ncvs/src/usr.bin/keyinfo/Attic/Makefile,v
retrieving revision 1.4.6.2
diff -u -r1.4.6.2 Makefile
--- usr.bin/keyinfo/Makefile	6 Nov 2001 03:36:33 -0000	1.4.6.2
+++ usr.bin/keyinfo/Makefile	18 Nov 2001 05:50:35 -0000
@@ -5,6 +5,7 @@
 DPADD=	${LIBSKEY} ${LIBCRYPT} ${LIBMD}
 LDADD=	-lskey -lcrypt -lmd
 BINMODE=4555
+INSTALLFLAGS=-fschg
 WARNS?=1
 
 .include <bsd.prog.mk>
Index: usr.bin/keyinit/Makefile
===================================================================
RCS file: /home/ncvs/src/usr.bin/keyinit/Attic/Makefile,v
retrieving revision 1.6.6.1
diff -u -r1.6.6.1 Makefile
--- usr.bin/keyinit/Makefile	25 Apr 2001 11:29:24 -0000	1.6.6.1
+++ usr.bin/keyinit/Makefile	18 Nov 2001 05:51:47 -0000
@@ -7,6 +7,7 @@
 CFLAGS+= -D_SKEY_INTERNAL
 
 BINMODE=4555
+INSTALLFLAGS=-fschg
 
 DPADD=	${LIBSKEY} ${LIBCRYPT} ${LIBMD}
 LDADD=	-lskey -lcrypt -lmd
Index: usr.bin/lock/Makefile
===================================================================
RCS file: /home/ncvs/src/usr.bin/lock/Makefile,v
retrieving revision 1.7
diff -u -r1.7 Makefile
--- usr.bin/lock/Makefile	13 Sep 2001 06:48:17 -0000	1.7
+++ usr.bin/lock/Makefile	18 Nov 2001 05:44:05 -0000
@@ -4,6 +4,7 @@
 PROG=	lock
 BINOWN=	root
 BINMODE=4555
+INSTALLFLAGS=-fschg
 DPADD=	${LIBCRYPT}
 LDADD=	-lcrypt
 
Index: usr.bin/quota/Makefile
===================================================================
RCS file: /home/ncvs/src/usr.bin/quota/Makefile,v
retrieving revision 1.4
diff -u -r1.4 Makefile
--- usr.bin/quota/Makefile	13 Sep 2001 06:48:17 -0000	1.4
+++ usr.bin/quota/Makefile	18 Nov 2001 05:44:23 -0000
@@ -4,6 +4,7 @@
 PROG=	quota
 BINOWN=	root
 BINMODE=4555
+INSTALLFLAGS=-fschg
 
 DPADD=	${LIBRPCSVC}
 LDADD=	-lrpcsvc
Index: usr.sbin/mrouted/mrinfo/Makefile
===================================================================
RCS file: /home/ncvs/src/usr.sbin/mrouted/mrinfo/Makefile,v
retrieving revision 1.15
diff -u -r1.15 Makefile
--- usr.sbin/mrouted/mrinfo/Makefile	13 Sep 2001 06:48:15 -0000	1.15
+++ usr.sbin/mrouted/mrinfo/Makefile	18 Nov 2001 05:44:49 -0000
@@ -7,6 +7,7 @@
 MAN=	mrinfo.8
 BINOWN=	root
 BINMODE= 4555
+INSTALLFLAGS=-fschg
 
 CFLAGS+= -I$S
 
Index: usr.sbin/mrouted/mtrace/Makefile
===================================================================
RCS file: /home/ncvs/src/usr.sbin/mrouted/mtrace/Makefile,v
retrieving revision 1.14
diff -u -r1.14 Makefile
--- usr.sbin/mrouted/mtrace/Makefile	13 Sep 2001 06:48:16 -0000	1.14
+++ usr.sbin/mrouted/mtrace/Makefile	18 Nov 2001 05:45:10 -0000
@@ -7,6 +7,7 @@
 MAN=	mtrace.8
 BINOWN=	root
 BINMODE= 4555
+INSTALLFLAGS=-fschg
 
 CFLAGS+= -I$S
 
Index: usr.sbin/pppd/Makefile
===================================================================
RCS file: /home/ncvs/src/usr.sbin/pppd/Makefile,v
retrieving revision 1.23
diff -u -r1.23 Makefile
--- usr.sbin/pppd/Makefile	24 Jul 2001 02:37:48 -0000	1.23
+++ usr.sbin/pppd/Makefile	18 Nov 2001 05:45:31 -0000
@@ -10,6 +10,7 @@
 BINMODE=4550
 BINOWN=	root
 BINGRP=	dialer
+INSTALLFLAGS=-fschg
 
 CFLAGS+= -DHAVE_PATHS_H
 
Index: usr.sbin/sendmail/Makefile
===================================================================
RCS file: /home/ncvs/src/usr.sbin/sendmail/Makefile,v
retrieving revision 1.35
diff -u -r1.35 Makefile
--- usr.sbin/sendmail/Makefile	14 Sep 2001 11:03:34 -0000	1.35
+++ usr.sbin/sendmail/Makefile	18 Nov 2001 05:46:05 -0000
@@ -19,6 +19,7 @@
 	version.c
 BINOWN=	root
 BINMODE=4555
+INSTALLFLAGS=-fschg
 
 # Define the database format to use for aliases et al.
 DBMDEF=	-DNEWDB
Index: usr.sbin/timed/timedc/Makefile
===================================================================
RCS file: /home/ncvs/src/usr.sbin/timed/timedc/Makefile,v
retrieving revision 1.7
diff -u -r1.7 Makefile
--- usr.sbin/timed/timedc/Makefile	13 Sep 2001 06:48:16 -0000	1.7
+++ usr.sbin/timed/timedc/Makefile	18 Nov 2001 05:46:26 -0000
@@ -8,6 +8,7 @@
 SRCS=	cmds.c cmdtab.c timedc.c byteorder.c measure.c cksum.c
 BINOWN=	root
 BINMODE= 4555
+INSTALLFLAGS=-fschg
 
 .include "../../Makefile.inc"
 .include <bsd.prog.mk>
Index: usr.sbin/traceroute/Makefile
===================================================================
RCS file: /home/ncvs/src/usr.sbin/traceroute/Makefile,v
retrieving revision 1.18
diff -u -r1.18 Makefile
--- usr.sbin/traceroute/Makefile	13 Sep 2001 06:48:16 -0000	1.18
+++ usr.sbin/traceroute/Makefile	18 Nov 2001 05:46:49 -0000
@@ -8,6 +8,7 @@
 SRCS=	version.c traceroute.c
 BINOWN=	root
 BINMODE=4555
+INSTALLFLAGS=-fschg
 CLEANFILES=	version.c
 
 CFLAGS+= -DHAVE_SYS_SELECT_H=1 -DHAVE_SYS_SYSCTL_H=1 \
Index: usr.sbin/traceroute6/Makefile
===================================================================
RCS file: /home/ncvs/src/usr.sbin/traceroute6/Makefile,v
retrieving revision 1.7
diff -u -r1.7 Makefile
--- usr.sbin/traceroute6/Makefile	13 Sep 2001 06:52:42 -0000	1.7
+++ usr.sbin/traceroute6/Makefile	18 Nov 2001 05:47:01 -0000
@@ -17,6 +17,7 @@
 MAN=	traceroute6.8
 BINOWN=	root
 BINMODE= 4555
+INSTALLFLAGS=-fschg
 
 CFLAGS+= -DINET6 -DIPSEC -DHAVE_POLL
 
 
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: cperciva 
State-Changed-When: Wed Feb 11 07:37:00 PST 2004 
State-Changed-Why:  
This is not a useful security mechanism against an attacker 
who already has root access.  Feel free to read the archives 
and/or post to freebsd-security for a more in-depth discussion 
about the (lack of) merits of securelevel. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=32072 
>Unformatted:
