From nobody@FreeBSD.org  Fri May 18 04:11:15 2007
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 6DFE216A401
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 18 May 2007 04:11:15 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [69.147.83.33])
	by mx1.freebsd.org (Postfix) with ESMTP id 5F1B513C458
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 18 May 2007 04:11:15 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id l4I4BFTl088951
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 18 May 2007 04:11:15 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id l4I46DaY088461;
	Fri, 18 May 2007 04:06:13 GMT
	(envelope-from nobody)
Message-Id: <200705180406.l4I46DaY088461@www.freebsd.org>
Date: Fri, 18 May 2007 04:06:13 GMT
From: Ighighi<ighighi@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [ports]: VERY SERIOUS security bug in sysutils/eject
X-Send-Pr-Version: www-3.0

>Number:         112754
>Category:       ports
>Synopsis:       VERY SERIOUS security bug in sysutils/eject
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 18 04:20:01 GMT 2007
>Closed-Date:    Sat Aug 04 09:33:42 GMT 2007
>Last-Modified:  Sat Aug  4 09:40:02 GMT 2007
>Originator:     Ighighi
>Release:        6.2-STABLE
>Organization:
>Environment:
FreeBSD orion 6.2-STABLE FreeBSD 6.2-STABLE #0: Wed May 16 13:47:58 VET 2007     root@orion:/usr/obj/usr/src/sys/CUSTOM  i386
>Description:
/usr/local/sbin/eject is installed setuid to root by default and the -f (force) option can be used by ANY user to unmount virtually any partition in /dev that he/she didn't mount.

NOTES:

+ 1.- The most sensible way to do this would be to call /sbin/umount directly after dropping privileges or import its functionality and/or check both the MNT_USER flag in struct statfs's f_flags and f_owner and the real user ID.  All of this is too much overkill for a program that essentially performs the same function that commands such as cdcontrol(8) and camcontrol(8) already do for ATAPI & ATAPI-CAM/SCSI CD-ROMS respectively, without root privileges and better... with /etc/devfs.conf providing enough flexibility and being well documented in the handbook.

+ 2.- This program seems to me to be to have been coded with absolutely no security in mind at all as if the "BINMODE= 4555" line in the Makefile was added later.  It doesn't check the return value of some functions (the call to strdup() for example), no use of "const char *", uninitialized integers (e.g, "sts"), etc.  Check also and line 145 of eject.c .  The output of "gcc -Wall" (after the system's patches have been applied) is:
$ gcc -Wall eject.c
eject.c:63: warning: return type defaults to `int'
eject.c: In function `check_device':
eject.c:145: warning: char format, pointer arg (arg 3)
eject.c: In function `unmount_fs':
eject.c:192: warning: left-hand operand of comma expression has no effect

+ 3.- It happens independently of the value of vfs.usermount.  (This is expected behavior anyway).

+ 4.- A shell script of mine is available to anyone upon request that extends the functionality of eject(1) that adds a -t option to close the CD tray that was never implemented by judging at CVS logs.  It could be extended to use camcontrol so "camcontrol eject -n cd -u 0 -v" is analogous to "cdcontrol -f /dev/acd0 eject" to manage /dev/cdX devices.

+ 5.- A few months back, when the ext2fs wasn't as stable as it is today, I could have panicked my system with the Poc above.

+ 6. I just hope no problem arises from this advisory so no karma will ever reach me. =)
>How-To-Repeat:
$ /bin/ls -lo /usr/local/sbin/eject
-r-sr-xr-x  1 root  wheel  - 5872 Jun 26  2006 /usr/local/sbin/eject

$ id
uid=501(ighighi) gid=501(ighighi) groups=501(ighighi),69(network)

$ /sbin/mount | grep ad3s7
/dev/ad3s7 on /mnt/linux/var (ext2fs, local, noatime, nosuid, read-only)

$ /usr/local/sbin/eject -vf /dev/ad3s7
eject: using device
eject: /dev/ad3s7 mounted on /mnt/linux/var
eject: force unmounting /mnt/linux/var
eject: ejecting media from /dev/ad3s7
eject: Inappropriate ioctl for device

$ /sbin/mount -v | grep ad3s7

>Fix:
Attached patch available (copy it to /usr/ports/sysutils/eject/files/ as patch-Makefile and reinstall) or simply run:
chmod -s /usr/local/sbin/eject


Patch attached with submission follows:

#
# (c) 2007 by Ighighi
#
# To enable this patch copy it to /usr/ports/sysutils/eject/files
# and reinstall
#

--- Makefile.orig	Tue Jan  4 10:32:55 2000
+++ Makefile	Thu May 17 05:25:57 2007
@@ -5,7 +5,7 @@
 PROG= eject
 
 BINOWN= root
-BINMODE= 4555
+BINMODE= 555
 BINDIR= ${PREFIX}/sbin
 
 MANDIR= ${PREFIX}/man/man

>Release-Note:
>Audit-Trail:

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/112754: commit references a PR
Date: Thu, 31 May 2007 12:17:12 +0000 (UTC)

 simon       2007-05-31 12:17:06 UTC
 
   FreeBSD ports repository
 
   Modified files:
     sysutils/eject       Makefile 
   Log:
   For now mark FORBIDDEN since it's setuid root and has security issues.
   This should probably be handled as mentioned in the PR, but I don't have
   time to look more into this right now.
   
   PR:             ports/112754
   Prodded by:     Ighighi<ighighi@gmail.com>
   
   Revision  Changes    Path
   1.12      +2 -0      ports/sysutils/eject/Makefile
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 

From: Cristian KLEIN <cristi@net.utcluj.ro>
To: bug-followup@FreeBSD.org,  ighighi@gmail.com
Cc:  
Subject: Re: ports/112754: VERY SERIOUS security bug in sysutils/eject
Date: Wed, 18 Jul 2007 15:01:17 +0300

 Besides the change suggested by the reporter, I would also recommend the 
 following pkg-message:
 
 NOTE: This port is no longer installed with SETUID, because it allows 
 non-privileged users to unmount a filesystem. To enable your users to 
 eject the CD-ROM, install security/sudo and enter the following line in 
 /usr/local/etc/sudoers:
 
 %users  ALL=/usr/local/sbin/eject /dev/acd0
 

From: "Ighighi Ighighi" <ighighi@gmail.com>
To: "Cristian KLEIN" <cristi@net.utcluj.ro>
Cc: bug-followup@freebsd.org
Subject: Re: ports/112754: VERY SERIOUS security bug in sysutils/eject
Date: Wed, 18 Jul 2007 20:01:30 -0400

 The setuid bit isn't necessary...
 
 It's documented in the handbook how to setup /etc/devfs.conf.
 Most people use the "operator" group for this but you may as well create "media"
 
 $ grep acd0 /etc/devfs.conf
 link    acd0    cdrom
 own     acd0    root:media
 perm    acd0    0660
 
 So, if "cdcontrol -f /dev/acd0 eject" works, there's no need at all
 for setuid eject(8).
 
 IMO, it's bad practice to abuse such bits when permissions suffice.
 
 On 7/18/07, Cristian KLEIN <cristi@net.utcluj.ro> wrote:
 > Besides the change suggested by the reporter, I would also recommend the
 > following pkg-message:
 >
 > NOTE: This port is no longer installed with SETUID, because it allows
 > non-privileged users to unmount a filesystem. To enable your users to
 > eject the CD-ROM, install security/sudo and enter the following line in
 > /usr/local/etc/sudoers:
 >
 > %users  ALL=/usr/local/sbin/eject /dev/acd0
 >
 >
State-Changed-From-To: open->closed 
State-Changed-By: sem 
State-Changed-When: Sat Aug 4 09:33:41 UTC 2007 
State-Changed-Why:  
Committed. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=112754 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/112754: commit references a PR
Date: Sat,  4 Aug 2007 09:33:27 +0000 (UTC)

 sem         2007-08-04 09:33:17 UTC
 
   FreeBSD ports repository
 
   Modified files:
     sysutils/eject       Makefile 
   Added files:
     sysutils/eject       pkg-message 
     sysutils/eject/files patch-Makefile 
   Log:
   - Remove FORBIDDEN
   - Add a patch to prevent install suid executable and message about it.
   
   PR:             ports/112754
   Submitted by:   Ighighi <ighighi@gmail.com>, Cristian KLEIN <cristi@net.utcluj.ro>
   
   Revision  Changes    Path
   1.13      +2 -3      ports/sysutils/eject/Makefile
   1.1       +11 -0     ports/sysutils/eject/files/patch-Makefile (new)
   1.1       +8 -0      ports/sysutils/eject/pkg-message (new)
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
>Unformatted:
