From jgreco@aurora.sol.net  Tue Jul  7 12:18:17 1998
Received: from aurora.sol.net (jgreco@aurora.sol.net [206.55.65.76])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA19124
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 7 Jul 1998 12:18:14 -0700 (PDT)
          (envelope-from jgreco@aurora.sol.net)
Received: (from jgreco@localhost)
	by aurora.sol.net (8.8.8/8.8.8/SNNS-1.02) id OAA02914;
	Tue, 7 Jul 1998 14:17:46 -0500 (CDT)
Message-Id: <199807071917.OAA02914@aurora.sol.net>
Date: Tue, 7 Jul 1998 14:17:45 -0500 (CDT)
From: Joe Greco <jgreco@solaria.sol.net>
To: nathan@rtfm.net
Cc: FreeBSD-gnats-submit@freebsd.org
In-Reply-To: <199807071632.MAA20346@limbo.rtfm.net> from "nathan@rtfm.net" at "Jul 7, 98 12:32:44 pm"
Subject: Patch breaks tripwire security paradigm

>Number:         7200
>Category:       ports
>Synopsis:       Patch breaks tripwire security paradigm
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul  7 12:20:00 PDT 1998
>Closed-Date:    Tue Jul 28 10:54:25 PDT 1998
>Last-Modified:  Tue Jul 28 10:55:25 PDT 1998
>Originator:     
>Release:        
>Organization:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-ports 
Responsible-Changed-By: steve 
Responsible-Changed-When: Sun Jul 12 17:17:19 PDT 1998 
Responsible-Changed-Why:  
Misfiled PR. 
State-Changed-From-To: open->closed 
State-Changed-By: obrien 
State-Changed-When: Tue Jul 28 10:54:25 PDT 1998 
State-Changed-Why:  
Why wasn't this sent in as an addition to PR #7197 rather than a new PR? 
I missed this one and applied the patch you DIDN'T want applied in PR #7197. 
. 
>Unformatted:
This is a very bad patch, and should not be applied to any production
FreeBSD system.

Root's home for many purposes is, indeed, /, and a ".cshrc" and ".profile"
is shipped with FreeBSD to support this.  Many folks, myself included,
choose to expand on the supplied files, for a variety of reasons.

While /root may be where root "logs in" when the system is multiuser, 
these files still need to be protected, and the template was generated 
by properly iterating through a newly installed FreeBSD system, including
all of the existing and likely-to-exist exploitable files and directories.

/root itself is protected by R-2 protections in the default config file,
so your patch incorrectly covers those files twice.

This means that you have just _removed_ protection from several files in
/ that are actively used in singleuser mode.  This means that a perp
could easily alter the files, and the changes would go unnoticed during
a tripwire security check, and the next time you enter singleuser mode,
that "mount -a; rm -fr /" that the perp snuck into /.profile would run. 
You're screwed.  That's why those files were protected.

If you don't like the error messages, then for chrissakes, _edit_ the 
file on your local systems.  It was designed as a prototype example that
covered most of the likely things that can be predicted on a FreeBSD
system.  It isn't designed to be the final config file used by the entire
world.  That's why there's a comment at the top of it that says:

# Generic version for FreeBSD
#  Will need editing...see comments below

I have to edit it on my systems, because I routinely add new root-level
filesystems such as "/www", "/squid", "/news", "/ftp",  etc. to provide 
minimally-invasive hosting of services on a machine.  That's a "local 
thing" that most other sites aren't likely to do, so none of that is
in the default configuration, but anything that _is_ likely and can
result in an exploitable security hole, should be in that file.

It _should_ come out of the box as reasonably strong as possible,
and that's what it does/did before your patch.

To make a long story short, it wasn't broken, those files are listed for
a reason, /root is already protected, and this patch substantially weakens
single-user security.  It's Wrong.  Kill it dead.

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator			      jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI			   414/342-4847


> >Submitter-Id:   current-users
> >Originator:     Nathan Dorfman <nathan@rtfm.net>
> >Organization:   RTFM.net
> >Confidential:   no
> >Synopsis:       root's home incorrect in tripwire default config
> >Severity:       non-critical
> >Priority:       medium
> >Category:       ports
> >Release:        FreeBSD 3.0-CURRENT i386
> >Class:          sw-bug
> >Environment: 
> 
> FreeBSD limbo 3.0-CURRENT FreeBSD 3.0-CURRENT #9: Wed Jul  1 00:54:13 EDT 1998
> nathan@limbo:/usr/src/sys/compile/LIMBO  i386
> 
> >Description: 
> 
> 	The default tripwire configuration file for FreeBSD (in
> 	work/tripwire-1.2/configs/tw.conf.freebsd2) seems to assume / as
> 	root's home directory. It checks for dotfiles there. These files
> 	don't exist, and will generate errors in integrity check mode. The
> 	problem is that the *real* files in /root don't get checked.
> 
> >How-To-Repeat: 
> 
> 	Install the tripwire port, and generate, then check a database
> 	using the default configuration.
> 
> >Fix: 
> 	
> 75,81s/^/\/root/ - patch included because, frankly, I need
>                    to pass the time :\
> 
> *** tw.conf.freebsd2	Tue May 12 22:03:19 1998
> --- tw.conf.freebsd2.n	Tue Jul  7 12:20:57 1998
> ***************
> *** 72,84 ****
>   
>   #  First, root's "home"
>   =/		L
> ! /.rhosts	R	# may not exist
> ! /.profile	R	# may not exist
> ! /.cshrc		R	# may not exist
> ! /.login		R	# may not exist
> ! /.exrc		R	# may not exist
> ! /.logout	R	# may not exist
> ! /.forward	R	# may not exist
>   
>   # Unix itself
>   /kernel		R
> --- 72,84 ----
>   
>   #  First, root's "home"
>   =/		L
> ! /root/.rhosts	R	# may not exist
> ! /root/.profile	R	# may not exist
> ! /root/.cshrc	R	# may not exist
> ! /root/.login	R	# may not exist
> ! /root/.exrc	R	# may not exist
> ! /root/.logout	R	# may not exist
> ! /root/.forward	R	# may not exist
>   
>   # Unix itself
>   /kernel		R
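Review bot: the hunk substitutes `/root/` for the seven `/.*` entries instead of adding `/root/.*` entries beside them, so `/.profile`, `/.cshrc`, `/.login` and the rest drop out of the check entirely; the reply above points out that these are the files read in single-user mode and that `/root` is already covered by an R-2 entry, which makes the new lines redundant and the removals a loss of coverage. If the goal is only to silence the "may not exist" errors, keep the original lines (or drop the `# may not exist` entries in a local copy) and add `/root` entries rather than replacing them.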
> 
> 


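As an added example (not from this PR thread or the tripwire port), a toy tripwire-style check in Python over a constructed file snapshot, showing what the reply argues: with the original entries a change to /.profile is reported, with the patched entries it is not, and the added /root/.* entries duplicate the R-2 coverage of /root. The tw.conf syntax is a simplified subset and all file contents are constructed.

```python
import hashlib
# Simplified tw.conf excerpts, constructed for this example: only the path and the
# "=" prefix (inode only, do not descend) are interpreted; masks are kept as text.
ORIGINAL_CONF = """
=/              L
/.profile       R    # may not exist
/.cshrc         R    # may not exist
/root           R-2
"""
PATCHED_CONF = """
=/              L
/root/.profile  R    # may not exist
/root/.cshrc    R    # may not exist
/root           R-2
"""

# Constructed snapshots (path -> contents). /.profile is what single-user mode
# reads; the "after" snapshot has an unauthorized line appended to it.
FILES_BEFORE = {"/.profile": "umask 022\n", "/.cshrc": "setenv EDITOR vi\n",
                "/root/.profile": "umask 022\n", "/root/.cshrc": "setenv EDITOR vi\n"}
FILES_AFTER = {**FILES_BEFORE, "/.profile": "umask 022\n# constructed change\n"}

def covered_paths(conf, files):
    """Files the config checks: exact matches plus everything below a directory
    entry unless it is prefixed with "=". Duplicates are kept on purpose."""
    covered = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        entry = line.split()[0]
        no_descend, path = entry.startswith("="), entry.lstrip("=")
        prefix = path.rstrip("/") + "/"
        covered += [f for f in files
                    if f == path or (not no_descend and f.startswith(prefix))]
    return covered

def duplicates(conf, files):
    """Files covered by more than one entry (here: /root R-2 already covers /root/.*)."""
    seen = covered_paths(conf, files)
    return sorted({f for f in seen if seen.count(f) > 1})

def fingerprint(files, path):
    """Content hash, or None when the file does not exist ("may not exist")."""
    return hashlib.sha256(files[path].encode()).hexdigest() if path in files else None

def integrity_check(conf, baseline, current):
    """Covered files whose fingerprint differs between the two snapshots."""
    paths = set(covered_paths(conf, baseline)) | set(covered_paths(conf, current))
    return sorted(p for p in paths if fingerprint(baseline, p) != fingerprint(current, p))
```

Running `integrity_check` with `ORIGINAL_CONF` reports `/.profile`; with `PATCHED_CONF` it reports nothing, and `duplicates(PATCHED_CONF, FILES_BEFORE)` lists the two /root dotfiles covered twice.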
