Message-ID: <op.w19wxvoqdyj81a@roy-xp.roytam.ath.cx>
Date: Fri, 23 Aug 2013 22:23:45 +0800
From: Roy <roytam@...il.com>
To: oss-security@...ts.openwall.com
Cc: dash@...r.kernel.org
Subject: Re: [PATCH] implement privmode support in dash

On Fri, 23 Aug 2013 19:40:31 +0800, "Jérémie Courrèges-Anglas" <jca+dash@...vbn.org> wrote:

>
> Also,
>
> Tavis Ormandy <taviso@...gle.com> writes:
>
> [...]
>
>>> Apart from that, it is better to check the return value from setuid()
>>> and similar functions. In particular, some versions of Linux may fail
>>> setuid() for [EAGAIN], leaving the process running with the same
>>> privileges.
>>
>> I don't think this is true anymore, but I have no strong objection to
>> adding it, so long as it's noted that bash and pdksh do not do this.
>
> Just for reference, from mksh:
> [snip]

BTW it is just changed in cvs.

Log message:

Commit ID: 10052176CB912FE954B
CVSROOT: /cvs
Module name: src
Changes by: tg@...c.mirbsd.org 2013/08/23 14:07:41 UTC

Modified files:
    distrib/special/mksh: Makefile
    bin/mksh : Build.sh Makefile check.t misc.c mksh.1 sh.h

Log message:
SECURITY: Unbreak “set +p”, broken by OpenBSD ksh change.

TODO: I am seriously considering following Chet and changing the way
this works, by explicitly dropping privs unless the shell is run with
-p. Every other shell does it like mksh, except Heirloom sh, which on
the other hand doesn’t know any explicit set -p or set +p (though it
doesn’t know set +foo for any foo either).

┌──┤ QUESTION: Do we need the ability to do this:
│ tg@...u:~ $ ./suidmksh -p -c 'whoami; set +p; whoami'
│ root
│ tg

If not, I’m seriously considering to drop set ±p as well, only parse
-p on the command line, with +p being the default, and dropping
FPRIVILEGED.

Thanks to RT for noticing and jilles for initial follow-up discussion,
as well as Chet Ramey for doing the sane/secure thing instead of
following Debian.

To generate a diff of this changeset, execute the following commands:

cvs -R rdiff -kk -upr1.71 -r1.72 src/distrib/special/mksh/Makefile
cvs -R rdiff -kk -upr1.645 -r1.646 src/bin/mksh/Build.sh
cvs -R rdiff -kk -upr1.124 -r1.125 src/bin/mksh/Makefile
cvs -R rdiff -kk -upr1.630 -r1.631 src/bin/mksh/check.t
cvs -R rdiff -kk -upr1.214 -r1.215 src/bin/mksh/misc.c
cvs -R rdiff -kk -upr1.320 -r1.321 src/bin/mksh/mksh.1
cvs -R rdiff -kk -upr1.668 -r1.669 src/bin/mksh/sh.h
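
The following C sketch is an added example, not part of the message above and not code from dash, bash or mksh. It shows the two points raised in the thread: resetting the effective IDs at startup unless -p is given, and checking the return values of setgid() and setuid() so that a failed call cannot leave the shell running privileged. The function names must_drop and drop_privileges are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: a drop is needed when the real and effective IDs
 * differ (set-user-ID or set-group-ID binary) and -p was not given. */
int must_drop(uid_t uid, uid_t euid, gid_t gid, gid_t egid, int pflag)
{
    return !pflag && (uid != euid || gid != egid);
}

/* Hypothetical helper: reset the effective IDs to the real ones.
 * Returns 0 on success, -1 if any step failed. The group goes first,
 * because after setuid() the process may no longer be allowed to
 * change its group ID. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (setgid(gid) != 0) {
        perror("setgid");
        return -1;
    }
    if (setuid(uid) != 0) {   /* can fail, e.g. with EAGAIN as noted in the thread */
        perror("setuid");
        return -1;
    }
    /* Verify the result instead of trusting the calls alone. */
    if (geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    int pflag = (argc > 1 && strcmp(argv[1], "-p") == 0);

    if (must_drop(getuid(), geteuid(), getgid(), getegid(), pflag) &&
        drop_privileges() != 0) {
        /* Fail closed: never continue with privileges that were meant to go. */
        fputs("cannot drop privileges, refusing to continue\n", stderr);
        return 1;
    }
    printf("uid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());
    return 0;
}
```
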