Re: ncurses 4.1 security bug

[perry () piermont com (Perry E. Metzger)]

Alan Cox writes:
> > Duncan Simpson writes:
> > > ncurses version 4.1 fails to drop priviledges before opening the
> > > termcap database and you can set any file(s) you like.
> >
> > This is not a bug. ncurses is a *library*, not a *program*. It is up
> > to suid programs to drop privileges, not every call that invokes them --
> > or are you going to declare the fact that fopen() doesn't drop
> > privileges a "bug"?
>
> Depends how you care to look at it. I can agree with your reasoning.
>
> In which case there is a bug in
>       screen   (as root so very bad)
>       dosemu
>       mutt
>       several bsd-games packages

There are indeed many such bugs.

SUID programs should drop privs almost immediately. The number of
possible places such issues can lurk is semi-infinite. You'll never
get all of them. You *can*, however, drop privs almost instantly.

> anywhere on the planet today. Also of course any setuid/setgid applications
> using NLS or TZ. The latter is far nastier because
>
> 1.    The libraries will use message catalogs and may open them before
>       you do

In NetBSD, the message catalogs we use don't work that way, so I
suppose I'm not familiar with this issue.

> 2.    If you are using C++ your constructors can't call libc in this case
>       as the order of constructors isnt defined

???

Why not just drop privs at the beginning as you are supposed to?

> 4.    Dropping TZ or NLS when setuid is really obnoxious - Japanese users
>       will love having mutt, screen, and things like su in English.

So don't drop them -- drop privs *first*.

Sigh.

Perry