Re: SECURITY: Red Hat Linux 5.1 linuxconf bug

[jimd () STARSHINE ORG (Jim Dennis)]

On Thu, 28 May 1998, Michael K. Johnson wrote:

> > In Red Hat Linux 5.1, linuxconf version 1.11r11-rh2 was inadvertantly
> > setuid root.  This creates the potential for security holes that allow
> > attackers to gain root access to your machine.  (Users of Red Hat
> > Linux 5.0 and earlier are NOT affected, as linuxconf was not included
> > with any previous version of Red Hat Linux.)
> >
> > If you have installed Red Hat Linux 5.1, you can immediately remove
> > the danger by logging in as root and running the command:
> >
> >       chmod -s /bin/linuxconf
> >
> > We also recommend that you update to the latest version of linuxconf,
> > linuxconf-1.11r11-rh3, which fixes this bug.
> > Thanks to BUGTRAQ for finding and reporting this.

> the binary RPMs have always been shipped with suid linuxconf. Does this
> announce mean that linuxconf has been found insecure, so that is MUST not
> be used suid ? I haven't seen anything about linuxconf on BUGTRAQ, apart
> from your posting.

        I don't know if linuxconf has any security wholes (and I'm
        not qualified to audit the sources).....

> The fact is, linuxconf's most valuable feature, to me, is the possibility
> to delegate user administration. If i drop SUID, i cannot do that anymore
> - right ? And i cannot use remote admin, too.

        .... however even it linuxconf has some insecurities, you
        could strip the "world" bits, chgrp it to something appropriate
        ("wheel"?) and leave it SUID/root.

        I think most SUID programs should default to being configured
        this way --- so that only members of the appropriately trusted
        group is allowed to attempt exploits using it.

        You could also further protect it by hiding it behind 'sudo'.

> So, if linuxconf is so insecure that one cannot dare having it suid, it
> almost becomes useless.

        I don't think so.  It still contains quite a bit of "knowlege"
        about the various configuration files --- helping the sysadmin
        create new DNS zone maps, and the like with a much easier
        interface than a text editor and a pile of man pages.

        If it can help sysadmin's by preventing stupid syntactically
        mistakes in the sorts of config files that we rarely edit
        it still may be quite valuable, even to experienced sysadmins
        --- and even to some degrees that relate to improving security.

        (Let me tell you about the stray space in a wuftpd ftpaccess
        file that had some kiddies creating stray "warez" directories
        some time.  Don't follow those commas with spaces!).

> Could you (Michael, Jacques) please clarify about Linuxconf security ?
> It is fundamental to know whether the security risks are only from local
> users, or also from external attacks.

        It would be nice to hear about specific, known security
        concerns.  It would be less comforting to hear that linuxconf
        is "not known to contain any buffer overflow or race condition
        bugs."  What would inspire a bit more confidence is a couple
        of independent reports from qualified auditors who specifically
        looked for them.

> Is there somebody doing security auditing on Linuxconf ?
>       Cheers, Sergio

        I would really like to see Red Hat, Caldera, S.u.S.E. and
        a few of the other commercial Linux distributors and vendors
        pitch in to a comprehensive security audit of the whole
        Linux source tree.  Currently the OpenBSD camp is severely
        whuppin' us in that area.

        I would vote to have LI (Linux International) create a
        special fund for it --- and solicit donations.  If they do
        --- I'll send money tomorrow.

--
Jim Dennis  (800) 938-4078              consulting () starshine org
Proprietor, Starshine Technical Services:  http://www.starshine.org