Re: Dangerous permissions in unitedlinux

[Roman Drahtmueller <draht () suse de>]

-----BEGIN PGP SIGNED MESSAGE-----

Hello Knud,

While all of the four UnitedLinux partners Conectiva, SCO, TurboLinux and
SuSE have greatly contributed to what UnitedLinux is today, SuSE has the
role of the product integrator of UnitedLinux 1.0. I'm answering as head
of security at SuSE.

> Attached document explains all.
>
> Rant: People using a product called 'antigen' should be shot, stabbed, and

No comment on the rant...

[quotes strongly shortened]

> According to the vendor "UnitedLinux addresses enterprise customers'
> needs for a high quality, low cost, standards-based Linux environment
> that enables the widespread adoption of Linux."
> II. DESCRIPTION
> The folders below /usr/src/packages/ ships with the following permissions:
> drwxrwxrwt, which makes it writeable by all users.
> III. ANALYSIS
> This makes way for planting of rogue source, ultimately leading to a full
> system compromise.
> IV. DETECTION
> UnitedLinux 1.0 (i586) beta3 is found to be vulnerable.

Generally, it might be a bad idea to report security related problems in a
beta after the product has been released. But anyway: The final
UnitedLinux 1.0 products contain the same setup: All directories within
/usr/src/packages are world-writeable with the t-flag set (mode 1777).

The modes have been set like this intentionally to make it possible for a
non-root user to (re)build packages using the command
'rpm --rebuild package.spm'. By consequence, this is a tradeoff: Either
you don't provide the modes necessary for non-root package builds, or you
take the risk that somebody plants an egg in those directories.

> V. WORKAROUND
>
> Change the permissions on
> /usr/src/packages/* and below to something more suitable.

We have thought of an easier way than changing the modes manually:
vi /etc/sysconfig/security and change PERMISSION_SECURITY from
"easy local" to "secure local". Afterwards, either run SuSEconfig or
'chkstat -set /etc/permissions.secure'.

> VI. VENDOR FIX
>
> unknown

None.

> IX. CREDIT
> Knud Erik Højgaard/kokanin[a]dtors.net

Thanks,
Roman Drahtmüller,
SuSE Security.
- - --
 -                                                                      -
| Roman Drahtmüller      <draht () suse de> // "You don't need eyes to see, |
  SuSE Linux AG - Security       Phone: //             you need vision!"
| Nürnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
 -                                                                      -
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: SuSE Security

iQEVAwUBPpHcGXey5gA9JdPZAQG6wQgAk+vcXCYCeZuF0iH6sh0t+0QoDp0wYuJ6
VC5negBSgrrprlJ94hDP67MlZchN+euLfbaEB2+Ipp7x3g0j1ZDn1ZTlcQ6i6bIM
X6J/S+YiBmzBhr21bk2rjKNoQfA7/PXJAuYgHOUQvgN4yKzhVdZ24fuWLQgCDpYA
OxQjM1BB4rZmuqrKG5z+Kcb7d+bIrhPn35v5vfKaONwhiDRo0CmIAloV2uds7poy
KZb5ua7BFYSS9JwfeUlt9juOsK55vP/aZdO4JPfD0fAol4DWwNyaTmsnNZoQJAfQ
KwZEo124SIcEfBpd+3sb72tqPN6V1NegrLnwYtTmrw/IxQZuuN42sQ==
=gGrW
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html