Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: SECURITY: Red Hat Linux 5.1 linuxconf bug
From: jimd () STARSHINE ORG (Jim Dennis)
Date: Mon, 1 Jun 1998 15:00:51 -0700


On Thu, 28 May 1998, Michael K. Johnson wrote:

In Red Hat Linux 5.1, linuxconf version 1.11r11-rh2 was inadvertantly
setuid root.  This creates the potential for security holes that allow
attackers to gain root access to your machine.  (Users of Red Hat
Linux 5.0 and earlier are NOT affected, as linuxconf was not included
with any previous version of Red Hat Linux.)

If you have installed Red Hat Linux 5.1, you can immediately remove
the danger by logging in as root and running the command:

      chmod -s /bin/linuxconf

We also recommend that you update to the latest version of linuxconf,
linuxconf-1.11r11-rh3, which fixes this bug.
Thanks to BUGTRAQ for finding and reporting this.

the binary RPMs have always been shipped with suid linuxconf. Does this
announce mean that linuxconf has been found insecure, so that is MUST not
be used suid ? I haven't seen anything about linuxconf on BUGTRAQ, apart
from your posting.

        I don't know if linuxconf has any security wholes (and I'm
        not qualified to audit the sources).....

The fact is, linuxconf's most valuable feature, to me, is the possibility
to delegate user administration. If i drop SUID, i cannot do that anymore
- right ? And i cannot use remote admin, too.

        .... however even it linuxconf has some insecurities, you
        could strip the "world" bits, chgrp it to something appropriate
        ("wheel"?) and leave it SUID/root.

        I think most SUID programs should default to being configured
        this way --- so that only members of the appropriately trusted
        group is allowed to attempt exploits using it.

        You could also further protect it by hiding it behind 'sudo'.

So, if linuxconf is so insecure that one cannot dare having it suid, it
almost becomes useless.

        I don't think so.  It still contains quite a bit of "knowlege"
        about the various configuration files --- helping the sysadmin
        create new DNS zone maps, and the like with a much easier
        interface than a text editor and a pile of man pages.

        If it can help sysadmin's by preventing stupid syntactically
        mistakes in the sorts of config files that we rarely edit
        it still may be quite valuable, even to experienced sysadmins
        --- and even to some degrees that relate to improving security.

        (Let me tell you about the stray space in a wuftpd ftpaccess
        file that had some kiddies creating stray "warez" directories
        some time.  Don't follow those commas with spaces!).

Could you (Michael, Jacques) please clarify about Linuxconf security ?
It is fundamental to know whether the security risks are only from local
users, or also from external attacks.

        It would be nice to hear about specific, known security
        concerns.  It would be less comforting to hear that linuxconf
        is "not known to contain any buffer overflow or race condition
        bugs."  What would inspire a bit more confidence is a couple
        of independent reports from qualified auditors who specifically
        looked for them.

Is there somebody doing security auditing on Linuxconf ?
      Cheers, Sergio

        I would really like to see Red Hat, Caldera, S.u.S.E. and
        a few of the other commercial Linux distributors and vendors
        pitch in to a comprehensive security audit of the whole
        Linux source tree.  Currently the OpenBSD camp is severely
        whuppin' us in that area.

        I would vote to have LI (Linux International) create a
        special fund for it --- and solicit donations.  If they do
        --- I'll send money tomorrow.

--
Jim Dennis  (800) 938-4078              consulting () starshine org
Proprietor, Starshine Technical Services:  http://www.starshine.org



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault