Fix a problem whereby a corrupt DNS record can cause named to crash. [11:06]
Add an API for alerting internal libc routines to the presence of "unsafe" paths post-chroot, and use it in ftpd. [11:07] Fix a buffer overflow in telnetd. [11:08] Make pam_ssh ignore unpassphrased keys unless the "nullok" option is specified. [11:09] Add sanity checking of service names in pam_start. [11:10] Approved by: so (cperciva) Approved by: re (bz) Security: FreeBSD-SA-11:06.bind Security: FreeBSD-SA-11:07.chroot Security: FreeBSD-SA-11:08.telnetd Security: FreeBSD-SA-11:09.pam_ssh Security: FreeBSD-SA-11:10.pam
parent
2cd8464e4e
commit
3e65b9c6e6
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=228843
@ -721,6 +721,9 @@ encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len)
|
|||||||
int dir = kp->dir;
|
int dir = kp->dir;
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
|
|
||||||
|
if (len > MAXKEYLEN)
|
||||||
|
len = MAXKEYLEN;
|
||||||
|
|
||||||
if (!(ep = (*kp->getcrypt)(*kp->modep))) {
|
if (!(ep = (*kp->getcrypt)(*kp->modep))) {
|
||||||
if (len == 0)
|
if (len == 0)
|
||||||
return;
|
return;
|
||||||
|
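Review bot: The new clamp bounds `len` only from above: `len` is a signed `int`, and the visible checks are `len > MAXKEYLEN` and `len == 0`, so a negative value passes both. If any caller can derive `len` from a peer-supplied suboption length, a negative value would reach whatever copy follows outside this hunk; consider `if (len < 0 || len > MAXKEYLEN) return;`, or at least clamping to zero. Silently truncating an oversized key id also hides a malformed peer message, so rejecting may be preferable to clamping. The same applies to the identical hunk at -736,6 +736,9; the body of encrypt_keyid continues outside both hunks.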
@ -736,6 +736,9 @@ encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len)
|
|||||||
int dir = kp->dir;
|
int dir = kp->dir;
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
|
|
||||||
|
if (len > MAXKEYLEN)
|
||||||
|
len = MAXKEYLEN;
|
||||||
|
|
||||||
if (!(ep = (*kp->getcrypt)(*kp->modep))) {
|
if (!(ep = (*kp->getcrypt)(*kp->modep))) {
|
||||||
if (len == 0)
|
if (len == 0)
|
||||||
return;
|
return;
|
||||||
|
@ -511,6 +511,7 @@ int initgroups(const char *, gid_t);
|
|||||||
int iruserok(unsigned long, int, const char *, const char *);
|
int iruserok(unsigned long, int, const char *, const char *);
|
||||||
int iruserok_sa(const void *, int, int, const char *, const char *);
|
int iruserok_sa(const void *, int, int, const char *, const char *);
|
||||||
int issetugid(void);
|
int issetugid(void);
|
||||||
|
void __FreeBSD_libc_enter_restricted_mode(void);
|
||||||
long lpathconf(const char *, int);
|
long lpathconf(const char *, int);
|
||||||
#ifndef _MKDTEMP_DECLARED
|
#ifndef _MKDTEMP_DECLARED
|
||||||
char *mkdtemp(char *);
|
char *mkdtemp(char *);
|
||||||
|
@ -20,6 +20,7 @@ SRCS+= __getosreldate.c __xuname.c \
|
|||||||
getpeereid.c getprogname.c getpwent.c getttyent.c \
|
getpeereid.c getprogname.c getpwent.c getttyent.c \
|
||||||
getusershell.c getutxent.c getvfsbyname.c glob.c \
|
getusershell.c getutxent.c getvfsbyname.c glob.c \
|
||||||
initgroups.c isatty.c isinf.c isnan.c jrand48.c lcong48.c \
|
initgroups.c isatty.c isinf.c isnan.c jrand48.c lcong48.c \
|
||||||
|
libc_dlopen.c \
|
||||||
lockf.c lrand48.c mrand48.c nftw.c nice.c \
|
lockf.c lrand48.c mrand48.c nftw.c nice.c \
|
||||||
nlist.c nrand48.c opendir.c \
|
nlist.c nrand48.c opendir.c \
|
||||||
pause.c pmadvise.c popen.c posix_spawn.c \
|
pause.c pmadvise.c popen.c posix_spawn.c \
|
||||||
|
@ -381,6 +381,10 @@ FBSD_1.2 {
|
|||||||
setutxent;
|
setutxent;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
FBSD_1.3 {
|
||||||
|
__FreeBSD_libc_enter_restricted_mode;
|
||||||
|
};
|
||||||
|
|
||||||
FBSDprivate_1.0 {
|
FBSDprivate_1.0 {
|
||||||
/* needed by thread libraries */
|
/* needed by thread libraries */
|
||||||
__thr_jtable;
|
__thr_jtable;
|
||||||
|
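--- /dev/null
+++ b/lib/libc/gen/libc_dlopen.c
@@ -0,0 +1,61 @@
+/*-
+* Copyright (c) 2011 Xin Li <delphij@FreeBSD.org>
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+*
+* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+* SUCH DAMAGE.
+*
+* $FreeBSD$
+*/
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <dlfcn.h>
+#include <stddef.h>
+#include <unistd.h>
+
+#include "libc_private.h"
+
+/*
+* Whether we want to restrict dlopen()s.
+*/
+static int __libc_restricted_mode = 0;
+
+void *
+libc_dlopen(const char *path, int mode)
+{
+
+if (__libc_restricted_mode) {
+_rtld_error("Service unavailable -- libc in restricted mode");
+return (NULL);
+} else
+return (dlopen(path, mode));
+}
+
+void
+__FreeBSD_libc_enter_restricted_mode(void)
+{
+
+__libc_restricted_mode = 1;
+return;
+}
+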
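Review bot: The only comment on `__libc_restricted_mode` is "Whether we want to restrict dlopen()s", which leaves out the two facts a caller needs: the switch is one-way (nothing in this file clears the flag), and it gates only loads that go through `libc_dlopen()`, so a direct `dlopen()` elsewhere is unaffected. A short block comment above `__FreeBSD_libc_enter_restricted_mode()` should state that it is meant to be called once after chroot(2), cannot be undone, and affects only libc-internal module loading. The flag is a plain `static int` with no synchronisation; that looks acceptable for a set-once flag, but if callers are expected to set it before starting threads, the comment should say so. The trailing `return;` in the void function is redundant.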
@ -109,6 +109,7 @@
|
|||||||
#include "citrus_namespace.h"
|
#include "citrus_namespace.h"
|
||||||
#include "citrus_bcs.h"
|
#include "citrus_bcs.h"
|
||||||
#include "citrus_module.h"
|
#include "citrus_module.h"
|
||||||
|
#include "libc_private.h"
|
||||||
|
|
||||||
static int _getdewey(int[], char *);
|
static int _getdewey(int[], char *);
|
||||||
static int _cmpndewey(int[], int, int[], int);
|
static int _cmpndewey(int[], int, int[], int);
|
||||||
@ -294,7 +295,7 @@ _citrus_load_module(_citrus_module_t *rhandle, const char *encname)
|
|||||||
p = _findshlib(path, &maj, &min);
|
p = _findshlib(path, &maj, &min);
|
||||||
if (!p)
|
if (!p)
|
||||||
return (EINVAL);
|
return (EINVAL);
|
||||||
handle = dlopen(p, RTLD_LAZY);
|
handle = libc_dlopen(p, RTLD_LAZY);
|
||||||
if (!handle) {
|
if (!handle) {
|
||||||
printf("%s", dlerror());
|
printf("%s", dlerror());
|
||||||
return (EINVAL);
|
return (EINVAL);
|
||||||
|
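Review bot: With `libc_dlopen()` the `!handle` branch becomes the expected outcome in restricted mode, and that branch writes `dlerror()` to stdout with `printf`. In a daemon whose stdout is the client connection this would put the "Service unavailable -- libc in restricted mode" text into the protocol stream; whether that applies to any caller is not visible here. Consider removing the `printf` or routing it to stderr, e.g. `fprintf(stderr, "%s\n", dlerror());`. _citrus_load_module continues outside the hunk.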
@ -43,6 +43,17 @@
|
|||||||
*/
|
*/
|
||||||
extern int __isthreaded;
|
extern int __isthreaded;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* libc should use libc_dlopen internally, which respects a global
|
||||||
|
* flag where loading of new shared objects can be restricted.
|
||||||
|
*/
|
||||||
|
void *libc_dlopen(const char *, int);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* For dynamic linker.
|
||||||
|
*/
|
||||||
|
void _rtld_error(const char *fmt, ...);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* File lock contention is difficult to diagnose without knowing
|
* File lock contention is difficult to diagnose without knowing
|
||||||
* where locks were set. Allow a debug library to be built which
|
* where locks were set. Allow a debug library to be built which
|
||||||
|
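Review bot: `_rtld_error` is declared as a printf-style variadic without a format attribute, so the compiler cannot check its callers' format strings. If `<sys/cdefs.h>` is in scope in this header, declare it as `void _rtld_error(const char *fmt, ...) __printflike(1, 2);`. The comment on `libc_dlopen` could also say that it returns NULL and sets the dlerror() message when restricted mode is on, which is what the implementation in libc_dlopen.c does.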
@ -384,7 +384,7 @@ nss_configure(void)
|
|||||||
confmod = statbuf.st_mtime;
|
confmod = statbuf.st_mtime;
|
||||||
|
|
||||||
#ifdef NS_CACHING
|
#ifdef NS_CACHING
|
||||||
handle = dlopen(NULL, RTLD_LAZY | RTLD_GLOBAL);
|
handle = libc_dlopen(NULL, RTLD_LAZY | RTLD_GLOBAL);
|
||||||
if (handle != NULL) {
|
if (handle != NULL) {
|
||||||
nss_cache_cycle_prevention_func = dlsym(handle,
|
nss_cache_cycle_prevention_func = dlsym(handle,
|
||||||
"_nss_cache_cycle_prevention_function");
|
"_nss_cache_cycle_prevention_function");
|
||||||
@ -497,7 +497,7 @@ nss_load_module(const char *source, nss_module_register_fn reg_fn)
|
|||||||
if (snprintf(buf, sizeof(buf), "nss_%s.so.%d", mod.name,
|
if (snprintf(buf, sizeof(buf), "nss_%s.so.%d", mod.name,
|
||||||
NSS_MODULE_INTERFACE_VERSION) >= (int)sizeof(buf))
|
NSS_MODULE_INTERFACE_VERSION) >= (int)sizeof(buf))
|
||||||
goto fin;
|
goto fin;
|
||||||
mod.handle = dlopen(buf, RTLD_LOCAL|RTLD_LAZY);
|
mod.handle = libc_dlopen(buf, RTLD_LOCAL|RTLD_LAZY);
|
||||||
if (mod.handle == NULL) {
|
if (mod.handle == NULL) {
|
||||||
#ifdef _NSS_DEBUG
|
#ifdef _NSS_DEBUG
|
||||||
/* This gets pretty annoying since the built-in
|
/* This gets pretty annoying since the built-in
|
||||||
|
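Review bot: In nss_configure the converted call is `libc_dlopen(NULL, RTLD_LAZY | RTLD_GLOBAL)`, which asks for a handle to the already loaded program rather than loading an object from a path. Routing it through the restricted wrapper means that, once restricted mode is on, `handle` is NULL and the `_nss_cache_cycle_prevention_function` lookup is skipped, with no apparent security gain from the restriction. Keeping plain `dlopen(NULL, ...)` here, or adding a comment that losing the lookup is intended, would avoid a silent behaviour change under NS_CACHING. The conversion in nss_load_module, which loads `nss_%s.so.%d` by name, is the one that restricts loading of new objects. Both functions continue outside the hunks.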
@ -1562,6 +1562,7 @@ pass(char *passwd)
|
|||||||
reply(550, "Can't change root.");
|
reply(550, "Can't change root.");
|
||||||
goto bad;
|
goto bad;
|
||||||
}
|
}
|
||||||
|
__FreeBSD_libc_enter_restricted_mode();
|
||||||
} else /* real user w/o chroot */
|
} else /* real user w/o chroot */
|
||||||
homedir = pw->pw_dir;
|
homedir = pw->pw_dir;
|
||||||
/*
|
/*
|
||||||
|
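Review bot: The added call has no comment, and its placement matters: it follows the branch that replies "Can't change root.", so it appears to run only once the root has been changed. A one-line comment such as `/* paths are user-controlled from here on: stop libc loading NSS/iconv modules */` would record why it is there. Because the switch affects every later libc-internal module load in this process, any name-service lookup ftpd still needs after login should be checked against it; that code is outside this hunk.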
@ -143,6 +143,9 @@ ftpd_popen(char *program, char *type)
|
|||||||
}
|
}
|
||||||
(void)close(pdes[1]);
|
(void)close(pdes[1]);
|
||||||
}
|
}
|
||||||
|
/* Drop privileges before proceeding */
|
||||||
|
if (getuid() != geteuid() && setuid(geteuid()) < 0)
|
||||||
|
_exit(1);
|
||||||
if (strcmp(gargv[0], _PATH_LS) == 0) {
|
if (strcmp(gargv[0], _PATH_LS) == 0) {
|
||||||
/* Reset getopt for ls_main() */
|
/* Reset getopt for ls_main() */
|
||||||
optreset = optind = optopt = 1;
|
optreset = optind = optopt = 1;
|
||||||
|
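Review bot: The added privilege drop covers user IDs only: it compares `getuid()` with `geteuid()` and calls `setuid(geteuid())`, but does nothing equivalent for the real and effective group IDs. Whether those can differ at this point is not visible in the hunk; if they can, a matching `setgid(getegid())` should come before the `setuid` call. The failure path is a bare `_exit(1)`, so a failed drop leaves no trace; a `syslog` call before exiting would help diagnosis. ftpd_popen continues outside the hunk.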