Date: Fri, 10 Sep 1999 11:05:20 +0900 (JST)
From: TOMITA Shigenari <ts@icu.ac.jp>
Message-Id: <199909100205.LAA20176@max.icu.ac.jp>
To: doc-jp@jp.freebsd.org
CC: ts@icu.ac.jp
Reply-To: doc-jp@jp.freebsd.org
Subject: [doc-jp 6625] FreeBSD-SA99:01

Doc-jp $B$N$_$J$5$^(B

$BCY$/$J$j$^$7$?$,!"K]Lu$7$?$b$N$r$*Aw$j$7$^$9!#::FI$r$h$m$7$/$*4j$$$$$?(B
$B$7$^$9!#%U%)!<%^%C%H$O(B 99:03 ftpd $B$r;29M$K$$$?$7$^$7$?!#(B

$BIT0B$J$H$3$m$O!V2r@b!W$H!V1F6A!W$G$9!'(B

   - $B!V%W%m%0%i%`(B login$B!W$H$$$&$N$OJ8F,$J$N$G!V(BLogin$B!W$H$9$k$@$1$GNI$+$C(B
     $B$?$G$7$g$&$+!)(B

   - $B86J8!V(Bnormal chown$B!W$,$h$/$o$+$j$^$;$s$G$7$?!#(B

   - $B86J8!V(Bany login$B!W$,$h$/$o$+$j$^$;$s$G$7$?!#(B

   - man in the middle $B967b$H$$$&$N$b(B $B!D(B

$B%A%'%C%/$h$m$7$/$*4j$$$$$?$7$^$9!#(B

$B$J$*!"(Bheader $B>pJs$r??;w$F$_$^$7$?$,!"$o$?$7$KFO$$$?$d$D$O(B Date: $B$H(B 
Recieve: $B$N;~9o$,0c$C$F$?$j$7$F$?$N$G!"$A$g$C$H4V0c$C$F$$$k$+$b$7$l$^(B
$B$;$s!#(B

$B0J>e!"$h$m$7$/$*4j$$$$$?$7$^$9!#(B

                                             $BIZED(B $B=E@.(B ts@icu.ac.jp

                               $B"!(B $B"!(B $B"!(B

  $B$3$N%a!<%k$O(B announce-jp $B$XN.$l$?!#(B

Subject: FreeBSD-SA-99:01: BSD File Flags and Programming Techniques
From: security-officer@freebsd.org
Date: Fri, 03 Sep 1999 23:29:36 -0600
Message-Id: <199909040529.XAA63474@harmony.village.org>

$B$rF|K\8lLu$7$?$b$N$G$9(B.
  $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
$B%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B$N%A%'%C%/$r9T(B
$B$J$&$K$O86J8$r;2>H$7$F$/$@$5$$(B.
  $BF|K\8lLu$K$D$$$F$N$*Ld$$9g$o$;$O(B doc-jp@jp.freebsd.org $B$^$G(B
$B$*4j$$$7$^$9(B.

                         $BK]Lu(B : $BIZED(B $B=E@.(B <ts@icu.ac.jp>
                                
=============================================================================
FreeBSD-SA-99:01                                            Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:             BSD $B%U%!%$%k%U%i%0$H%W%m%0%i%_%s%0%F%/%K%C%/(B

$B%+%F%4%j!<(B:           core
$B%b%8%e!<%k(B:           kernel
$B9pCNF|(B:               1999$BG/(B 9$B7n(B 4$BF|(B
$B1F6ABP>](B:             FreeBSD 3.2 ($B$*$h$S(B 3.2 $B0JA0$N%P!<%8%g%s(B)
                      FreeBSD-current ($B2<5-=$@5F|0JA0$N%P!<%8%g%s(B) 
$B=$@5:Q(B:               FreeBSD 3.3-RELEASE ($BLuCm(B: $BM=Dj(B)
                      1999$BG/(B 8$B7n(B 2$BF|0J9_$N(B FreeBSD-current
                      1999$BG/(B 8$B7n(B 2$BF|0J9_$N(B FreeBSD-3.2-stable
                      1999$BG/(B 8$B7n(B 4$BF|0J9_$N(B FreeBSD-2.2.8-stable
FreeBSD $B$@$1$NLdBj$+(B: $BH](B

$B%Q%C%A(B:               ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-99:01/

I.   $BGX7J(B

BSD4.4 $B$N%U%!%$%k%7%9%F%`$G$O(B, $B%U%!%$%k$K4X$9$kB?<o$N%U%i%0$,DI2C$5$l(B
$B$^$7$?(B. $B$3$l$i$N%U%i%0$K$h$j(B, $B%U%!%$%k$KBP$9$k$5$^$6$^$JA`:n$r@)8f$G$-(B
$B$^$9(B. $BNr;KE*$K(B, root $B$G$"$l$P$"$i$f$k%U%!%$%kA`:n$r(B($BL5@)8B$K(B)$B9T$($k$?(B
$B$a(B, root $B$H$7$F<B9T$5$l$k%W%m%0%i%`$NB?$/$G$O(B, $B%U%!%$%kA`:n$,@.8y$7$?(B
$B$+$I$&$+$N3NG'$rBU$C$F$$$^$9(B.

II.  $B2r@b(B

$B%f!<%6$O(B, $B<+J,$,%m%0%$%s$7$F$$$k%G%P%$%9$N%U%i%0$d%b!<%I$r@_Dj$G$-$^$9(B. 
$B%W%m%0%i%`(B login $B$dB>$NF1N`$N$b$N$K@x$`%P%0$,860x$G(B, $BDL>o$N(B chown $B$r<:(B
$BGT$5$;$k$3$H$,$G$-$k$?$a(B, $B:G=i$N%f!<%6$,$$$+$J$k%m%0%$%s$K$h$k%?!<%_%J(B
$B%k$b=jM-$G$-$^$9(B.

III. $B1F6A(B

$B%m!<%+%k$N%f!<%6$G$"$l$P(B, $BB>$N%f!<%6(B(root $B$r4^$`(B)$B$,%m%0%$%s$7$?;~E@$G(B 
man in the middle $B967b$r;E3]$1$k$3$H$,$G$-$^$9(B. $B$3$l$K$h$j(B, $BHo32<T$,=P(B
$BNO$9$k$9$Y$F$N%F%-%9%H$rGA$$$?$j2~cb$7$?$j$9$k$3$H$,$G$-$^$9(B. $B7k6I(B, $BHo(B
$B32<T$K$J$j$9$^$5$l$F%3%^%s%I$,<B9T$5$l$?$j(B, $B%Q%9%o!<%I(B($B$5$i$K(B, $BB>$N%[(B
$B%9%H$H$N%3%M%/%7%g%s>e$K=PNO$5$l$k%Q%9%o!<%I$r4^$`$"$i$f$k%F%-%9%H(B)$B$r(B
$BEp$^$l$F$7$^$$$^$9(B.

IV.  $BBP1~:v(B

$BL5$7(B

V.   $B2r7h:v(B

    FreeBSD-current $B$N>l9g(B:

        Index: kern/vfs_syscalls.c
        ===================================================================
        RCS file: /home/imp/FreeBSD/CVS/src/sys/kern/vfs_syscalls.c,v
        retrieving revision 1.125
        retrieving revision 1.128
        diff -u -r1.125 -r1.128
        --- vfs_syscalls.c	1999/07/29 17:02:56	1.125
        +++ vfs_syscalls.c	1999/08/04 04:52:18	1.128
        @@ -1892,13 +1892,23 @@
                int error;
                struct vattr vattr;

        +	/*
        +	 * Prevent non-root users from setting flags on devices.  When
        +	 * a device is reused, users can retain ownership of the device
        +	 * if they are allowed to set flags and programs assume that
        +	 * chown can't fail when done as root.
        +	 */
        +	if ((vp->v_type == VCHR || vp->v_type == VBLK) && 
        +	    ((error = suser_xxx(p->p_ucred, p, PRISON_ROOT)) != 0))
        +		return (error);
        +
                VOP_LEASE(vp, p, p->p_ucred, LEASE_WRITE);
                vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, p);
                VATTR_NULL(&vattr);
                vattr.va_flags = flags;
                error = VOP_SETATTR(vp, &vattr, p->p_ucred, p);
                VOP_UNLOCK(vp, 0, p);
        -	return error;
        +	return (error);
         }

         /*
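
    Review bot: the privilege test in the added "if" passes PRISON_ROOT to suser_xxx(), so root inside a jail is still accepted for VCHR/VBLK nodes; confirm that is intended, since the comment only speaks of stopping "non-root users", or pass 0 so that jailed root is refused as well. Separately, the "return error;" to "return (error);" change at the end of the hunk is style-only and would be easier to audit as its own commit rather than mixed into the security fix.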

    FreeBSD-3.2-stable $B$N>l9g(B:

        Index: kern/vfs_syscalls.c
        ===================================================================
        RCS file: /home/imp/FreeBSD/CVS/src/sys/kern/vfs_syscalls.c,v
        retrieving revision 1.112.2.3
        retrieving revision 1.112.2.5
        diff -u -r1.112.2.3 -r1.112.2.5
        --- vfs_syscalls.c	1999/07/30 01:07:23	1.112.2.3
        +++ vfs_syscalls.c	1999/08/11 21:39:50	1.112.2.5
        @@ -1839,13 +1839,23 @@
                int error;
                struct vattr vattr;

        +  	/*
        +	 * Prevent non-root users from setting flags on devices.  When
        +	 * a device is reused, users can retain ownership of the device
        +	 * if they are allowed to set flags and programs assume that
        +	 * chown can't fail when done as root.
        +	 */
        +	if ((vp->v_type == VCHR || vp->v_type == VBLK) && 
        +	    ((error = suser(p->p_ucred, &p->p_acflag)) != 0))
        +		return (error);
        +
                VOP_LEASE(vp, p, p->p_ucred, LEASE_WRITE);
                vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, p);
                VATTR_NULL(&vattr);
                vattr.va_flags = flags;
                error = VOP_SETATTR(vp, &vattr, p->p_ucred, p);
                VOP_UNLOCK(vp, 0, p);
        -	return error;
        +	return (error);
         }

         /*
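
    Review bot: the comment in the added block names the root cause as programs that "assume that chown can't fail when done as root", but the hunk only restricts the flag-setting path for VCHR/VBLK and leaves those callers as they are; the change description should list the programs that still need a return-value check on chown as follow-up work. Minor: the comment opener on the first added line ("+  	/*") has two spaces before the tab, unlike the tab-only lines that follow, and should be re-indented.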

    FreeBSD 2.2.8-stable $B$N>l9g(B:

        Index: kern/vfs_syscalls.c
        ===================================================================
        RCS file: /home/imp/FreeBSD/CVS/src/sys/kern/vfs_syscalls.c,v
        retrieving revision 1.51.2.7
        retrieving revision 1.51.2.8
        diff -u -r1.51.2.7 -r1.51.2.8
        --- vfs_syscalls.c	1998/07/03 03:50:31	1.51.2.7
        +++ vfs_syscalls.c	1999/08/04 18:58:56	1.51.2.8
        @@ -1439,6 +1439,17 @@
                if (error)
                        return (error);
                vp = nd.ni_vp;
        +	if ((error = VOP_GETATTR(vp, &vattr, p->p_ucred, p)))
        +		return (error);
        +	/*
        +	 * Prevent non-root users from setting flags on devices.  When
        +	 * a device is reused, users can retain ownership of the device
        +	 * if they are allowed to set flags and programs assume that
        +	 * chown can't fail when done as root.
        +	 */
        +	if ((vp->v_type == VCHR || vp->v_type == VBLK) &&
        +	    ((error = suser(p->p_ucred, &p->p_acflag)) != 0))
        +		return (error);
                LEASE_CHECK(vp, p, p->p_ucred, LEASE_WRITE);
                VOP_LOCK(vp);
                VATTR_NULL(&vattr);
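
    Review bot: both early returns added right after "vp = nd.ni_vp;" leave the function without releasing vp; if the lookup above the hunk returned a referenced vnode, each of these paths needs a vrele(vp) before "return (error);", otherwise every refused call leaks a reference. The VOP_GETATTR() result also looks unused in the visible lines: the device test reads only vp->v_type, and the context line VATTR_NULL(&vattr) clears vattr right afterwards, so unless code outside the hunk depends on it the call can be dropped, as in the patches for the other two branches.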

VI.  $B<U<-(B

Theo de Raadt $B;a$+$i>e5-$N%U%!%$%"%&%)!<%kE*$J2r7h:v$rDs0F$$$?$@$-$^$7$?(B.

lumpy@blue.9mm.com $B;a$K$h$C$F$3$NLdBj$,L@$k$_$K=P$^$7$?(B.

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
Security notifications:         security-notifications@freebsd.org
Security public discussion:     freebsd-security@freebsd.org
PGP Key:                ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc

$BCm0U(B: $BK\J8=qCf$K%Q%C%A$,4^$^$l$F$$$k>l9g(B, $BEE;R=pL>$d%a%$%i$N=hM}$GJQ99(B
      $B$5$l$k$?$a(B, $B$=$N$^$^$G$O$-$A$s$HE,MQ$G$-$J$$$+$b$7$l$^$;$s(B. $BI,MW(B
      $B$G$"$l$P(B, $BK\J8=q$NKAF,$K5-:\$7$F$"$k(B URL $B$r;2>H$7$F%*%j%8%J%k$N(B
      $B%3%T!<$rF~<j$7$F$/$@$5$$(B.
=============================================================================
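
The failure mode in sections I and II, seen from the side of the program that hands a terminal to a new user, as an added example that is not part of the advisory or of FreeBSD's login: a failed or ineffective ownership change is treated as fatal instead of being ignored. The helper name hand_over_tty() and the policy of refusing a device that still carries file flags are assumptions made for this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE     /* O_NOFOLLOW and fchown() under strict -std= on glibc */
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

/*
 * hand_over_tty() is a hypothetical helper, not code from login(1).
 * It gives the device at `path` to uid/gid with permission bits `mode`
 * and returns 0 only if the device really ended up in that state.
 * On -1 the caller should refuse the session rather than continue.
 */
int
hand_over_tty(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
	struct stat st;
	int fd, ok = 0;

	/* Use one descriptor so every step acts on the same object. */
	fd = open(path, O_RDONLY | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
	if (fd < 0)
		return (-1);

	/* The calls that were assumed unable to fail when done as root. */
	if (fchown(fd, uid, gid) != 0 || fchmod(fd, mode) != 0)
		goto out;

	/* Do not rely on return codes alone: re-read and compare. */
	if (fstat(fd, &st) != 0)
		goto out;
	if (st.st_uid != uid || st.st_gid != gid ||
	    (st.st_mode & 07777) != mode)
		goto out;
#if defined(__FreeBSD__)
	/* Flags left behind by an earlier session: refuse (example policy). */
	if (st.st_flags != 0)
		goto out;
#endif
	ok = 1;
out:
	close(fd);
	return (ok ? 0 : -1);
}
```
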







