From owner-doc-jp@jp.freebsd.org  Sat Sep 18 06:32:06 1999
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id GAA07463;
	Sat, 18 Sep 1999 06:32:06 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from sv01.geocities.co.jp (sv01.geocities.co.jp [210.153.89.155])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id GAA07458
	for <doc-jp@jp.freebsd.org>; Sat, 18 Sep 1999 06:32:06 +0900 (JST)
	(envelope-from hrs@geocities.co.jp)
Received: from mail.geocities.co.jp (mail.geocities.co.jp [210.153.89.137]) by sv01.geocities.co.jp (8.9.3+3.2W/3.7W) with ESMTP id GAA21725 for <doc-jp@jp.freebsd.org>; Sat, 18 Sep 1999 06:32:05 +0900 (JST)
Received: from mail.hrs.jp (sutnmax1-ppp19.ed.noda.sut.ac.jp [133.31.173.29]) by mail.geocities.co.jp (1.3G-GeocitiesJ-3.3) with ESMTP id GAA08151 for <doc-jp@jp.freebsd.org>; Sat, 18 Sep 1999 06:32:04 +0900 (JST)
Message-Id: <199909172132.GAA08151@mail.geocities.co.jp>
Received: from localhost (alph.hrs.jp [192.168.0.10])
	by mail.hrs.jp (8.9.3/3.7W/DomainMaster) with ESMTP id FAA80172
	for <doc-jp@jp.freebsd.org>; Sat, 18 Sep 1999 05:47:38 +0900 (JST)
	(envelope-from hrs@hrs.jp)
To: doc-jp@jp.freebsd.org
In-Reply-To: <14306.24698.450000.52913L@R2D2>
References: <199909170252.LAA01052@kid.micon.co.jp>
	<14306.24698.450000.52913L@R2D2>
X-Mailer: Mew version 1.94 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Sat, 18 Sep 1999 05:45:56 +0900
From: Hiroki Sato <hrs@geocities.co.jp>
X-Dispatcher: imput version 990905(IM130)
Lines: 59
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+990727
X-Sequence: doc-jp 6682
Subject: [doc-jp 6682] Re: FreeBSD-SA-99:04.core
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: hrs@geocities.co.jp

This is Sato from Tokyo University of Science.

 # This is almost entirely a hobby for me.

>The fts library functions had a flaw in them which would lead to
>a core dump when periodic ran the security checking scripts (or other
>scripts which traverse trees that can be controlled by users).
>periodic(3) should limit core size to zero to disable core dumps while
>it is executing commands, but does not do so.  In addition, the kernel
>should not follow symbolic links.
>
>Because of a problem in the fts library functions, the periodic security check
>scripts (including those that a user can control and that are called from
>there) can core dump.
>periodic(3) should limit the core size to 0 so that it does not core dump
>while executing commands, but it does not do so. In addition, the kernel
>should not follow symbolic links.

$B!V(B fts $B%i%$%V%i%j4X?t$K$O(B, periodic(3) $B$,%;%-%e%j%F%#%A%'%C%/MQ$N(B
  $B%9%/%j%W%H(B($B$*$h$S(B, $B%f!<%6$K$h$C$F;XDj$5$l$?%G%#%l%/%H%j%D%j!<$r(B
  $BAv::$9$k$h$&$JB>$N%9%/%j%W%H(B)$B$r<B9T$7$F$$$k;~$K(B
  $B%3%"%@%s%W$r@8$8$k2DG=@-$r;}$C$F$$$k$H$$$&IT6q9g$,$"$j$^$9(B.
  periodic(3) $B$,%3%^%s%I$r<B9T$7$F$b%3%"%@%s%W$rH/@8$5$;$J$$$h$&(B,
  $B%3%"%5%$%:$r(B 0 $B$K@)8B$9$Y$-$G$9(B. $B$^$?(B,
  $B%+!<%M%k$O%7%s%\%j%C%/%j%s%/$r$?$I$k$Y$-$G$O$"$j$^$;$s(B.$B!W(B

>All three of these problems caused a situation where it was possible
>for an attacker to create or overwrite an arbitrary file on the
>system with a moderate degree of control of its contents to cause a
>problem.
>
>Combining the above 3, an attacker can create or overwrite an arbitrary
>file in the system, including ones that are protected in order to prevent
>problems.

$B!V0J>e$N(B 3 $B$D$NLdBjE@$O967b<T$KBP$7(B, $BLdBj$H$J$k$h$&$JFbMF$r4^$`(B
  $BG$0U$N%U%!%$%k$r%7%9%F%`>e$K:n@.$7$?$j(B, $B$b$7$/$O4{B8$N%U%!%$%k$r(B
  $B>e=q$-$9$k$3$H$r2DG=$K$9$k>u67$r$D$/$j$^$9(B.$B!W(B

> One can work around this problem by preventing core dumps for periodic.
> This solution is less than completely satisfying, since it only plugs
> the known exploit hole.  Nonetheless, this may provide a short-term
> stopgap solution until a new kernel and/or userland can be installed.
> 
> It is possible to take a countermeasure so that the periodic scripts do not
> core dump. This countermeasure cannot be called sufficient, in the sense
> that it does no more than plug the hole that has become known. Nevertheless,
> it does serve as a stopgap for the short period until a new kernel and/or
> userland is installed.

"One way to work around this problem is to suppress core dumps by
  periodic(3). This merely hides the known security hole that is at issue,
  so it is not completely satisfying, but it should serve as a makeshift
  countermeasure until a new version of the kernel or userland can be
  installed."

--
| $B:4F#(B $B9-@8!wEl5~M}2JBg3X(B <hrs@geocities.co.jp>
|                         mailto:j7397067@ed.noda.sut.ac.jp
|
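As an added illustration of the workaround quoted above (not part of the advisory, of periodic, or of this post), a POSIX sh wrapper that disables core dumps for a command and everything it executes, which is what the advisory says periodic should do around each script; the function names are invented here. It covers only the core-dump part of the advisory, not the kernel's handling of symbolic links.

```sh
#!/bin/sh
# Added example, not from FreeBSD-SA-99:04 or from periodic itself.
# Run a command with core dumps disabled for it and all of its descendants,
# the limit the advisory says periodic should apply while executing commands.
run_without_cores() {
    # A subshell keeps the caller's own limits intact. The hard limit is
    # lowered as well, so nothing started below can raise the limit again.
    (
        ulimit -S -c 0 || exit 1
        ulimit -H -c 0 || exit 1
        exec "$@"
    )
}

# Report the core-file size limit a child started through the wrapper
# inherits. Any value other than 0 means the wrapper is not effective.
inherited_core_limit() {
    run_without_cores sh -c 'ulimit -c'
}

# Example use: run a tree-walking check the way periodic would.
# run_without_cores find /var/log -type f
```

The exit status of the wrapped command is passed through unchanged, so existing periodic-style scripts can be wrapped without altering their reporting.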
