From owner-doc-jp@jp.freebsd.org  Fri Sep 10 13:29:21 1999
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id NAA05485;
	Fri, 10 Sep 1999 13:29:21 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from slowhand.icu.ac.jp (root@slowhand.icu.ac.jp [192.218.241.2])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id NAA05480
	for <doc-jp@jp.freebsd.org>; Fri, 10 Sep 1999 13:29:20 +0900 (JST)
	(envelope-from ts@icu.ac.jp)
Received: from max.icu.ac.jp (max.icu.ac.jp [192.218.242.16])
	by slowhand.icu.ac.jp (8.8.5/3.6WTK 09/18/98) with ESMTP id NAA05562
	for <doc-jp@jp.freebsd.org>; Fri, 10 Sep 1999 13:29:18 +0900 (JST)
Received: (from ts@localhost)
	by max.icu.ac.jp (8.8.5/3.7W09/22/98) id NAA23103;
	Fri, 10 Sep 1999 13:29:04 +0900 (JST)
Date: Fri, 10 Sep 1999 13:29:04 +0900 (JST)
From: TOMITA Shigenari <ts@icu.ac.jp>
Message-Id: <199909100429.NAA23103@max.icu.ac.jp>
To: doc-jp@jp.freebsd.org
CC: ts@icu.ac.jp
In-reply-to: <199909100244.LAA02798@splpe481.ccs.mt.nec.co.jp> (message from Koga Youichirou on Fri, 10 Sep 1999 11:44:32 +0900 (JST))
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+990727
X-Sequence: doc-jp 6631
Subject: [doc-jp 6631] Re: FreeBSD-SA99:01
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: ts@icu.ac.jp

SA99:01 $B$r$d$C$F$kIZED$G$9!#(B

02 $B$d(B 03 $B$K$/$i$Y$FCY$l$F$7$^$C$F$9$_$^$;$s(B $B!D(B

$B$3$,$5$s!"$*K;$7$$$J$+!"%A%'%C%/$"$j$,$H$&$4$6$$$^$7$?!#(B

   Date: Fri, 10 Sep 1999 11:44:32 +0900 (JST)
   From: Koga Youichirou <y-koga@jp.freebsd.org>

   $B%Q%A%Q%A%Q%A!y(B

$B62=L$G$9(B $B!D(B :)

   > $BIT0B$J$H$3$m$O!V2r@b!W$H!V1F6A!W$G$9!'(B
   > 
   >    - $B!V%W%m%0%i%`(B login$B!W$H$$$&$N$OJ8F,$J$N$G!V(BLogin$B!W$H$9$k$@$1$GNI$+$C(B
   >      $B$?$G$7$g$&$+!)(B

   $B%W%m%0%i%`(B login $B$h$j$O!"(Blogin $B%3%^%s%I(B $B$NJ}$,$7$C$/$j$/$k$+$J!#(B

$B$=$&$G$9$M(B $B!D(B $B$H$$$&$3$H$G!V(BLogin $B%3%^%s%I!W$H$7$F$_$^$7$?!#(B

   >    - $B86J8!V(Bany login$B!W$,$h$/$o$+$j$^$;$s$G$7$?!#(B

   $B!V$=$N8e%m%0%$%s$7$F$-$?%f!<%6$NC<Kv!W$HJdB-$7$F$*$/$H$$$$$N$+$b!#(B

$B$O$$!#(B

   > I.   $BGX7J(B
   > 
   > BSD4.4 $B$N%U%!%$%k%7%9%F%`$G$O(B, $B%U%!%$%k$K4X$9$kB?<o$N%U%i%0$,DI2C$5$l(B

   $B86J8$,$3$&$J$N$@$,!"(B4.4BSD $B$+$J!)(B

Topic $B<+BN$,(B BSD $B$G;O$^$C$F$k$+$i$+$b$7$l$^$;$s$,!"$I$&$7$^$7$g$&$+(B $B!D(B 
$B$H$j$"$($:86J8$N%^%^$K$7$A$c$C$F$"$j$^$9!#(B

   > II.  $B2r@b(B
   > 
   > $B%f!<%6$O(B, $B<+J,$,%m%0%$%s$7$F$$$k%G%P%$%9$N%U%i%0$d%b!<%I$r@_Dj$G$-$^$9(B. 
   > $B%W%m%0%i%`(B login $B$dB>$NF1N`$N$b$N$K@x$`%P%0$,860x$G(B, $BDL>o$N(B chown $B$r<:(B

   $BF1N`$h$j$OF1<o$@$m$&$1$I!"D>Lu!V;w$?%W%m%0%i%`!W$G$$$$$h$&$J5$$,$7$^$9!#(B

$B$O$$!#(B

   > $BGT$5$;$k$3$H$,$G$-$k$?$a(B, $B:G=i$N%f!<%6$,$$$+$J$k%m%0%$%s$K$h$k%?!<%_%J(B
   > $B%k$b=jM-$G$-$^$9(B.
   > 
   > III. $B1F6A(B
   > 

   write $B$r=PNO$HLu$7$F$$$k$N$,$A$g$C$H5$$K$J$j$^$9$,!"Bg6Z$O9g$C$F$$$^$9!#(B
   $B=q$-9~$_$H$+F~NO$8$c$J$$$+$J!)(B

$B$J$k$[$I(B $B!D(B

   s/$B%3%^%s%I$,(B/$B$=$NHo32<T%f!<%6$N8"8B$G%3%^%s%I$r(B/
   s/$B%Q%9%o!<%I(B/$B%f!<%6$N%Q%9%o!<%I(B/g
   s/$B%3%M%/%7%g%s>e$K=PNO$5$l$k(B/$B%3%M%/%7%g%s$GF~NO$5$l$k(B/

$B$O$$!"H?1G$5$;$F$$$?$@$-$^$7$?!#(B

   > VI.  $B<U<-(B
   > 
   > lumpy@blue.9mm.com $B;a$K$h$C$F$3$NLdBj$,L@$k$_$K=P$^$7$?(B.

   $B%a!<%k%"%I%l%9$K!V;a!W$r$D$1$k$N$O$A$g$C$HJQ$+$b!#(B

$B$=$&$J$s$G$9$h$M$'(B $B!A(B $B!V%k%s%T%#;a!W$H$+!VF?L>4uK>$5$s!W$G$7$g$&$+(B $B!D(B
$BJQ$J$s$G$9$1$I!"$H$j$"$($:$=$N%^%^$K$7$A$c$$$^$7$?!#(B

   ----
   $B$3$,$h$&$$$A$m$&(B

$B$H$$$&$3$H$G!"$b$&0lEY(B $B$I$&$b$"$j$,$H$&$4$6$$$^$7$?!#(B :)

$B=$@5HG$r(B append $B$7$^$9!#(B

$BM>7W$J%3%a%s%H$G$9$,!"F|K\$N%f!<%6$K$9$l$P!"$d$C$Q$j(B jp.freebsd.org $B$N(B
security-officer $B$5$sC#$+$i4+9p$5$l$A$c$C$?$[$&$,NI$$$H;W$$$^$9!#$=$&(B
$B$9$l$P!"(BPGP $B=pL>$NLdBj$P$+$j$G$J$/!"2r@b$d1F6A$J$I$r$b$C$H<+A3$K=R$Y$k(B
$B$3$H$,$G$-$=$&!J$o$1$N$o$+$i$J$$86J8$N;~$N$D$i$5$+$i$b2rJ|$5$l$k!K$G$9(B
$B$7(B $B!D(B $B$=$&$J$k$H!"(Badvisory $B$NLu=P:n6H$O(B jp $B%I%a%$%s$N(B security-officer 
$B$N$_$J$5$s$N2<=q$-20$5$s$K$J$j$^$9$,!J$=$N$[$&$,5$$,3Z$K$J$k$+$b(B :-$B!K!#(B
$B4A;z$+$J:.$8$j$GJs9p$G$-$k$N$b1Q8l7y$$$N(B hacker $B$5$sC#$K$O$d$5$7$$$+$b(B
$B$7$l$^$;$s!#(B :)

$B4WOC5YBj!#$G$O!"(BSA99:01 $B$N$[$&(B $B$h$m$7$/$*4j$$$$$?$7$^$9!#(B

                           $B"!(B $B"!(B $B"!(B

  $B$3$N%a%C%;!<%8$O(B announce-jp $B$KN.$l$?(B

Subject: FreeBSD-SA-99:01: BSD File Flags and Programming Techniques
From: security-officer@freebsd.org
Date: Fri, 03 Sep 1999 23:29:36 -0600
Message-Id: <199909040529.XAA63474@harmony.village.org>

$B$rF|K\8lLu$7$?$b$N$G$9(B.
  $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
$B%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B$N%A%'%C%/$r9T(B
$B$J$&$K$O86J8$r;2>H$7$F$/$@$5$$(B.
  $BF|K\8lLu$K$D$$$F$N$*Ld$$9g$o$;$O(B doc-jp@jp.freebsd.org $B$^$G(B
$B$*4j$$$7$^$9(B.

                            $BK]Lu(B :  $B$3$,$h$&$$$A$m$&(B <y-koga@jp.freebsd.org>
                                    $BIZED(B $B=E@.(B <ts@icu.ac.jp>
=============================================================================
FreeBSD-SA-99:01                                            Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:             BSD $B%U%!%$%k%U%i%0$H%W%m%0%i%_%s%0%F%/%K%C%/(B

$B%+%F%4%j!<(B:           core
$B%b%8%e!<%k(B:           kernel
$B9pCNF|(B:               1999$BG/(B 9$B7n(B 4$BF|(B
$B1F6ABP>](B:             FreeBSD 3.2 ($B$*$h$S(B 3.2 $B0JA0$N%P!<%8%g%s(B)
                      FreeBSD-current ($B2<5-=$@5F|0JA0$N%P!<%8%g%s(B) 
$B=$@5:Q(B:               FreeBSD 3.3-RELEASE ($BLuCm(B: $BM=Dj(B)
                      1999$BG/(B 8$B7n(B 2$BF|0J9_$N(B FreeBSD-current
                      1999$BG/(B 8$B7n(B 2$BF|0J9_$N(B FreeBSD-3.2-stable
                      1999$BG/(B 8$B7n(B 4$BF|0J9_$N(B FreeBSD-2.2.8-stable
FreeBSD $B$@$1$NLdBj$+(B: $BH](B

$B%Q%C%A(B:               ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-99:01/

I.   $BGX7J(B

BSD4.4 $B$N%U%!%$%k%7%9%F%`$G$O(B, $B%U%!%$%k$K4X$9$kB?<o$N%U%i%0$,DI2C$5$l(B
$B$^$7$?(B. $B$3$l$i$N%U%i%0$K$h$j(B, $B%U%!%$%k$KBP$9$k$5$^$6$^$JA`:n$r@)8f$G$-(B
$B$^$9(B. $BNr;KE*$K(B, root $B$G$"$l$P$"$i$f$k%U%!%$%kA`:n$r(B($BL5@)8B$K(B)$B9T$($k$?(B
$B$a(B, root $B$H$7$F<B9T$5$l$k%W%m%0%i%`$NB?$/$G$O(B, $B%U%!%$%kA`:n$,@.8y$7$?(B
$B$+$I$&$+$N3NG'$rBU$C$F$$$^$9(B.

II.  $B2r@b(B

$B%f!<%6$O(B, $B<+J,$,%m%0%$%s$7$F$$$k%G%P%$%9$N%U%i%0$d%b!<%I$r@_Dj$G$-$^$9(B. 
Login $B%3%^%s%I$dB>$N;w$?%W%m%0%i%`$K@x$`%P%0$,860x$G(B, $BDL>o$N(B chown $B$r(B
$B<:GT$5$;$k$3$H$,$G$-$k$?$a(B, $B:G=i$N%f!<%6$,(B, $B$=$N8e$K%m%0%$%s$7$F$-$?%f!<(B
$B%6$NC<Kv$b=jM-$G$-$^$9(B.

III. $B1F6A(B

$B%m!<%+%k$N%f!<%6$G$"$l$P(B, $BB>$N%f!<%6(B(root $B$r4^$`(B)$B$,%m%0%$%s$7$?;~E@$G(B 
man in the middle $B967b$r;E3]$1$k$3$H$,$G$-$^$9(B. $B$3$l$K$h$j(B, $BHo32<T$,=P(B
$BNO$9$k$9$Y$F$N%F%-%9%H$rGA$$$?$j2~cb$7$?$j$9$k$3$H$,$G$-$^$9(B. $B7k6I(B, $BHo(B
$B32<T$K$J$j$9$^$5$l(B, $B$=$NHo32<T%f!<%6$N8"8B$G%3%^%s%I$r<B9T$5$l$?$j(B, $B%f!<(B
$B%6$N%Q%9%o!<%I(B($B$5$i$K(B, $BB>$N%[%9%H$H$N%3%M%/%7%g%s$GF~NO$5$l$k%Q%9%o!<(B
$B%I$r4^$`$"$i$f$k%F%-%9%H(B)$B$rEp$^$l$F$7$^$$$^$9(B.

IV.  $BBP1~:v(B

$BL5$7(B

V.   $B2r7h:v(B

    FreeBSD-current $B$N>l9g(B:

        Index: kern/vfs_syscalls.c
        ===================================================================
        RCS file: /home/imp/FreeBSD/CVS/src/sys/kern/vfs_syscalls.c,v
        retrieving revision 1.125
        retrieving revision 1.128
        diff -u -r1.125 -r1.128
        --- vfs_syscalls.c	1999/07/29 17:02:56	1.125
        +++ vfs_syscalls.c	1999/08/04 04:52:18	1.128
        @@ -1892,13 +1892,23 @@
                int error;
                struct vattr vattr;

        +	/*
        +	 * Prevent non-root users from setting flags on devices.  When
        +	 * a device is reused, users can retain ownership of the device
        +	 * if they are allowed to set flags and programs assume that
        +	 * chown can't fail when done as root.
        +	 */
        +	if ((vp->v_type == VCHR || vp->v_type == VBLK) && 
        +	    ((error = suser_xxx(p->p_ucred, p, PRISON_ROOT)) != 0))
        +		return (error);
        +
                VOP_LEASE(vp, p, p->p_ucred, LEASE_WRITE);
                vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, p);
                VATTR_NULL(&vattr);
                vattr.va_flags = flags;
                error = VOP_SETATTR(vp, &vattr, p->p_ucred, p);
                VOP_UNLOCK(vp, 0, p);
        -	return error;
        +	return (error);
         }

         /*

    FreeBSD-3.2-stable $B$N>l9g(B:

        Index: kern/vfs_syscalls.c
        ===================================================================
        RCS file: /home/imp/FreeBSD/CVS/src/sys/kern/vfs_syscalls.c,v
        retrieving revision 1.112.2.3
        retrieving revision 1.112.2.5
        diff -u -r1.112.2.3 -r1.112.2.5
        --- vfs_syscalls.c	1999/07/30 01:07:23	1.112.2.3
        +++ vfs_syscalls.c	1999/08/11 21:39:50	1.112.2.5
        @@ -1839,13 +1839,23 @@
                int error;
                struct vattr vattr;

        +  	/*
        +	 * Prevent non-root users from setting flags on devices.  When
        +	 * a device is reused, users can retain ownership of the device
        +	 * if they are allowed to set flags and programs assume that
        +	 * chown can't fail when done as root.
        +	 */
        +	if ((vp->v_type == VCHR || vp->v_type == VBLK) && 
        +	    ((error = suser(p->p_ucred, &p->p_acflag)) != 0))
        +		return (error);
        +
                VOP_LEASE(vp, p, p->p_ucred, LEASE_WRITE);
                vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, p);
                VATTR_NULL(&vattr);
                vattr.va_flags = flags;
                error = VOP_SETATTR(vp, &vattr, p->p_ucred, p);
                VOP_UNLOCK(vp, 0, p);
        -	return error;
        +	return (error);
         }

         /*

    FreeBSD 2.2.8-stable $B$N>l9g(B:

        Index: kern/vfs_syscalls.c
        ===================================================================
        RCS file: /home/imp/FreeBSD/CVS/src/sys/kern/vfs_syscalls.c,v
        retrieving revision 1.51.2.7
        retrieving revision 1.51.2.8
        diff -u -r1.51.2.7 -r1.51.2.8
        --- vfs_syscalls.c	1998/07/03 03:50:31	1.51.2.7
        +++ vfs_syscalls.c	1999/08/04 18:58:56	1.51.2.8
        @@ -1439,6 +1439,17 @@
                if (error)
                        return (error);
                vp = nd.ni_vp;
        +	if ((error = VOP_GETATTR(vp, &vattr, p->p_ucred, p)))
        +		return (error);
        +	/*
        +	 * Prevent non-root users from setting flags on devices.  When
        +	 * a device is reused, users can retain ownership of the device
        +	 * if they are allowed to set flags and programs assume that
        +	 * chown can't fail when done as root.
        +	 */
        +	if ((vp->v_type == VCHR || vp->v_type == VBLK) &&
        +	    ((error = suser(p->p_ucred, &p->p_acflag)) != 0))
        +		return (error);
                LEASE_CHECK(vp, p, p->p_ucred, LEASE_WRITE);
                VOP_LOCK(vp);
                VATTR_NULL(&vattr);

VI.  $B<U<-(B

Theo de Raadt $B;a$+$i>e5-$N%U%!%$%"%&%)!<%kE*$J2r7h:v$rDs0F$$$?$@$-$^$7$?(B.

lumpy@blue.9mm.com $B;a$K$h$C$F$3$NLdBj$,L@$k$_$K=P$^$7$?(B.

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
Security notifications:         security-notifications@freebsd.org
Security public discussion:     freebsd-security@freebsd.org
PGP Key:                ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc

$BCm0U(B: $BK\J8=qCf$K%Q%C%A$,4^$^$l$F$$$k>l9g(B, $BEE;R=pL>$d%a%$%i$N=hM}$GJQ99(B
      $B$5$l$k$?$a(B, $B$=$N$^$^$G$O$-$A$s$HE,MQ$G$-$J$$$+$b$7$l$^$;$s(B. $BI,MW(B
      $B$G$"$l$P(B, $BK\J8=q$NKAF,$K5-:\$7$F$"$k(B URL $B$r;2>H$7$F%*%j%8%J%k$N(B
      $B%3%T!<$rF~<j$7$F$/$@$5$$(B.
=============================================================================





