**********************************************************************
DDN MGT Bulletin 58              DCA DDN Defense Communications System
24 Apr 89                        Published by: DDN Network Info Center
                                    (NIC@SRI-NIC.ARPA)  (800) 235-3155

                DEFENSE DATA NETWORK MANAGEMENT BULLETIN

The DDN MANAGEMENT BULLETIN is distributed online by the DDN Network
Information Center under DCA contract as a means of communicating
official policy, procedures and other information of concern to
management personnel at DDN facilities. Back issues may be read
through the TACNEWS server ("@n" command at the TAC) or may be
obtained by FTP (or Kermit) from the SRI-NIC host [26.0.0.73 or
10.0.0.51] using login="anonymous" and password="guest". The pathname
for bulletins is DDN-NEWS:DDN-MGT-BULLETIN-nn.TXT (where "nn" is the
bulletin number).
**********************************************************************

                SECURITY PROBLEM IN `FCHOWN' COMMAND

APPLICABLE OPERATING SYSTEM: UNIX (unmodified 4.3BSD and 4.3BSD-tahoe)

PROBLEM: There's a security problem associated with 4.3BSD and
         4.3BSD-tahoe systems involving the chown(2) system call.

STATUS: The enclosed fix was broadcast on comp.bugs.4bsd.ucb-fixes
        as patch V1.77.

CONTACTS: CERT at (412) 268-7090 for general problem information.
          SRI/NIC at 1-800-235-3155 for general information.
          Your vendor for your site-specific information.

NOTE(1): This bulletin represents the best information available at
         this time to fix this problem. As with any program
         modification, CHECK WITH YOUR VENDOR BEFORE APPLYING.

NOTE(2): Only those sites which have acquired these operating systems
         directly from Berkeley sources and not through a vendor are
         known to be affected. It may exist in 4.3BSD derived systems;
         contact your vendor for more information.

---------------------------- PATCH FOLLOWS ----------------------------

*** /tmp/d04748 Thu Jan 26 21:04:17 1989 - --- ufs_syscalls.c Wed Jan 25 09:44:50 1989 *************** *** 3,9 **** * All rights reserved. 
The Berkeley software License Agreement * specifies the terms and conditions for redistribution. * ! * @(#)ufs_syscalls.c 7.3 (Berkeley) 4/18/87 */ #include "param.h" - --- 3,9 ---- * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. * ! * @(#)ufs_syscalls.c 7.4 (Berkeley) 1/24/89 */ #include "param.h" *************** *** 600,607 **** int uid; int gid; } *uap = (struct a *)u.u_ap; ! if ((ip = owner(uap->fname, NOFOLLOW)) == NULL) return; u.u_error = chown1(ip, uap->uid, uap->gid); iput(ip); - --- 600,612 ---- int uid; int gid; } *uap = (struct a *)u.u_ap; + register struct nameidata *ndp = &u.u_nd; ! ndp->ni_nameiop = LOOKUP | NOFOLLOW; ! ndp->ni_segflg = UIO_USERSPACE; ! ndp->ni_dirp = uap->fname; ! ip = namei(ndp); ! if (ip == NULL) return; u.u_error = chown1(ip, uap->uid, uap->gid); iput(ip); *************** *** 647,655 **** uid = ip->i_uid; if (gid == -1) gid = ip->i_gid; ! if (uid != ip->i_uid && !suser()) ! return (u.u_error); ! if (gid != ip->i_gid && !groupmember((gid_t)gid) && !suser()) return (u.u_error); #ifdef QUOTA if (ip->i_uid == uid) /* this just speeds things a little */ - --- 652,664 ---- uid = ip->i_uid; if (gid == -1) gid = ip->i_gid; ! /* ! * If we don't own the file, are trying to change the owner ! * of the file, or are not a member of the target group, ! * the caller must be superuser or the call fails. ! */ ! if ((u.u_uid != ip->i_uid || uid != ip->i_uid || ! !groupmember((gid_t)gid)) && !suser()) return (u.u_error); #ifdef QUOTA if (ip->i_uid == uid) /* this just speeds things a little */ - -------
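
Review bot: In the hunk at line 600 of ufs_syscalls.c, the lookup no
longer goes through owner(), so chown() now obtains the inode with a
plain namei() call (LOOKUP | NOFOLLOW) and relies entirely on the test
added to chown1() to decide whether the caller may change the file.
Nothing at this call site says so. Add a short comment above
"ip = namei(ndp);" stating that permission is enforced in chown1(), so
a later edit here, or a new caller of chown1(), does not assume the
lookup has already vetted the caller.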
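
Review bot: In the hunk at line 647, the rewritten condition evaluates
"!groupmember((gid_t)gid)" unconditionally, whereas the old code only
tested group membership when "gid != ip->i_gid". Since a gid of -1 is
replaced by ip->i_gid just above, the owner of a file whose current
group they do not belong to now needs superuser even when the call
leaves the group unchanged. Suggest keeping the guard inside the new
expression, "(gid != ip->i_gid && !groupmember((gid_t)gid))", and
wording the comment as "are changing the group to one we are not a
member of" so the comment and the test agree.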