Date: Mon, 20 May 2002 09:08:02 -0700 (PDT)
From: FreeBSD Security Advisories <security-advisories@freebsd.org.>
To: Bugtraq <bugtraq@securityfocus.com.>
Subject: FreeBSD Security Advisory FreeBSD-SA-02:24.k5su
-----BEGIN PGP SIGNED MESSAGE-----
FreeBSD-SA-02:24.k5su Security Advisory
The FreeBSD Project
Topic: k5su utility does not honor `wheel' group
Category: kerberos5
Module: kerberos5/usr.bin/k5su
Announced: 2002-05-20
Credits: [email protected]
Affects: FreeBSD 4.4-RELEASE
FreeBSD 4.5-RELEASE
FreeBSD-STABLE prior to the correction date
Corrected: 2002-05-15 12:51:30 UTC (RELENG_4)
2002-05-15 12:56:21 UTC (RELENG_4_5)
2002-05-15 13:04:00 UTC (RELENG_4_4)
FreeBSD only: YES
I. Background
The k5su utility is a SU utility similar to su(1), and is used to
switch privileges after authentication using Kerberos 5 or the local
passwd(5) file. k5su is installed as part of the `krb5' distribution,
or when building from source with MAKE_KERBEROS5 set. Neither of
these are default settings.
II. Problem Description
Historically, the BSD SU utility only allows users who are members
of group `wheel' (group-ID 0) to obtain superuser
privileges. The k5su utility, however, does not honor this convention
and does not verify group membership if a user has successfully
authenticated.
k5su also lacks other features of su(1), such as checking for
password expiration, implementing login classes, and checking
for the target user's login shell in /etc/shells.
III. Impact
Contrary to the expectations of many BSD system administrators, users
not in group `wheel' may use k5su to attempt to obtain superuser
privileges. Note that this would require knowledge of the root
account password, or an explicit entry in the Kerberos 5 `.k5login'
ACL for the root account.
IV. Solution
Remove the set-user-ID bit from the k5su utility:
# chmod u-s /usr/bin/k5su
This will completely disable k5su.
Sites which wish to use Kerberos 5 authentication for SU and are
comfortable with its limitations may choose to leave the set-user-ID
bit enabled. As of the correction date, FreeBSD (including the
upcoming 4.6-RELEASE) will install k5su if requested, but the
set-user-ID bit will not be enabled by default. See also the
ENABLE_SUID_K5SU option in make.conf(5).
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Path Revision
Branch
- -------------------------------------------------------------------------
src/UPDATING
RELENG_4 1.73.2.67
RELENG_4_5 1.73.2.50.2.12
RELENG_4_4 1.73.2.43.2.12
src/etc/defaults/make.conf
RELENG_4 1.97.2.65
RELENG_4_5 1.97.2.59.2.1
RELENG_4_4 1.97.2.58.2.1
src/kerberos5/usr.bin/k5su/Makefile
RELENG_4 1.73.2.67
RELENG_4_5 1.97.2.59.2.1
RELENG_4_4 1.1.2.2.2.1
src/share/man/man5/make.conf.5
RELENG_4 1.12.2.16
RELENG_4_5 1.12.2.12.2.1
RELENG_4_4 1.12.2.10.2.1
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)
Comment: FreeBSD: The Power To Serve
iQCVAwUBPOkdtFUuHi5z0oilAQFd1wP8CUxrBx+DJhQZqLpOocpF4yd8IWclz4Uu
8I8LT5RaWNKMrOt9FB6/jGthRFNqTL72XeDaezxT72IFSUHIpF9wI87aKNVDknPp
vQxh0Pr8/8EqvOLhvT6Hu/20xKrBZe2bht/lUQ/HxrgriaZteTAMfMYL653xgP5U
M+0f/mfSm3w=
=lTOo
-----END PGP SIGNATURE-----