A Little Tip for OpenBSD Users of KDE

16 messages

A Little Tip for OpenBSD Users of KDE

dfeustel
Don't use sudo in any konsole session.
--
Lose, v., experience a loss, get rid of, "lose the weight"
Loose, adj., not tight, let go, free, "loose clothing"


Re: A Little Tip for OpenBSD Users of KDE

Tobias Ulmer
On Mon, Dec 26, 2005 at 11:39:22AM -0500, Dave Feustel wrote:
> Don't use sudo in any konsole session.

Dave, either you tell us _why_ you think it's bad, or keep your tips to
yourself and stop causing confusion.

Tobias :)


Re: A Little Tip for OpenBSD Users of KDE

Mike Hernandez-3
In reply to this post by dfeustel
On 12/26/05, Dave Feustel <[hidden email]> wrote:
> Don't use sudo in any konsole session.

That's odd. Why shouldn't you use sudo?

Mike


Re: A Little Tip for OpenBSD Users of KDE

Simon Morgan
In reply to this post by Tobias Ulmer
On 26/12/05, Tobias Ulmer <[hidden email]> wrote:
> On Mon, Dec 26, 2005 at 11:39:22AM -0500, Dave Feustel wrote:
> > Don't use sudo in any konsole session.
>
> Dave, either you tell us _why_ you think it's bad, or keep your tips to
> yourself and stop causing confusion.

I assume:

http://marc.theaimsgroup.com/?t=113499403500001


Re: A Little Tip for OpenBSD Users of KDE

J.C. Roberts-2
In reply to this post by dfeustel
On Mon, 26 Dec 2005 11:39:22 -0500, Dave Feustel
<[hidden email]> wrote:

>Don't use sudo in any konsole session.

Dave,

I don't think you're nuts but the fear mongering without providing any
proof or details of a compromise is questionable at best.

If you really were compromised while running OpenBSD, you aren't the
first and probably won't be the last. As for leaving a terminal window
open with root privs, sudo or su, it has *always* been a bad idea:

http://seclists.org/lists/bugtraq/2002/May/0294.html

As you can see from what happened to Dug Song and monkey.org, the
problem may not be konsole itself, instead, your sudo-enabled konsole
session could have been taken over via an exploit in some other
application you are running.

jcr


Re: A Little Tip for OpenBSD Users of KDE

dfeustel
On Monday 26 December 2005 22:12, J.C. Roberts wrote:
> On Mon, 26 Dec 2005 11:39:22 -0500, Dave Feustel
> <[hidden email]> wrote:
>
> >Don't use sudo in any konsole session.
>
> Dave,
>
> I don't think you're nuts but the fear mongering without providing any
> proof or details of a compromise is questionable at best.

 
> If you really were compromised while running OpenBSD, you aren't the
> first and probably won't be the last. As for leaving a terminal window
> open with root privs, sudo or su, it has *always* been a bad idea:

I never run root any more. Just long enough to install, add a user or two,
and set up sudo. I have added a large number of packages and also
compiled and installed other software not in the OpenBSD package
collection. So I may have introduced a few holes at the user level myself.

I have constantly been looking for signs of changes only possible via root.
So far I have almost been able to convince myself that the intruder is doing
whatever with my user privileges only. I am prepared to reinstall OpenBSD
from scratch without Xorg and KDE if I become convinced that root access
has been compromised.

My respect for OpenBSD's security has increased substantially during the past
few days. I think the security problems I am experiencing are in Xorg and KDE
sockets. Rm'ing all the files in /tmp and Tmp (I have TMPDIR=/home/daf/Tmp)
and then exiting and restarting KDE seems to disable the intruder temporarily.
There also is some problem with DCOPserver, but again, restarting KDE seems
to fix that.
 
> http://seclists.org/lists/bugtraq/2002/May/0294.html
>
> As you can see from what happened to Dug Song and monkey.org, the
> problem may not be konsole itself, instead, your sudo-enabled konsole
> session could have been taken over via an exploit in some other
> application you are running.

I'm not familiar with what happened to Dug Song. The problem with using
sudo in a Konsole session is that either the sudo password may be captured for
use in a subsequent login, or (and I don't know whether this is possible) an
eavesdropper might inject sudo commands during the 5-minute window
that sudo remains enabled. The remedy for this is to always switch back to your
login console when typing in passwords and using sudo, since the login console is
secure. This is possible by executing startkde &. This problem exists because
the kde pty allocation program shipped with KDE was not ported to OpenBSD,
the result being that all the OpenBSD [pt]typ's allocated to konsole sessions
by KDE are root-owned and world rw. There is also a problem with the socket
/tmp/.X11-unix/X0. This is documented on the web and even in an OpenBSD
presentation on XFree86 from about 2002.
>
> jcr
>
I have learned a lot about OpenBSD, Xorg and KDE in the last week dealing
with this problem. If I weren't an OpenBSD diehard before, I certainly am now.

Dave Feustel


Re: A Little Tip for OpenBSD Users of KDE

Otto Moerbeek
On Tue, 27 Dec 2005, Dave Feustel wrote:

> by KDE are root-owned and world rw. There is also a problem with the socket
> /tmp/.X11-unix/X0. This is documented on the web and even in an OpenBSD
> presentation on XFree86 from about 2002.

Dunno about KDE but can you elaborate or give refs why having a world
writable unix domain socket is considered a problem?

The references I've found talk about a missing sticky bit on the
/tmp/.X11-unix dir, which is something different.

        -Otto


Re: A Little Tip for OpenBSD Users of KDE

Greg Thomas-3
In reply to this post by dfeustel
On 12/27/05, Dave Feustel <[hidden email]> wrote:

> On Monday 26 December 2005 22:12, J.C. Roberts wrote:
> > On Mon, 26 Dec 2005 11:39:22 -0500, Dave Feustel
> > <[hidden email]> wrote:
> >
> > >Don't use sudo in any konsole session.
> >
> > Dave,
> >
> > I don't think you're nuts but the fear mongering without providing any
> > proof or details of a compromise is questionable at best.
>
>
> > If you really were compromised while running OpenBSD, you aren't the
> > first and probably won't be the last. As for leaving a terminal window
> > open with root privs, sudo or su, it has *always* been a bad idea:
>
> I never run root any more. Just long enough to install, add a user or two,
> and set up sudo. I have added a large number of packages and also
> compiled and installed other software not in the OpenBSD package
> collection. So I may have introduced a few holes at the user level myself.
>
> I have constantly been looking for signs of changes only possible via root.
> So far I have almost been able to convince myself that the intruder is doing
> whatever with my user privileges only.

Have you done any intrusion detection beyond this?  What's your
network topology?  What is your first impression of how the intruder
is getting in?  Is it another local user, i.e. one who already has an
account on your box?  If there are no other local users on your box
are you monitoring connections to the possibly exploited system from
another system?

Greg


Re: A Little Tip for OpenBSD Users of KDE

dfeustel
In reply to this post by Otto Moerbeek
On Tuesday 27 December 2005 11:05, Otto Moerbeek wrote:
>
> On Tue, 27 Dec 2005, Dave Feustel wrote:
>
> > by KDE are root-owned and world rw. There is also a problem with the socket
> > /tmp/.X11-unix/X0. This is documented on the web and even in an OpenBSD
> > presentation on XFree86 from about 2002.
>
> Dunno about KDE but can you elaborate or give refs why having a world
> writable unix domain socket is considered a problem?

Here is a presentation of XFree86 security issues that I found yesterday
that seems to be relevant. X0 permissions are specifically addressed. I am
definitely having fewer (if any) problems after several times rm'ing the tmp
files associated with Xorg and KDE. I've done it with no problems except
when I do it while KDE is running. Then DCOP dies. The most reliable way
of reactivating DCOP correctly is (right now) to reboot KDE.

http://www.openbsd.org/papers/xf86-sec.pdf


Re: A Little Tip for OpenBSD Users of KDE

Otto Moerbeek
On Tue, 27 Dec 2005, Dave Feustel wrote:

> On Tuesday 27 December 2005 11:05, Otto Moerbeek wrote:
> >
> > On Tue, 27 Dec 2005, Dave Feustel wrote:
> >
> > > by KDE are root-owned and world rw. There is also a problem with the socket
> > > /tmp/.X11-unix/X0. This is documented on the web and even in an OpenBSD
> > > presentation on XFree86 from about 2002.
> >
> > Dunno about KDE but can you elaborate or give refs why having a world
> > writable unix domain socket is considered a problem?
>
> Here is a presentation of XFree86 security issues that I found yesterday
> that seems to be relevant. X0 permissions are specifically addressed. I am
> definitely having fewer (if any) problems after several times rm'ing the tmp
> files associated with Xorg and KDE. I've done it with no problems except
> when I do it while KDE is running. Then DCOP dies. The most reliable way
> of reactivating DCOP correctly is (right now) to reboot KDE.
>
> http://www.openbsd.org/papers/xf86-sec.pdf

Indeed this paper mentions problems with unix domain sockets. But it
is talking about socket _creation_, not _using_ a unix domain
socket.

So far you only have given very vague, circumstantial evidence.

        -Otto


Re: A Little Tip for OpenBSD Users of KDE

Daniel Ouellet
Dave,

I keep reading your emails and many answers to them as well. So far,
nothing is evidence of anything yet. Also, based on some of your latest
emails, it looks like the intruder is still coming back to your box
and you reboot KDE to kick him/her out.

It looks like you are saying there is a security problem, but yet you still
provide no details whatsoever on your setup, what you do, what's
installed, how he/she may get in, etc.

If there is really a problem, then provide the information, all of it.
If the intruder is still coming in, then the entry door is still open.
So, I am not saying this should be done, but either provide all
the details, or maybe even better, if someone from the project wants to
look at it as it is happening, then let them do so, if they want to,
obviously.

If there is any security problem in OpenBSD of any kind, I am sure many
developers would be all over it by now, but it doesn't look to me that
there is one, project related anyway, or if it is from some packages
provided by the project as well, I am sure they would love to know that
and address it! After all, they live for that, in a manner of speaking anyway!

With all due respect to you, and I intend no disrespect whatsoever, it
really starts to be more annoying than helpful. Please provide details,
ALL of them, so that better minds can look at it seriously and if there is a
problem, address it ASAP.

If instead you try to keep the information to yourself, for whatever
reason, then do so. But in all fairness, what you do now is very much
annoying at best. Again, believe me, I mean no offense to you or anyone
else, but it is just how it is from my side. So, if there is a real
problem, put it under the spotlight and let's get it fixed, or else.

Just an idea and that was my first and last email on that one.

Daniel


Re: A Little Tip for OpenBSD Users of KDE

Ted Unangst-2
In reply to this post by Otto Moerbeek
On 12/27/05, Otto Moerbeek <[hidden email]> wrote:
> On Tue, 27 Dec 2005, Dave Feustel wrote:
>
> > by KDE are root-owned and world rw. There is also a problem with the socket
> > /tmp/.X11-unix/X0. This is documented on the web and even in an OpenBSD
> > presentation on XFree86 from about 2002.
>
> Dunno about KDE but can you elaborate or give refs why having a world
> writable unix domain socket is considered a problem?

this is obviously a source of confusion.  the permissions on a socket
mean *nothing*.  anyone can open any socket regardless of permissions,
so long as they have necessary directory permissions to find it.


Re: A Little Tip for OpenBSD Users of KDE

dfeustel
In reply to this post by Daniel Ouellet
Marc Espie and Dirk at kde have acknowledged the security problem OpenBSD
has with kde kgrantpty. The problem with /tmp/.X11-unix/X0 addressed by the
2003 paper on XFree86 still exists today with Xorg. If the rest of you fail to see
the problem, even when the evidence is available to you on your respective
systems, so be it.

On Tuesday 27 December 2005 14:56, Daniel Ouellet wrote:

> Dave,
>
> I keep reading your emails and many answers to them as well. So far,
> nothing is evidence of anything yet. Also, based on some of your latest
> emails, it looks like the intruder is still coming back to your box
> and you reboot KDE to kick him/her out.
>
> It looks like you are saying there is a security problem, but yet you still
> provide no details whatsoever on your setup, what you do, what's
> installed, how he/she may get in, etc.
>
> If there is really a problem, then provide the information, all of it.
> If the intruder is still coming in, then the entry door is still open.
> So, I am not saying this should be done, but either provide all
> the details, or maybe even better, if someone from the project wants to
> look at it as it is happening, then let them do so, if they want to,
> obviously.
>
> If there is any security problem in OpenBSD of any kind, I am sure many
> developers would be all over it by now, but it doesn't look to me that
> there is one, project related anyway, or if it is from some packages
> provided by the project as well, I am sure they would love to know that
> and address it! After all, they live for that, in a manner of speaking anyway!
>
> With all due respect to you, and I intend no disrespect whatsoever, it
> really starts to be more annoying than helpful. Please provide details,
> ALL of them, so that better minds can look at it seriously and if there is a
> problem, address it ASAP.

Quite frankly, it is becoming clear to me that I'm better off to keep
quiet about things I become aware of. And not just wrt computers.
I'm perhaps relearning that lesson quite late in life. I was told in 7th
Grade by an exasperated history teacher "you don't let people *know*
that(what?) you know"! One of my survival skills perhaps? :-)
 
> If instead you try to keep the information to yourself, for whatever
> reason, then do so. But in all fairness, what you do now is very much
> annoying at best. Again, believe me, I mean no offense to you or anyone
> else, but it is just how it is from my side. So, if there is a real
> problem, put it under the spotlight and let's get it fixed, or else.
>
> Just an idea and that was my first and last email on that one.
>
> Daniel

Your comments are taken in the spirit in which they are offered.

I'll try hard in the future to let sleeping dogs lie.

Happy New Year,
Dave



Re: A Little Tip for OpenBSD Users of KDE

Otto Moerbeek
In reply to this post by Ted Unangst-2
On Tue, 27 Dec 2005, Ted Unangst wrote:

> On 12/27/05, Otto Moerbeek <[hidden email]> wrote:
> > On Tue, 27 Dec 2005, Dave Feustel wrote:
> >
> > > by KDE are root-owned and world rw. There is also a problem with the socket
> > > /tmp/.X11-unix/X0. This is documented on the web and even in an OpenBSD
> > > presentation on XFree86 from about 2002.
> >
> > Dunno about KDE but can you elaborate or give refs why having a world
> > writable unix domain socket is considered a problem?
>
> this is obviously a source of confusion.  the permissions on a socket
> mean *nothing*.  anyone can open any socket regardless of permissions,
> so long as they have necessary directory permissions to find it.

That used to be the case. But since quite some time, you'll need
write permission to open a unix domain socket.

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/kern/uipc_usrreq.c?rev=1.2&content-type=text/x-cvsweb-markup

        -Otto
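An added example (not from the thread or from any of its authors) that checks Otto's point on a current system: a listening unix-domain socket is bound under /tmp, its file mode is changed, and a second socket in the same process tries to connect. It assumes a writable /tmp and a kernel that applies write permission on the socket file at connect() time, as OpenBSD and Linux do; running as root bypasses the DAC check, so the 0000 case then connects anyway.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Create a listening unix-domain socket at `path`, set its file mode,
 * then connect() to it from a second socket in the same process.
 * Returns 0 if the connect succeeds, otherwise the errno it failed with
 * (EACCES when the socket file's permission bits deny write access). */
int probe_connect(const char *path, mode_t mode) {
    struct sockaddr_un sa;
    int srv, cli, err = 0;

    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, path, sizeof sa.sun_path - 1);
    unlink(path);                       /* drop a stale socket from an earlier run */

    srv = socket(AF_UNIX, SOCK_STREAM, 0);
    if (srv < 0)
        return errno;
    if (bind(srv, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(srv, 1) < 0 ||
        chmod(path, mode) < 0) {        /* the bits the kernel consults on connect */
        err = errno; close(srv); unlink(path); return err;
    }

    cli = socket(AF_UNIX, SOCK_STREAM, 0);
    if (cli < 0) { err = errno; close(srv); unlink(path); return err; }
    if (connect(cli, (struct sockaddr *)&sa, sizeof sa) < 0)
        err = errno;                    /* EACCES: write permission refused */

    close(cli); close(srv); unlink(path);
    return err;
}

int main(void) {
    const char *p = "/tmp/permprobe.sock";   /* constructed test path */
    int e1 = probe_connect(p, 0600);         /* owner may write: connects */
    int e2 = probe_connect(p, 0000);         /* nobody may write: EACCES */
    printf("mode 0600: %s\n", e1 ? strerror(e1) : "connected");
    printf("mode 0000: %s\n", e2 ? strerror(e2) : "connected");
    if (geteuid() == 0)
        printf("(running as root: file permission checks are bypassed)\n");
    return 0;
}
```

The same probe, pointed at a socket owned by another user, is how to confirm whether a given kernel enforces the check Otto describes or the older "permissions mean nothing" behaviour Ted remembered.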


Re: A Little Tip for OpenBSD Users of KDE

Ted Unangst-2
On 12/27/05, Otto Moerbeek <[hidden email]> wrote:
> > this is obviously a source of confusion.  the permissions on a socket
> > mean *nothing*.  anyone can open any socket regardless of permissions,
> > so long as they have necessary directory permissions to find it.
>
> That used to be the case. But since quite some time, you'll need
> write permission to open a unix domain socket.

wow, crazy.  i knew it was like that on linux, but never checked at home. :)


Re: A Little Tip for OpenBSD Users of KDE

Damien Miller
In reply to this post by dfeustel
Dave Feustel wrote:
> The problem with /tmp/.X11-unix/X0 addressed by the
> 2003 paper on XFree86 still exists today with Xorg.

What problem? X11 implements its own authentication.

-d