NetBSD Problem Report #40576

From www@NetBSD.org  Sun Feb  8 16:40:02 2009
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id 0826263B896
	for <gnats-bugs@gnats.netbsd.org>; Sun,  8 Feb 2009 16:40:02 +0000 (UTC)
Message-Id: <20090208164001.CC19763B882@narn.NetBSD.org>
Date: Sun,  8 Feb 2009 16:40:01 +0000 (UTC)
From: luke@maurits.id.au
Reply-To: luke@maurits.id.au
To: gnats-bugs@NetBSD.org
Subject: veriexecgen sets no explicit access mode for some files and the default behaviour of veriexec in face of this cause errors
X-Send-Pr-Version: www-1.0

>Number:         40576
>Category:       security
>Synopsis:       veriexecgen sets no explicit access mode for some files and the default behaviour of veriexec in face of this cause errors
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    security-officer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Feb 08 16:45:00 +0000 2009
>Last-Modified:  Fri May 08 15:55:01 +0000 2009
>Originator:     Luke Maurits
>Release:        5.0_RC1
>Organization:
>Environment:
NetBSD sumomo 5.0_RC1 NetBSD 5.0_RC1 (GENERIC) #0: Wed Jan 28 10:59:04 PST 2009  builds@wb25:/home/builds/ab/netbsd-5/i386/200901280002Z-obj/home/builds/ab/netbsd-5/src/sys/arch/i386/compile/GENERIC i386
>Description:
After running veriexecgen(8) on an install of NetBSD 5.0 RC1 and putting the line 'veriexec=YES' in /etc/rc.conf and rebooting, the following errors are generated:

Veriexec: Incorrect access type. [/bin/sh, prog=sh pid=232, uid=0, gid=0]
Veriexec: Incorrect access type. [/usr/libexec/virecover, prog=sh pid=232, uid=0, gid=0]
Veriexec: Incorrect access type. [/bin/sh, prog=postfix pid=281, uid=0, gid=0]
Veriexec: Incorrect access type. [/bin/sh, prog=sh pid=304, uid=0, gid=0]
Veriexec: Incorrect access type. [/bin/sh, prog=sh pid=327, uid=0, gid=0]
Veriexec: Incorrect access type. [/bin/sh, prog=file pid=620, uid=0, gid=0]

Inspection of /etc/signatures reveals that files in /lib and /usr/lib have access types explicitly specified ("file, indirect") but files in directories used for executables (e.g. /bin, /sbin/, etc.) have no explicitly given types.

Previous discussion seems to suggest that the intention (as described in man pages) has always been that, in the face of no explicit settings, the default should be to facilitate both direct and indirect execution, but that this has not always worked due to a bug.  See, e.g.:

http://mail-index.netbsd.org/tech-kern/2008/02/19/msg000395.html

Note in particular: "You are correct, looking at the code it seems that only "direct" is set".

Manually editing /etc/signatures and adding only "direct" as an access mode for /bin/sh did nothing to fix my error messages.  Editing the file again and also adding "indirect" removed all the errors associated with /bin/sh.  It seems like this old issue has not been fixed - in the absence of an explicit access type setting, veriexec assumes only direct and not indirect access.
>How-To-Repeat:
* Install NetBSD 5.0 RC_1
* Run 'veriexecctl'
* Add 'veriexec=YES' to /etc/rc.conf
* Reboot
* Watch kernel output during boot (or examine dmesg after logging in)
>Fix:
End users can fix the problem by manually editing /etc/signatures to specify required access types for files which do not have explicit settings given by veriexecgen.

The NetBSD project can fix the problem by:

1) Changing veriexecgen to explicitly set correct access types for all files in places where it can be relatively certain as to the appropriate settings.

and/or

2) Changing the behaviour of veriexec so that in the absence of an explicit access type setting, both direct and indirect access are allowed.

>Audit-Trail:
From: Elad Efrat <elad@NetBSD.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: security/40576: veriexecgen sets no explicit access mode for some 
	files and the default behaviour of veriexec in face of this cause errors
Date: Fri, 8 May 2009 18:53:10 +0300

 There are two issues here.

 First, the kernel sets "direct" if no flags are specified. I think
 it's right -- the messages you're seeing should be considered
 "diagnostic" in low strict levels, and they give you the opportunity
 to adjust your fingerprints file. Furthermore, the documentation
 suggests using strict level 0 ("learning" mode) to fine-tune the
 database.

 That said, I plan on adding functionality to veriexecgen largely based
 on code from mjf@ (with some tiny tweaks from me) to allow "heuristic"
 guessing of the flags.

 Thanks,

 -e.
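
An added example, not part of the PR or of NetBSD's own tools: a small audit that lists signature entries with no explicit access type, plus named interpreters whose flags lack "indirect", which is the condition behind the "Incorrect access type" messages reported above. It assumes each entry is "path algorithm fingerprint [flags]" separated by whitespace, with no whitespace inside paths; the sample entries, the fingerprint placeholder and the function names are constructed for illustration.

```sh
#!/bin/sh
# audit_signatures FILE [INTERPRETER_PATH ...]
# Prints one finding per line:
#   noflags <path>     entry has no access type (the kernel then sets "direct")
#   noindirect <path>  named interpreter whose flags do not include "indirect"
# Assumed entry layout: path algorithm fingerprint [flag[, flag...]]
audit_signatures() {
    sigfile=$1; shift
    awk -v interps="$*" '
        BEGIN { n = split(interps, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NF == 0 || $1 ~ /^#/ { next }              # skip blank lines and comments
        NF < 3 { print "malformed line " NR; next }
        {
            # Flags may be written "file, indirect": join fields 4..NF.
            flags = ""
            for (i = 4; i <= NF; i++) flags = flags $i
            if (flags == "") print "noflags " $1
            if ($1 in want) {
                has = 0
                m = split(flags, f, ",")
                for (i = 1; i <= m; i++) if (f[i] == "indirect") has = 1
                if (!has) print "noindirect " $1
            }
        }
    ' "$sigfile"
}

# Constructed sample database; PLACEHOLDER stands in for real fingerprints.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not real veriexecgen output
/bin/sh SHA256 PLACEHOLDER
/bin/ls SHA256 PLACEHOLDER direct
/lib/libexample.so SHA256 PLACEHOLDER file, indirect
/bin/ksh SHA256 PLACEHOLDER direct
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_signatures "$sample" /bin/sh /bin/ksh
rm -f "$sample"
```

Run against a copy of /etc/signatures in learning mode, the output is the list of entries to review before raising the strict level.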
