NetBSD Problem Report #46774

From www@NetBSD.org  Mon Aug  6 08:05:43 2012
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	by www.NetBSD.org (Postfix) with ESMTP id 1776263B882
	for <gnats-bugs@gnats.NetBSD.org>; Mon,  6 Aug 2012 08:05:43 +0000 (UTC)
Message-Id: <20120806080542.352B463B85F@www.NetBSD.org>
Date: Mon,  6 Aug 2012 08:05:42 +0000 (UTC)
From: andrews@sdf.lonestar.org
Reply-To: andrews@sdf.lonestar.org
To: gnats-bugs@NetBSD.org
Subject: Root access without even trying / pkgsrc xdm 1.1.11nb1 badly broken
X-Send-Pr-Version: www-1.0

>Number:         46774
>Category:       pkg
>Synopsis:       Root access without even trying / pkgsrc xdm 1.1.11nb1 badly broken
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    bjs
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Aug 06 08:10:00 +0000 2012
>Last-Modified:  Tue Aug 07 12:20:01 +0000 2012
>Originator:     Andrew Smallshaw
>Release:        5.1 release
>Organization:
>Environment:
NetBSD n1a 5.1 NetBSD 5.1 (GENERIC) #1: Mon Feb 20 19:25:38 GMT 2012  root@furble:/usr/src/sys/arch/i386/compile/GENERIC i386
>Description:
xdm 1.1.11nb1 is sufficiently badly broken that it's actually difficult to say precisely what's up with it.  However the symptoms are:

- Xsetup scripts do not appear the be called regardless of what is stated in xdm-config.

- A script also seems to be missing immediately after user login.  Basic variables such as PATH are not set to sane initial values.

- No user change takes effect.  xdm accepts username and password then invokes user's .xsession AS ROOT.  Any xterms or similar opened up in the following X session are in fact root prompts.

Obviously it is that last one that has the security implications which is why I have categorized this as critical, but it I strongly suspect there is some other underlying root cause of all these issues.
>How-To-Repeat:
Try building and using xdm from a current pkgsrc of a recent stable release.
>Fix:
Not really a fix but highly effective: roll back to 1.1.9nb1 as the last known good version:

cd /usr/pkgsrc/x11/xdm
cvs update -rpkgsrc-2010Q1

It seems that there are few enough dependencies mixing up versions like this causes no big issue.

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: security-officer->bjs
Responsible-Changed-By: jnemeth@NetBSD.org
Responsible-Changed-When: Mon, 06 Aug 2012 17:13:31 +0000
Responsible-Changed-Why:
Package was miscategorised.  security is for problems with things in base.
Change category to pkg and assign to MAINTAINER.


From: "OBATA Akio" <obache@netbsd.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: pkg/46774 (Root access without even trying / pkgsrc xdm 1.1.11nb1
 badly broken)
Date: Tue, 07 Aug 2012 21:17:29 +0900

 1. install x11/xdm with X11_TYPE=modular
 2. /usr/pkg/share/example/rc.d/xdm onestart with `root' user.
 3. login my user and password via XDM
 4. cat ~/.xsession
     xterm&
     exec twm
 5. prompt of xterm is mine

 Please let me know how to reproduce your problem.

 -- 
 OBATA Akio / obache@NetBSD.org

>Unformatted:

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.