more security bugs

6.2 Release seems to me to be completely insecure.

Similar bug as in phshutdown exists in phlocale.
Link your ~/.ph/.ABLANG to any file, and this file will be overwritten.
Ownership will be set to the user, which is even more dangerous than in
phshutdown. You can edit /etc/passwd this way or any other system
critical file.

Next: permissions. Something awful is happening with executable file
permissions when using pkg-installer.
Directory ‘/boot’ and some subdirectories, in which all system files are
stored (ifs & qfs), are world-writeable.
Some executables from the default installation are world-writeable, like
ALL Photon games, phrelay (phrelaycfg too!), ICA.

Almost all the stuff from the QNX 3rd-party CD installs world-writeable,
and makes ‘/usr’ world-writeable too. Why? I do not think it is a good
idea to extend package directory permissions on existing (system!)
directories. Some packages contain binaries with a pretty weird uid:gid
set, like ssh, sigc++ and many others.
Some examples of packages installing binaries world-writeable: emacs,
gdb, libraries, zsh and lots of others.
Just try to find them all with ‘find / -perm 0666’. (find / -perm 0777)
This is a critical security bug, and even Linux (which is the buggiest
unixish system overall) doesn’t have such bugs.

Maybe it is a good idea to embed some rules into
packager/pkg-installer to avoid such things? Let it accept default
uids and gids, and permissions suitable for running a multiuser system.

Dmitry

P.S. I use my system at home, and I do not allow any user to access my
machine. But developers’ machines could be installed in huge corporate
LANs, and such a weakly secured machine as QNX in a default install (who
cares about their security, anyway?) could be compromised and be a
‘tunnel’ for a malicious person. IMO, QNX should be a secure OS, at least
not providing such things as world-writeable binaries in the default
installation.
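
An added example, not part of the original post: a POSIX shell audit for the permission problem described above. It goes beyond the exact-mode `find / -perm 0666` search by matching any mode that has the other-write bit set (`-perm -0002`); the function names are hypothetical, and reading "weird uid:gid" as IDs with no passwd/group entry is an assumption.

```sh
#!/bin/sh
# Added example: function names are hypothetical; the caller chooses the root.

# Select regular files and directories under $1 whose "other" write bit is
# set, then apply the find action given in the remaining arguments.
# -perm -0002 matches every mode containing that bit (0666, 0777, 0646, ...),
# while -perm 0666 matches mode 0666 only. Sticky directories such as /tmp
# are skipped: the sticky bit limits deletion there to each file's owner.
# Symlinks are never matched, since only -type f and -type d are selected.
ww_find() {
    root=$1; shift
    find "$root" -xdev \( \
        \( -type f -perm -0002 \) -o \
        \( -type d -perm -0002 ! -perm -1000 \) \
    \) "$@"
}

# Print every world-writable file and non-sticky directory under $1.
world_writable() { ww_find "$1" -print; }

# Print files whose numeric owner or group has no entry in the user or
# group database (one reading of "weird uid:gid"; an assumption).
orphan_owned() { find "$1" -xdev \( -nouser -o -nogroup \) -print; }

# Clear the other-write bit on everything world_writable reports, then
# return non-zero if anything under $1 is still world-writable.
strip_world_write() {
    ww_find "$1" -exec chmod o-w {} +
    [ -z "$(world_writable "$1")" ]
}
```

Run `world_writable /usr` right after a package install to see what the installer left behind; review the list before calling `strip_world_write`.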

Thank you for your findings. We’re in the process of a security audit even
as I write this. I’m forwarding this post to the concerned developers.

cheers,

Kris

“Dmitry Alexeyev” <dmi@qnx.org.ru> wrote in message
news:3D7CE140.5040106@qnx.org.ru

6.2 Release seems to me to be completely insecure.

Similar bug as in phshutdown exists in phlocale.
Link your ~/.ph/.ABLANG to any file, and this file will be overwritten.
Ownership will be set to the user, which is even more dangerous than in
phshutdown. You can edit /etc/passwd this way or any other system
critical file.

Next: permissions. Something awful is happening with executable file
permissions when using pkg-installer.
Directory ‘/boot’ and some subdirectories, in which all system files are
stored (ifs & qfs), are world-writeable.
Some executables from the default installation are world-writeable, like
ALL Photon games, phrelay (phrelaycfg too!), ICA.

Almost all the stuff from the QNX 3rd-party CD installs world-writeable,
and makes ‘/usr’ world-writeable too. Why? I do not think it is a good
idea to extend package directory permissions on existing (system!)
directories. Some packages contain binaries with a pretty weird uid:gid
set, like ssh, sigc++ and many others.
Some examples of packages installing binaries world-writeable: emacs,
gdb, libraries, zsh and lots of others.
Just try to find them all with ‘find / -perm 0666’. (find / -perm 0777)
This is a critical security bug, and even Linux (which is the buggiest
unixish system overall) doesn’t have such bugs.

Maybe it is a good idea to embed some rules into
packager/pkg-installer to avoid such things? Let it accept default
uids and gids, and permissions suitable for running a multiuser system.

Dmitry

P.S. I use my system at home, and I do not allow any user to access my
machine. But developers’ machines could be installed in huge corporate
LANs, and such a weakly secured machine as QNX in a default install (who
cares about their security, anyway?) could be compromised and be a
‘tunnel’ for a malicious person. IMO, QNX should be a secure OS, at least
not providing such things as world-writeable binaries in the default
installation.

Dmitry, are you using the updated fs-pkg from the developers site? I have
the entire 3rd party cd installed + the fs-pkg update on all my machines (here and
at home) and my /usr isn’t world writeable on any of these.


Kris Warkentin <kewarken@qnx.com> wrote:

Thank you for your findings. We’re in the process of a security audit even
as I write this. I’m forwarding this post to the concerned developers.

cheers,

Kris


No, I do not have the patch installed. And I have no clue about how
‘/usr/’ became world-writeable. I’ll try to find the way it happened and
post here if I succeed. But I still think the Package Installer should
check for such things.

Dmitry

David Rempel wrote:

Dmitry, are you using the updated fs-pkg from the developers site? I have
the entire 3rd party cd installed + the fs-pkg update on all my machines (here and
at home) and my /usr isn’t world writeable on any of these.

Updated versions of phshutdown and phlocale have been posted on the updates page. These should plug those holes
in security up. You’ll probably want to remove the $(HOME)/.ph/.ABLANG and $(HOME)/.ph/phshutdown.cfg files
so that they get created with the proper permissions after installing these versions.

http://www.qnx.com/developer/download/updates/

Dave Rempel
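
An added example, not QNX's or the poster's code: a shell helper for the cleanup step above, meant to be run by the account that owns the home directory. It reports whether `.ph/.ABLANG` or `.ph/phshutdown.cfg` had been replaced by a symlink before unlinking it; the function names and state labels are hypothetical.

```sh
#!/bin/sh
# Added example: names and state labels are hypothetical. The two file
# names are the ones given in the post above.
PH_FILES=".ABLANG phshutdown.cfg"

# Classify a path without following it: symlink, absent, regular or other.
# The -L test comes first so a dangling symlink is not reported as absent.
ph_file_state() {
    if [ -L "$1" ]; then echo symlink
    elif [ ! -e "$1" ]; then echo absent
    elif [ -f "$1" ]; then echo regular
    else echo other
    fi
}

# Remove the stale files under $1/.ph so the updated utilities recreate
# them. Prints one "state path" line per file and returns 1 if a symlink
# was found, which is worth investigating. rm unlinks the symlink itself
# and never touches the file it points to.
ph_cleanup() {
    ph_dir="$1/.ph"
    # If .ph itself is a symlink, the paths below would resolve elsewhere:
    # report it and remove nothing.
    if [ -L "$ph_dir" ]; then
        echo "symlink $ph_dir"
        return 1
    fi
    found=0
    for name in $PH_FILES; do
        path="$ph_dir/$name"
        state=$(ph_file_state "$path")
        echo "$state $path"
        case $state in
            symlink) found=1; rm -f -- "$path" ;;
            regular) rm -f -- "$path" ;;
        esac
    done
    return "$found"
}
```

Call it as `ph_cleanup "$HOME"`; entries reported as `other` (a directory or FIFO in place of the file) are left alone for manual inspection.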

Thank you, David!

Just posted news about it on qnx.org.ru

Dmitry
