On Tue, 2006-09-26 at 21:08 -0400, Wesley Craig wrote:
> On 26 Sep 2006, at 20:53, Jon Oberheide wrote:
> > /* we checked sizes when we wrote this data to a trusted file system */
> > Why does cosign make such an assumption? It's not a stretch to imagine
> > cosign's file store mounted over the network via NFS for example. An
> > attack compromising the NFS box could lead to the compromise of the
> > cosign server as well under this assumption.
> The data in the file system is the only thing valuable that the
> cosign server manages, more or less. It contains all of the logged
> in users' credentials, and tells every cosign protected server who
> every user is. The comment "trusted file system" means, "if you
> can't trust your file system, you've made an unrecoverable mistake."
Understood, but it just seems silly to be strcpy'ing into a static
buffer, trusted or not. Throw in a few strlcpy's and sanity checks and
that unrecoverable mistake may become an auditable log event.
> If you think this is a bad assumption, feel free to submit a patch.
I'd love to, but I'm currently just getting my feet wet in the codebase.
> BTW, are you reviewing cosign's comments for fun or profit?
For fun, of course! Although profit is a good idea, perhaps a cosign
bounty? I would commit $100 (and I'm a poor, starving student!) for the
discovery of a remote hole resulting in session compromise/code
execution/privilege escalation via the browser or service host vector.
Jon Oberheide <jonojono@...>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE
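The strcpy-versus-bounded-copy point raised in the reply above, as an added example in C. This is not cosign's code: the field size FIELD_MAX, the record layout, the function names and the sample records are all hypothetical, chosen only to show how a blind strcpy from a "trusted" file compares with a bounded copy that refuses and logs an oversized field instead of overrunning the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size field copied from an on-disk cookie/session
 * record into a static buffer.  The size is an assumption for this example. */
#define FIELD_MAX 64

/* Portable bounded length (strnlen is not declared on every libc without
 * feature macros, so it is written out here). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* The pattern objected to in the thread: the size check happened when the
 * record was written, so the read path trusts the file and copies blindly.
 * A record longer than FIELD_MAX - 1 bytes silently overruns 'dst'.  It is
 * only ever called with short input here, because the overflow is undefined
 * behaviour. */
static void load_field_trusting(char dst[FIELD_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Hardened variant: bound the copy and report instead of truncating.
 * Returns 0 on success; -1 with 'dst' cleared and a log line written if
 * the field would not fit.  This is the behaviour a strlcpy plus a check
 * of its return value gives, made explicit. */
static int load_field_checked(char dst[FIELD_MAX], const char *src,
                              const char *record_name, FILE *log)
{
    size_t n = bounded_len(src, FIELD_MAX);
    if (n == FIELD_MAX) {
        /* FIELD_MAX bytes or more: a corrupted or hostile record.  Make the
         * failure an observable event rather than a silent memory write. */
        memset(dst, 0, FIELD_MAX);
        if (log)
            fprintf(log, "%s: field exceeds %d bytes, record rejected\n",
                    record_name, FIELD_MAX - 1);
        return -1;
    }
    memcpy(dst, src, n + 1);   /* includes the terminating NUL */
    return 0;
}

/* Constructed sample record standing in for one field of a cookie file. */
static const char *const SAMPLE_OK = "user@example.edu";

/* Wrappers returning 1 on the expected outcome, so results can be checked. */
int check_ok_record(void)
{
    char buf[FIELD_MAX];
    return load_field_checked(buf, SAMPLE_OK, "sample-ok", NULL) == 0
        && strcmp(buf, SAMPLE_OK) == 0;
}

int check_oversized_record(void)
{
    char big[FIELD_MAX + 32];          /* constructed oversized field */
    char buf[FIELD_MAX];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    memset(buf, 'x', sizeof buf);      /* pre-fill to confirm it is cleared */
    return load_field_checked(buf, big, "sample-oversized", NULL) == -1
        && buf[0] == '\0';
}

int main(void)
{
    char buf[FIELD_MAX];
    char big[FIELD_MAX + 32];

    load_field_trusting(buf, SAMPLE_OK);   /* safe only because the input is short */
    printf("trusting copy: %s\n", buf);

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    if (load_field_checked(buf, big, "cookie-record-7", stderr) != 0)
        printf("oversized record rejected and logged\n");
    return 0;
}
```

With a real log sink in place of stderr, the rejected record becomes exactly the auditable event described above: the server still refuses to serve a corrupted store, but a tampered file shows up in the logs instead of as a silent overwrite of whatever sits after the buffer.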