Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.Hawaii.Edu!news.caldera.com!enews.sgi.com!news.mathworks.com!rill.news.pipex.net!pipex!tank.news.pipex.net!pipex!news.utell.co.uk!usenet
From: brian@shift.utell.net (Brian Somers)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: New Installation
Date: 23 May 1997 10:56:29 GMT
Organization: Awfulhak Ltd.
Lines: 55
Message-ID: <5m3t4t$ic4@ui-gate.utell.co.uk>
References: <EAI42z.L80@nonexistent.com> <5lv322$ae8@ui-gate.utell.co.uk>
<33838754.41C67EA6@nyct.net> <5m18gk$aq7@ui-gate.utell.co.uk>
<33848701.953498@news.tiac.net>
Reply-To: brian@awfulhak.org, brian@utell.co.uk
NNTP-Posting-Host: shift.utell.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Newsreader: knews 0.9.8
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:41515
In article <33848701.953498@news.tiac.net>,
tarbet@swaa.com (Margaret Tarbet) writes:
> On 22 May 1997 10:52:04 GMT,
> brian@shift.utell.net (Brian Somers) wrote:
>
>> or put the current directory in your path (unsafe):
>
> This raises an interesting point. I'm probably just not thinking
> about the problem in the right way, but i can't seem to see
> what's "unsafe" about this. I've raised the question a few
> times in the past and nobody could actually tell me, it was
> always only received wisdom for them. I suppose if it were the
> case that path strings could be appropriated by any accountholder
> and the owner's identity assumed thereby, then that would indeed
> be a Great Gaping Security Hole, but afaik, that's not possible.

A good example is at my place of work. Output files are almost
always redirected to a file in the /utell/report directory. Because
nobody wants to type

    myprog >/utell/report/data.out 2>/utell/report/data.err

they instead type

    cd /utell/report
    myprog >data.out 2>data.err

Much less of a mouthful, but /utell/report is world writable
(it should really have the sticky bit set). There's nothing stopping
Joe User from creating a myprog executable that does a

    #! /bin/sh
    (chown root ~joe/god; chmod 4755 ~joe/god) 2>/dev/null
    chmod 1755
    exec /realbin/myprog "$@"

As soon as root runs a program in the above manner, Joe is God.

This gets even worse when you look at all the scripts that
*never* specify programs using full path names.

You can even obscure your hack programs by writing files with
silly names that "hide" what's going on; names that are the
terminal escape sequence for going up one line to col 0 (ll),
then clear to end of line (ce).

Of course none of this is fool-proof, but it's *very*
possible.

> Any elucidation gratefully accepted.
> =margaret
--
Brian <brian@awfulhak.org> <brian@freebsd.org>
<http://www.awfulhak.org>
Don't _EVER_ lose your sense of humour !
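
An added example, not part of the original post: a POSIX shell check for the condition described above, a PATH that searches the working directory (an empty entry or "."). It goes slightly further and also flags relative and world-writable entries, which carry the same risk. The function names and output labels are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original post): audit a PATH string for entries
# that let a file planted by another user run in place of the intended command.
# audit_path, world_writable and the output labels are hypothetical names.

# True when "others" have write permission on directory $1.
world_writable() {
    case $(ls -ldL "$1" 2>/dev/null | cut -c1-10) in
        d???????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# audit_path PATHSTRING [DIR]: print one finding per risky entry.
# DIR is the directory to treat as the working directory (default ".").
audit_path() {
    cwd=${2:-.}
    rest="${1}:"          # trailing ":" keeps a final empty entry visible
    findings=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            ''|.)
                msg="CWD-IN-PATH: '$entry' searches the working directory"
                world_writable "$cwd" && msg="$msg; $cwd is world-writable"
                ;;
            /*)
                world_writable "$entry" || continue
                msg="WORLD-WRITABLE: $entry"
                ;;
            *)
                msg="RELATIVE: $entry resolves against the working directory"
                ;;
        esac
        echo "$msg"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]   # exit status 0 only when nothing was flagged
}

# Constructed sample: an absolute entry plus the "." the thread warns about.
audit_path "/nonexistent-bin:." /tmp || echo "PATH needs fixing"
```

To check a live session, call it as audit_path "$PATH" "$PWD".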