Date:      Sun, 14 Jul 1996 17:41:02 -0600 (MDT)
From:      marcs@worldgate.com
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   docs/1383: ppp(8) man page suggests using shell script for login shell
Message-ID:  <199607142341.RAA26793@scanner.worldgate.com>
Resent-Message-ID: <199607142350.QAA12537@freefall.freebsd.org>


>Number:         1383
>Category:       docs
>Synopsis:       ppp(8) man page suggests using shell script for login shell
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 14 16:50:01 PDT 1996
>Last-Modified:
>Originator:     Marc Slemko
>Organization:
>Release:        FreeBSD 2.1-STABLE i386
>Environment:

FreeBSD 2.1.0-RELEASE, 2.1.5-RELEASE and current.

>Description:

Around line 465 of the ppp(8) man page source there is a suggested login 
shell to be used for PPP users:
	#!/bin/sh
	/usr/sbin/ppp -direct

It is a shell script.  That means there is some security risk in that
any user with the suggested shell script for their login shell can get
an interactive shell quite easily in most cases.  In itself, this is
not strictly a security hole but it is unexpected behavior to many
people.

>How-To-Repeat:

There are many potential problems; one trivial way to exploit the
problem is detailed below.

Create a user with the suggested shell script as their login shell.  

Then:

------------------------------------------------------------
$ telnet
telnet> environ define ENV /etc/shells
telnet> environ export ENV
telnet> open destination
Trying 192.168.0.1...
Connected to destination.
Escape character is '^]'.

FreeBSD (destination) (ttyp0)

login: user
Password:
Last login: Sun Jul 14 17:27:16 from source
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.   All rights
reserved.

Cannot fork
$
------------------------------------------------------------

The user now has a shell.  They can't immediately run any other
programs, since the various shells have started copy after copy until
the user's process limit was reached, but that is trivial to get
around.

>Fix:
	
Either:
	- document the possible security implications
	- change the sample script to a perl script (probably more
	  secure, but not really a great solution)
	- change the sample script to a C wrapper and possibly include
	  and/or install the source/binary as a separate file (probably 
	  the best solution)

Note that, IMHO, whatever script or wrapper is used should be sure to exec
ppp; no sense in having a program hanging around for no reason doing
nothing more than wait for ppp to exit.

>Audit-Trail:
>Unformatted:
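
The C wrapper proposed under >Fix, as an added example that is not part of the original report or of the FreeBSD source: it execs ppp directly, so no shell runs that could read ENV, and it hands ppp only an allow-listed environment. The allow-list, the fixed PATH value and the name build_clean_env are assumptions of this example.

```c
/* ppplogin.c: compiled login "shell" for PPP users (added example). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define PPP_PATH "/usr/sbin/ppp"   /* path from the man page sample script */

/* Variables allowed through to ppp. This allow-list is an assumption of
 * the example; ENV and anything else the client exported is dropped. */
static const char *const keep[] = { "TERM", "USER", "HOME", "LOGNAME" };

/* Fill out[] with a minimal environment built from src[].
 * Returns the number of entries written, not counting the NULL. */
size_t build_clean_env(char *const src[], char *out[], size_t cap)
{
    static char path[] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
    size_t n = 0;

    if (cap < 2)
        return 0;
    out[n++] = path;                        /* fixed PATH, never inherited */
    for (size_t i = 0; src != NULL && src[i] != NULL && n + 1 < cap; i++) {
        for (size_t k = 0; k < sizeof(keep) / sizeof(keep[0]); k++) {
            size_t len = strlen(keep[k]);
            /* require an exact name match followed by '=' */
            if (strncmp(src[i], keep[k], len) == 0 && src[i][len] == '=') {
                out[n++] = src[i];
                break;
            }
        }
    }
    out[n] = NULL;
    return n;
}

extern char **environ;

int main(void)
{
    char *envp[16];
    char *argv[] = { "ppp", "-direct", NULL };

    build_clean_env(environ, envp, sizeof(envp) / sizeof(envp[0]));
    execve(PPP_PATH, argv, envp);           /* replaces this process */
    perror("execve " PPP_PATH);             /* reached only on failure */
    return 1;
}
```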


