Date: Sun, 14 Jul 1996 17:41:02 -0600 (MDT)
From: marcs@worldgate.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: docs/1383: ppp(8) man page suggests using shell script for login shell
Message-ID: <199607142341.RAA26793@scanner.worldgate.com>
Resent-Message-ID: <199607142350.QAA12537@freefall.freebsd.org>
>Number:         1383
>Category:       docs
>Synopsis:       ppp(8) man page suggests using shell script for login shell
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 14 16:50:01 PDT 1996
>Last-Modified:
>Originator:     Marc Slemko
>Organization:
>Release:        FreeBSD 2.1-STABLE i386
>Environment:
FreeBSD 2.1.0-RELEASE, 2.1.5-RELEASE and current.
>Description:
Around line 465 of the ppp(8) man page source there is a suggested login
shell to be used for PPP users:

    #!/bin/sh
    /usr/sbin/ppp -direct

It is a shell script. That means there is some security risk in that any
user with the suggested shell script for their login shell can get an
interactive shell quite easily in most cases. In itself, this is not
strictly a security hole, but it is unexpected behavior to many people.
>How-To-Repeat:
There are many potential problems; one trivial way to exploit the problem
is detailed below.

Create a user with the suggested shell script as their login shell. Then:

------------------------------------------------------------
$ telnet
telnet> environ define ENV /etc/shells
telnet> environ export ENV
telnet> open destination
Trying 192.168.0.1...
Connected to destination.
Escape character is '^]'.

FreeBSD (destination) (ttyp0)

login: user
Password:
Last login: Sun Jul 14 17:27:16 from source
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

Cannot fork
$
------------------------------------------------------------

The user now has a shell. They can't immediately run any other programs,
since the various shells have started copy after copy until the user's
process limit was reached, but that is trivial to get around.
>Fix:
Either:

- document the possible security implications
- change the sample script to a perl script (probably more secure, but
  not really a great solution)
- change the sample script to a C wrapper and possibly include and/or
  install the source/binary as a separate file (probably the best
  solution)

Note that, IMHO, whatever script or wrapper is used should be sure to
exec ppp; no sense in having a program hanging around for no reason doing
nothing more than wait for ppp to exit.
>Audit-Trail:
>Unformatted:
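As an added example, not code from this report or from the ppp(8) man page, one shape the C wrapper proposed in the third fix option could take: no interpreter is started, the inherited environment is replaced by an allow-listed subset, and ppp is exec'd rather than spawned. The allow list, the fixed PATH and the file name are assumptions, not anything the report specifies.

```c
/* pppshell.c (hypothetical): login shell that execs ppp(8) directly.
 * Because no /bin/sh is involved, variables such as ENV that a remote
 * user exports through telnet's "environ" command are never interpreted. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

#define PPP_PATH "/usr/sbin/ppp"   /* path from the man page example */

/* Assumed allow list: only these names survive into ppp's environment. */
static const char *const KEEP[] = { "HOME", "USER", "LOGNAME", "TERM", NULL };

/* Return 1 if "NAME=value" has a NAME on the allow list, else 0. */
int keep_env_var(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;
    size_t n = (size_t)(eq - entry);
    for (int i = 0; KEEP[i] != NULL; i++)
        if (strlen(KEEP[i]) == n && strncmp(KEEP[i], entry, n) == 0)
            return 1;
    return 0;
}

/* Fill out[] with a fixed PATH followed by the allowed entries of in[],
 * NULL-terminate it and return the entry count. out must hold max+1 slots. */
size_t filter_env(char *const in[], char *out[], size_t max)
{
    size_t n = 0;
    if (max > 0)
        out[n++] = "PATH=/bin:/usr/bin:/sbin:/usr/sbin";
    for (size_t i = 0; in[i] != NULL && n < max; i++)
        if (keep_env_var(in[i]))
            out[n++] = in[i];
    out[n] = NULL;
    return n;
}

int main(void)
{
    char *clean[64];
    char *const argv[] = { "ppp", "-direct", NULL };
    filter_env(environ, clean, 63);
    execve(PPP_PATH, argv, clean);   /* exec: nothing lingers behind ppp */
    perror(PPP_PATH);
    return 127;                      /* reached only if the exec failed */
}
```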