Date:      Thu, 19 Sep 1996 08:17:13 -0400
From:      Gary Chrysler <tcg@ime.net>
To:        moos@degnet.baynet.de
Cc:        Benjamin Lewis <blewis@vet.purdue.edu>, FreeBSD-questions <questions@freebsd.org>
Subject:   Re: Quick Question
Message-ID:  <324139C9.748F@ime.net>
References:  <199609182000.PAA05245@ylana.vet.purdue.edu> <32412602.6D2@degnet.baynet.de>

Darius Moos wrote:
> 
> Yes you are right ... BUT this security-hole only occurs if you are a
> lazy administrator (sorry, I do NOT want to say you are lazy).
> I would never ever execute files as root that belong to other users.
> Doing so is really a security-hole. The administrator always has a
> simple user-account to play around in the system. It would be my
> fault when I'm executing unknown programs as root. When I could not
> resist, I'd do it as the unprivileged user.
> The other point is that IMHO adding "." to the end of the PATH-variable
> is harmless. Assume I had a user who wrote a little program that is
> able to crash my system and names it "mv"; he saves it to his home-
> directory and I as root am staying in his home-directory. Even when
> I type "mv ..." the right thing would happen: "/bin/mv ..." would
> be executed and NOT "<home-of-evil-user>/mv ...".
> The other way, when "." is the first thing in the PATH, this would be
> a security-hole introduced by the administrator.
> Maybe I got something wrong ???
> 
> Darius Moos.
> 

Sorry I don't buy this LAZY admin stuff!!
We all get busy (in a hurry) and forget the little things!
Having to type ./ to execute a currentdir prog makes you
stop and think!

IMHO lazy people have '.' in their path!
(No discredit to anyone, it's your choice)

But yes, If it's the last thing in your path it is safer!
Still not worth it to most!


> Benjamin Lewis wrote:
> >
> > You wrote:
> > > Please explain to me why this is a security-risk. I've always had
> > > "." in my PATH.
> >
> > Just imagine this scenario:
> >
> > You are "root" and I am Mr. Evil Dude, a user on your system.
> >
> > I compile a shell, and hide it somewhere in my directories, naming it something
> > that seems harmless, like "irc."
> >
> > Next, I write a little program that, when executed as root, changes the
> > set-uid bit on my hidden shell.  I name my little evil program "mroe" and have
> > it return "mroe: Command not found." after doing its job.
> >
> > Now, I create a really interesting looking directory in /tmp.  Something like
> > /tmp/WaReZ would probably get your attention.  I write a diatribe against
> > people who pirate software, and name it "README." I stick my little evil
> > program in /tmp/WaReZ, and wait for you to find the directory.
> >
> > You type "cd /tmp/WaReZ" and then "ls".  You see the README file and the mroe
> > file, but "mroe" doesn't mean anything to you.  You decide to look at the
> > README file to see what your crazy users are up to.  Maybe I stick a whole
> > bunch of different files in the directory to hide the "mroe" program better,
> > all of them innocent seeming.
> >
> > If I'm lucky, and you have fumbling fingers, my little program gets executed
> > and I suddenly have a suid root shell, which I use to have my way with your
> > computer and network.  You don't notice that anything weird has happened,
> > read my README file, decide that I'm a bit strange but obviously I'm an
> > upright fellow since I'm against software piracy and think nothing more of
> > it.
> >
> > The moral of the story is that root should only execute programs in
> > directories known to be controlled, unless he REALLY means to do otherwise.
> > Therefore, root should not have "." in its path.
> >
> > Hope this helps,
> >
> > -Ben
> >
> > --
> > Benjamin Lewis - blewis@vet.purdue.edu
> 
> --
> 
> email: moos@degnet.baynet.de

-- 
-Enjoy
Gary
~~~~~~~~~~~~~~~~
Improve America's Knowledge... Share yours
The Borg... Where minds meet
(207) 929-3848
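
Added example, not part of any poster's message: a POSIX shell check that reports every PATH entry which resolves relative to the current directory ("." itself, an empty entry from a leading, trailing or doubled colon, or a relative directory name) together with its position. The function name `audit_path`, the output format and the sample PATH value are this example's own, constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a PATH value for entries that depend on the
# current directory. Names and output format are this example's own.

# audit_path PATHSTRING
# Prints one line per risky entry: "<position> <kind> <entry>".
# Returns 0 if no entry depends on the current directory, 1 otherwise.
audit_path() {
    path_value=$1
    risky=0
    pos=0
    # Append ':' so a trailing empty entry is not lost while splitting.
    rest="${path_value}:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}      # text before the first ':'
        rest=${rest#*:}        # text after the first ':'
        pos=$((pos + 1))
        case $entry in
            "") kind="empty-entry-means-cwd" ;;  # "::", leading or trailing ':'
            .)  kind="dot-is-cwd" ;;
            /*) continue ;;                      # absolute directory: fine
            *)  kind="relative-to-cwd" ;;        # e.g. "bin" or "./bin"
        esac
        risky=1
        printf '%s %s %s\n' "$pos" "$kind" "${entry:-<empty>}"
    done
    return "$risky"
}

# Constructed sample: a root PATH with "." appended last, the setup
# debated in the thread.
audit_path "/sbin:/bin:/usr/sbin:/usr/bin:." ||
    echo "PATH depends on the current directory"
```

The position column shows whether the entry is searched first or last; a last-place "." is still searched for any name that no earlier directory provides, which is the mistyped "mroe" case in Benjamin Lewis's scenario.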



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?324139C9.748F>