Date:      Fri, 17 Dec 2004 09:53:15 -0500
From:      Bill Vermillion <bv@wjv.com>
To:        freebsd-security@freebsd.org
Subject:   Re: Strange command histories in hacked shell history
Message-ID:  <20041217145315.GB68582@wjv.com>
In-Reply-To: <20041217120138.7A89116A4D2@hub.freebsd.org>
References:  <20041217120138.7A89116A4D2@hub.freebsd.org>

> Message: 1
> Date: Thu, 16 Dec 2004 20:31:05 +0800
> From: Ganbold <ganbold@micom.mng.net>
> Subject: Strange command histories in hacked shell server

Just a minor comment on one portion of your message.  

[All deleted except the pertinent part - wjv]

> Machine is configured in such way that everyone can create an account itself.
> Some user dir permissions:
> ...
> drwxr-xr-x  2 root       wheel         512 Mar 29  2004 new
> drwx------  3 tamiraad   unix          512 Apr  9  2004 tamiraad
> drwxr-xr-x  6 tsgan      tsgan        1024 Dec 16 17:51 tsgan
> drwx------  4 tugstugi   unix          512 Dec 13 20:34 tugstugi
> drwxr-xr-x  5 unix       unix          512 Dec 13 12:37 unix
> ...
> User should log on as new with password new to create an account.

> Accounting is enabled and kern.securelevel is set to 2. Only one
> account 'tsgan' is in wheel group and only tsgan can become root
> using su.

I've asked others before and never got a real answer on the design
of 'su' which to my way of thinking has a security hole that should
be fixed.

su checks the EUID of the user to see if they are in 'wheel' to
enable them to su to root.  It would seem to me it should
use the UID.

In your case if the 'tsgan' account does not have a secure
password, and someone breaches the 'tsgan' account in any manner, such
as a SUID tsgan as I see it, then that user who cracked the 'tsgan'
account can su to root.

So in your case there is the possibility that someone else
su'ed to 'tsgan' and then su'ed to root.

Can anyone explain why su does not use the UID from the login
instead of the EUID?  It strikes me as a security hole, but I'm no
security expert so explanations either way would be welcomed.

Bill


-- 
Bill Vermillion - bv @ wjv . com
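An added illustration of the distinction Bill asks about, written for this archive page and not taken from the thread or from FreeBSD's su: the program below resolves an arbitrary uid through the passwd and group databases and tests wheel membership, and `wheel_check_passes()` lets the caller pick whether the real uid (the login identity) or the effective uid (whoever the process currently runs as) is the one examined. It assumes a group literally named `wheel` exists, as on FreeBSD; the membership policy itself is isolated in `is_wheel_member()` so it can be checked against constructed names without touching the live database.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure membership test (example code, not su's own): `user` is the account
 * name, `primary_gid` its login group, `wheel_gid` the gid of wheel, and
 * `members` the NULL-terminated name list of wheel (the shape of
 * struct group's gr_mem).  Membership holds either through the primary
 * group or through an explicit entry in the member list. */
int is_wheel_member(const char *user, gid_t primary_gid, gid_t wheel_gid,
                    const char *const *members)
{
    if (primary_gid == wheel_gid)
        return 1;
    for (; members != NULL && *members != NULL; members++)
        if (strcmp(*members, user) == 0)
            return 1;
    return 0;
}

/* Resolve a numeric uid through the live passwd/group databases and report
 * whether that identity is in the group named "wheel" (assumed to exist).
 * An unknown uid or a missing group yields "not a member" (fail closed). */
int uid_in_wheel(uid_t uid)
{
    struct passwd *pw = getpwuid(uid);
    struct group *gr = getgrnam("wheel");
    if (pw == NULL || gr == NULL)
        return 0;
    return is_wheel_member(pw->pw_name, pw->pw_gid, gr->gr_gid,
                           (const char *const *)gr->gr_mem);
}

/* Evaluate the wheel check under either policy from the mail:
 * use_effective == 0 examines the real uid (the login),
 * use_effective == 1 examines the effective uid (the current identity). */
int wheel_check_passes(uid_t real_uid, uid_t eff_uid, int use_effective)
{
    return uid_in_wheel(use_effective ? eff_uid : real_uid);
}

int main(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    printf("real uid %lu -> wheel check %s\n", (unsigned long)ruid,
           wheel_check_passes(ruid, euid, 0) ? "passes" : "fails");
    printf("effective uid %lu -> wheel check %s\n", (unsigned long)euid,
           wheel_check_passes(ruid, euid, 1) ? "passes" : "fails");
    return 0;
}
```

Run directly, both lines agree because the real and effective uids are the same; the two checks only diverge when the process runs with an effective uid different from the login uid, which is exactly the situation the mail describes. Keeping the lookups fail-closed matters too: a missing `wheel` group must never be read as "everyone qualifies".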


