Date: Thu, 20 Jun 2002 08:00:14 -0700 (PDT) From: Ceri Davies <setantae@submonkey.net> To: freebsd-bugs@FreeBSD.org Subject: Re: bin/39573: uid 0 check in install.sh in 4.6-disc1.iso can be circumvented Message-ID: <200206201500.g5KF0E498350@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR bin/39573; it has been noted by GNATS.
From: Ceri Davies <setantae@submonkey.net>
To: Vasil Dimov <vd@etrade.bg>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/39573: uid 0 check in install.sh in 4.6-disc1.iso can be circumvented
Date: Thu, 20 Jun 2002 15:57:06 +0100
On Thu, Jun 20, 2002 at 07:00:36AM -0700, Vasil Dimov wrote:
> all the scripts named install.sh in the 4.6-disc1.iso
> MD5 (4.6-disc1.iso) = 99666e6f33820af3b060734203202e35
> use the same check to ensure the caller is uid 0:
>
> if [ "`id -u`" != "0" ]; then
> echo "Sorry, this must be done as root."
> exit 1
> fi
>
> which can be easily passed by nonuid0 users, probably
> causing "Permission denied" in the following commands.
>
> $ echo "echo 0" > ~/bin/id
> $ chmod 700 ~/bin/id
> $ export PATH=~/bin:$PATH
>
> $ ./bin/install.sh
> You are about to extract the base distribution into / - are you SURE
> you want to do this over your installed system (y/n)? n
If you really want to go to all that trouble to circumvent the id check
then you deserve all you get.
Note that there's nothing to prevent a normal user running the "meat" of
install.sh on their own anyway :
cat bin.?? | tar --unlink -xpzf - -C ${DESTDIR:-/}
but it won't get them far.
In short, the id check isn't intended as a security measure, it's just a
polite reminder that you're about to waste your time if you aren't already
root.
Ceri
--
you can't see when light's so strong
you can't see when light is gone
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200206201500.g5KF0E498350>