From owner-freebsd-questions Thu Sep 19 04:33:57 1996 Return-Path: owner-questions Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id EAA04570 for questions-outgoing; Thu, 19 Sep 1996 04:33:57 -0700 (PDT) Received: from gatekeeper.barcode.co.il (gatekeeper.barcode.co.il [192.116.93.17]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id EAA04533 for ; Thu, 19 Sep 1996 04:33:51 -0700 (PDT) Received: (from nadav@localhost) by gatekeeper.barcode.co.il (8.7.5/8.6.12) id NAA00764; Thu, 19 Sep 1996 13:32:05 +0200 (IST) Date: Thu, 19 Sep 1996 13:32:05 +0200 (IST) From: Nadav Eiron To: Darius Moos cc: Benjamin Lewis , FreeBSD-questions Subject: Re: Quick Question In-Reply-To: <32412602.6D2@degnet.baynet.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-questions@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Thu, 19 Sep 1996, Darius Moos wrote: > Yes you are right ... BUT this security-hole only occures if you are a > lazy administrator (sorry, i do NOT want to say you are a lazy). > I would never ever execute files as root that belong to other users. > Doing so is really a security-hole. The administrator has always a > simple user-account to play around in the system. It would be my > fault when i'm executing unknown programms as root. When i could not > resist, i'd do it as the unprivileged user. > The other point is that IMHO adding "." to the end of the PATH-variable > is harmless. Assume i had a user who wrote a little programm that is > able to crash my system and names it "mv"; he saves it to his home- > directory and i as root are staying in his home-directory. Even when > i type "mv ..." the right thing would happen: "/bin/mv ..." would > be executed and NOT "/mv ...". > The other way, when "." is the first thing in the PATH, this would be > a security-hole introduced by the administrator. > Maybe i got something wrong ??? This has been discussed over and over... Assume that you mistype (well, I do alot, I guess everybody does that once in a while). Let us further assume you tend to write ls-l instead of ls -l sometime (I tend to do that). Now, if the devious user of yours will have a program called ls-l that does something harmful, and then does ls -l, you wouldn't even notice that something went wrong, and his program will be executed because there is nothing called ls-l in the "standard" path that comes before "." in PATH. Nadav > > Darius Moos. > > > Benjamin Lewis wrote: > > > > You wrote: > > > Please explain to me why this is a security-risk. I've always had > > > "." in my PATH. > > > > Just imagine this scenario: > > > > You are "root" and I am Mr. Evil Dude, a user on your system. > > > > I compile a shell, and hide it somewhere in my directories, naming it something > > that seems harmless, like "irc." > > > > Next, I write a little program that, when executed as root, changes the > > set-uid bit on my hidden shell. I name my little evil program "mroe" and have > > it return "mroe: Command not found." after doing its job. > > > > Now, I create a really interesting looking directory in /tmp. Something like > > /tmp/WaReZ would probably get your attention. I write a diatribe against > > people who pirate software, and name it "README." I stick my little evil > > program in /tmp/WaReZ, and wait for you to find the directory. > > > > You type "cd /tmp/WaReZ" and then "ls". You see the README file and the mroe > > file, but "mroe" doesn't mean anything to you. You decide to look at the > > README file to see what your crazy users are up to. Maybe I stick a whole > > bunch of different files in the directory to hide the "mroe" program better, > > all of them innocent seeming. > > > > If I'm lucky, and you have fumbling fingers, my little program gets executed > > and I suddenly have a suid root shell, which I use to have my way with your > > computer and network. You don't notice that anything weird has happened, > > read my README file, decide that I'm a bit strange but obviously I'm an > > upright fellow since I'm against software piracy and think nothing more of > > it. > > > > The moral of the story is that root should only execute programs in > > directories known to be controlled, unless he REALLY means to do otherwise. > > Therefore, root should not have "." in its path. > > > > Hope this helps, > > > > -Ben > > > > -- > > Benjamin Lewis - blewis@vet.purdue.edu > > -- > > > email: moos@degnet.baynet.de >