[net.micro.att] Sa package posted to net.sources and at security hole

richmon@astrovax.UUCP (Michael Richmond) (08/29/85)

The accounting package I advertised a while back has been posted to
net.sources. Have fun with it, and let me know if I screwed up again.

There is a security problem with the at command I posted earlier:
because the atrun program gets the uid and gid it should set things
to from the file in /usr/spool/at, a user can use 'chown' to make
a file he submitted be owned by anyone (i.e. root) and so executed
with that uid! Obviously, this is not desirable if there are any
untrustworthy types who would be using the system. One fix is to
make the directory /usr/spool/at unwritable, so that people can't
change files once they are submitted, but this is annoying if
you discover that you already did a long job and want to stop the
one you just submitted. I am working on a version that will check
the integrity of each command file in /usr/spool/at via a private
little file with some stuff in it BEFORE running anything, but
it strikes me to be a hack. Still, I'll repost the whole thing
when I'm done. The real problem is System V's 'chown' command
(so those systems without it, ignore all this); can anyone think
of some cleaner way?

-- 
Michael Richmond			Princeton University, Astrophysics

{allegra,akgua,burl,cbosgd,decvax,ihnp4,noao,princeton,vax135}!astrovax!richmon

guy@sun.uucp (Guy Harris) (08/31/85)

> There is a security problem with the at command I posted earlier:
> because the atrun program gets the uid and gid it should set things
> to from the file in /usr/spool/at, a user can use 'chown' to make
> a file he submitted be owned by anyone (i.e. root) and so executed
> with that uid!... The real problem is System V's 'chown' command
> (so those systems without it, ignore all this); can anyone think
> of some cleaner way?

"chown" system call, not command, actually.  Yes, there is a cleaner
solution, which is used by the System V "at" command (yes, it has one, but
if the PC 7300 doesn't have it I have no idea why; things like "cron" and
"at" are useful even on single-user machines).  Have "at" turn the set-UID
bit on for all scripts, and have "atrun" require that bit to be on.
"chown"s not done by the super-user cause the set-UID bit to be turned off
(obviously).

	Guy Harris