tchrist@convex.COM (Tom Christiansen) (02/20/91)
From the keyboard of rbj@uunet.UU.NET (Root Boy Jim):
:The mknod bug has been fixed....

Speaking of which I wonder when they'll get around to fixing or disabling suid scripts. Anybody have the very latest release of SunOS and able to verify whether the bug's still there?

--tom
--
Tom Christiansen tchrist@convex.com convex!tchrist
"All things are possible, but not all expedient." (in life, UNIX, and perl)
guy@auspex.auspex.com (Guy Harris) (02/21/91)
>Speaking of which I wonder when they'll get around to fixing or disabling
>suid scripts. Anybody have the very latest release of SunOS and able to
>verify whether the bug's still there?

SunOS 4.1 still allows set-UID shell scripts, and doesn't close the *current* most-infamous security hole. Unfortunately, I don't think its existence is documented; were it documented, I wouldn't see any need to disable suid scripts, as I suspect most users can somehow summon enough self-discipline not to use set-UID shell scripts, even if their system allows them, if the security risk is greater than the benefits.

S5R4 should close the *particular* hole mentioned above by using "/dev/fd/N" (although there may well be others lurking), so SunOS/S5R4 should as well.
rbj@uunet.UU.NET (Root Boy Jim) (02/21/91)
In article <1991Feb20.004811.28521@convex.com> tchrist@convex.COM (Tom Christiansen) writes:
>From the keyboard of rbj@uunet.UU.NET (Root Boy Jim):
>:The mknod bug has been fixed....
>
>Speaking of which I wonder when they'll get around to fixing or disabling
>suid scripts. Anybody have the very latest release of SunOS and able to
>verify whether the bug's still there?

Isn't perl supposed to figure this out and complain if it hasn't been disabled? Don't y'all have any Suns? :-)

BTW, what are the chances of hitting the window on the suid scripts? By that I mean, suppose I have the perfect program to exploit it, which I've just compiled on a system where a suid script and the perfect conditions to exploit it exist. Isn't it true that (1) I have only a very small chance of winning, and (2) I only get one shot?

Has anyone done any real measurements? Has anyone actually successfully exploited this bug (of course I mean under test conditions, on your own machine, where you have root access anyway), or do we all just parrot this mantra: suid scripts are insecure.

--
[rbj@uunet 1] stty sane
unknown mode: sane
thorinn@diku.dk (Lars Henrik Mathiesen) (02/22/91)
rbj@uunet.UU.NET (Root Boy Jim) writes:
>BTW, what are the chances of hitting the window on the suid scripts?
>By that I mean, suppose I have the perfect program to exploit it,
>which I've just compiled on a system where a suid script and the
>perfect conditions to exploit it exist. Isn't it true that
>(1) I have only a very small chance of winning, and
>(2) I only get one shot?

(1) You can load the dice (widen the hole) arbitrarily, or at least up to a user resource limit.

(2) If you miss the hole on one side, no one need ever know.

I tried it once, with the simplest implementation I could make (loaded against hitting the window compared to the environment where an attack would probably happen). It didn't work on an unloaded machine, but a light load made it go through about once every seven or ten tries. Proper implementation would make it almost certain, I think.

--
Lars Mathiesen, DIKU, U of Copenhagen, Denmark [uunet!]mcsun!diku!thorinn
Institute of Datalogy -- we're scientists, not engineers. thorinn@diku.dk
guy@auspex.auspex.com (Guy Harris) (02/22/91)
>BTW, what are the chances of hitting the window on the suid scripts?

Pretty good.

>By that I mean, suppose I have the perfect program to exploit it,
>which I've just compiled on a system where a suid script and the
>perfect conditions to exploit it exist. Isn't it true that
>(1) I have only a very small chance of winning,

No. The program I saw got in the window every time I tried it. It's a question of when parent and child processes run; I forget whether it's *guaranteed* to succeed on most UNIX implementations, or just extremely *likely* to succeed.

>Has anyone actually successfully exploited this bug (of course I mean
>under test conditions, on your own machine, where you have root access anyway),

Yes.
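The "window" the posters above are arguing about, and the "/dev/fd/N" fix Guy Harris mentions, both come down to one thing: after the kernel has opened the script and acted on its "#!" line, the interpreter goes back and opens the script's path name a second time, and anything the path points to *at that moment* is what gets run. The C program below is an added example, not code from this thread nor from any SunOS or S5R4 source. Rather than trying to win the real race, it performs the attacker's symlink swap deterministically between the two opens, so no set-UID bit, fork or timing is involved; the file names, script bodies and temporary directory are all constructed for the example, and dup() of the kernel's descriptor stands in for what handing the interpreter /dev/fd/N achieves.

```c
/* Added example, not from the thread: the set-UID script hole as an
 * open-by-path vs. open-by-descriptor problem.  The attacker's symlink
 * swap is done deterministically between the two opens, so no set-UID
 * bit, fork or timing is involved.  Names and script bodies are made up. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define TRUSTED_BODY "#!/bin/sh\necho trusted\n"   /* the set-UID script */
#define EVIL_BODY    "#!/bin/sh\necho evil\n"      /* attacker's script */

static int write_file(const char *path, const char *body)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    ssize_t want = (ssize_t)strlen(body), got = -1;
    if (fd < 0)
        return -1;
    got = write(fd, body, (size_t)want);
    close(fd);
    return got == want ? 0 : -1;
}

/* Step 1: the kernel opens the path and reads the "#!" line (on a real
 *         system it has switched credentials by now).
 * Step 2: the attacker, inside that window, repoints the symlink.
 * Step 3: the interpreter fetches the script text, either by re-opening
 *         the path (what /bin/sh did) or from the descriptor the kernel
 *         already holds (what passing /dev/fd/N achieves).
 * The text the interpreter would run is copied into out.
 * Returns 0, or -1 on an environment error (temp dir not writable etc.). */
int simulate_exec(int reopen_by_path, char *out, size_t outlen)
{
    const char *tmp = getenv("TMPDIR");
    char dir[256], trusted[512], evil[512], lnk[512], shebang[2];
    int rc = -1, kfd = -1, ifd = -1;
    ssize_t n;

    if (!tmp || !*tmp)
        tmp = "/tmp";
    snprintf(dir, sizeof dir, "%s/suidrace.XXXXXX", tmp);
    if (!mkdtemp(dir))
        return -1;
    snprintf(trusted, sizeof trusted, "%s/trusted.sh", dir);
    snprintf(evil, sizeof evil, "%s/evil.sh", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);

    if (write_file(trusted, TRUSTED_BODY) || write_file(evil, EVIL_BODY))
        goto done;
    if (symlink(trusted, lnk))           /* link -> set-UID script */
        goto done;

    kfd = open(lnk, O_RDONLY);           /* step 1: kernel's open */
    if (kfd < 0 || read(kfd, shebang, 2) != 2 || memcmp(shebang, "#!", 2))
        goto done;

    if (unlink(lnk) || symlink(evil, lnk))   /* step 2: attacker's swap */
        goto done;

    if (reopen_by_path)                  /* step 3: interpreter's open */
        ifd = open(lnk, O_RDONLY);       /* follows the *new* symlink */
    else
        ifd = dup(kfd);                  /* same open file as the kernel's */
    if (ifd < 0 || lseek(ifd, 0, SEEK_SET) < 0)
        goto done;
    n = read(ifd, out, outlen - 1);
    if (n < 0)
        goto done;
    out[n] = '\0';
    rc = 0;
done:
    if (ifd >= 0) close(ifd);
    if (kfd >= 0) close(kfd);
    unlink(lnk); unlink(trusted); unlink(evil); rmdir(dir);
    return rc;
}

int main(void)
{
    char buf[128];
    if (simulate_exec(1, buf, sizeof buf) == 0)
        printf("interpreter re-opens by path, runs:\n%s", buf);
    if (simulate_exec(0, buf, sizeof buf) == 0)
        printf("interpreter reads the kernel's fd, runs:\n%s", buf);
    return 0;
}
```

With the path re-opened, the interpreter ends up with the attacker's body; reading from the descriptor the kernel already holds, it gets the trusted script no matter where the link now points, which is the *particular* hole the /dev/fd/N approach closes. Because the swap here is scripted rather than raced, the program says nothing about how often a real attacker wins on a given kernel, which is the question the last three posts leave open.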