H_Eidnes%vax.runit.unit.uninett@TOR.NTA.NO (Håvard Eidnes) (10/18/87)

As quoted from <7525@steinmetz.steinmetz.UUCP> by stpeters@dawn.steinmetz:
+---------------
| There is an *enormous* hole that is totally independent of the script
| contents. Show me a suid script, and I can be running as uid 0 in 10
| seconds. (BSD and derivatives at least, but I believe others as well.)
+---------------

Would some kind soul please enlighten me as to the size of this hole?
More specifically, what does the hole "consist of"? I.e. what would you
do in your 10 seconds? What part of the kernel is responsible for this
hole?

I personally don't want to use this information to break in, but to be
aware of the size of the hole, be able to try it out on the system(s) I
administrate (to verify that the hole is there also), and (depending on
the outcome of the previous step) stop having suid shell scripts lying
around. Of course you have no way of verifying this.

I personally think such security holes should be well-known so that
system administrators can be aware of them, and take appropriate
precautions (in this case: don't install suid shell scripts). I know a
lot of people think otherwise, but please don't start this discussion.

On a similar point: is there a similar security hole connected with
setgid shell scripts (on BSD systems)?

-------
E-Mail: <h_eidnes%vax.runit.unit.uninett@tor.nta.no> (or @nta-vax.arpa)
Håvard Eidnes (or TeXish: H\aa vard Eidnes)
Division of Computer Science, Norwegian Institute of Technology
bostic@ucbvax.BERKELEY.EDU (Keith Bostic) (10/19/87)

In article <9839@brl-adm.ARPA>, H_Eidnes%vax.runit.unit.uninett@TOR.NTA.NO (Håvard Eidnes) writes:
> As quoted from <7525@steinmetz.steinmetz.UUCP> by stpeters@dawn.steinmetz:
> +---------------
> | There is an *enormous* hole that is totally independent of the script
> | contents. Show me a suid script, and I can be running as uid 0 in 10
> | seconds. (BSD and derivatives at least, but I believe others as well.)
> +---------------
>
> Would some kind soul please enlighten me as to the size of this hole?
> More specifically, what does the hole "consist of"? I.e. what would you
> do in your 10 seconds? What part of the kernel is responsible for this
> hole?

I believe there to be security problems associated with setuid shell
scripts in every version of UNIX that provides them. If you want a
secure system, do not allow users to have setuid shell scripts. As far
as I know, all of these problems allow the breaker the uid of the shell
script -- the above claim that any setuid shell script results in root
privileges is new to me. Now, can this discussion go away?

> I personally think such security holes should be well-known so that
> system administrators can be aware of them, and take appropriate
> precautions (in this case: don't install suid shell scripts). I know a
> lot of people think otherwise, but please don't start this discussion.

The rules should be that you document the existence of the hole, and
you document any fixes that are applicable. Just *never* post how to
use the hole. (And you try to disguise the fix.)

--keith
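An audit for the precaution both posts above recommend (no setuid or setgid shell scripts on the system), added here as an example and not code from either poster: it walks a directory tree and reports files that carry the setuid or setgid bit and start with the "#!" interpreter magic, which is what distinguishes a privileged script from a privileged compiled binary. The function names and the constructed demo tree are this example's own.

```shell
#!/bin/sh
# Audit helper (added example, not from the original thread).
# find_suid_scripts DIR prints every regular file under DIR that has the
# setuid or setgid bit set AND whose first two bytes are "#!", i.e. an
# interpreter script the kernel would start with elevated privileges.
find_suid_scripts() {
    dir=$1
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set.
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # Scripts are recognised by the "#!" magic; privileged compiled
        # binaries are a separate inventory and are skipped here.
        if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed demonstration tree so the example runs offline:
# two privileged scripts (one setuid, one setgid), one unprivileged script,
# and one setuid file with a fake binary header that must NOT be reported.
make_demo_tree() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho hello\n' > "$d/suid.sh";  chmod 4755 "$d/suid.sh"
    printf '#!/bin/sh\necho hello\n' > "$d/sgid.sh";  chmod 2755 "$d/sgid.sh"
    printf '#!/bin/sh\necho hello\n' > "$d/plain.sh"; chmod 0755 "$d/plain.sh"
    printf '\177ELF fake binary\n' > "$d/suid.bin";   chmod 4755 "$d/suid.bin"
    printf '%s\n' "$d"
}

# Number of privileged scripts found under DIR (leading spaces stripped
# because some wc implementations pad the count).
count_suid_scripts() {
    find_suid_scripts "$1" | wc -l | tr -d ' '
}
```

Run `find_suid_scripts /` as root for a real inventory; anything it prints is a candidate for removal or replacement with a compiled wrapper.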
daveb@geac.UUCP (10/23/87)

In article <21343@ucbvax.BERKELEY.EDU> bostic@ucbvax.BERKELEY.EDU (Keith Bostic) writes:
>The rules should be that you document the existence of the hole, and you
>document any fixes that are applicable. Just *never* post how to use the
>hole. (And you try to disguise the fix.)

There is also a security mailgroup which your system administrator can
join, at hao!isis!sec-request. Well, probably can join... I'm still
waiting ((:-)).

--dave
--
David Collier-Brown.                  {mnetor|yetti|utgpu}!geac!daveb
Geac Computers International Inc.,    | Computer Science loses its
350 Steelcase Road, Markham, Ontario, | memory (if not its mind)
CANADA, L3R 1B3 (416) 475-0525 x3279  | every 6 months.