JRowe@exua.exeter.ac.uk (John Rowe) (05/14/91)
I'm sure (I hope!) a lot of people will post to this but IT IS VITAL so please read:

In article <7513@awdprime.UUCP> dcm@codesmith.austin.ibm.com (Craig Miller) writes:

In article <9357.282caa94@jetson.uh.edu> elee4fg@jetson.uh.edu writes:
> >1) csh does not support suid. If your csh suid scripts file has this
> #!/bin/csh
> It won't work.
> You need to do this in ksh

Craig>> I believe this is not an AIXism but is a BSDism. The BSD4.3
Craig>> csh source I have access to does not support suid either. This
Craig>> is documented, I believe.

suid shell scripts are a well known security NIGHTMARE. It is VERY VERY simple to use one of these to gain TOTAL root access.

I TRIED WITH KSH UNDER AIX 3.1 (no revs) AND IT WORKED. I, as an ordinary user, became root to do anything I liked. So please, warn everyone you know never to allow suid shell scripts. This problem has been common knowledge for a long time but vendors are only now starting to worry about it. Of course it *may* have been fixed in later releases :-)

You can look for suid programs with:

    find / -type f \( -perm -2000 -o -perm -4000 \) -print

To find out if they are compiled programs or shell scripts try:

    find / -type f \( -perm -2000 -o -perm -4000 \) -exec file {} \;

put the output into a file and look for 'commands', 'shell', 'text', etc.

Sorry to come on so strong - what worries me is that Craig is from IBM at Austin...

John Rowe
Exeter University Computational Physics Group
Exeter
UK
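The audit Rowe describes, carried through as an added example in POSIX sh (this is not code from any poster in the thread): it lists set-UID/set-GID regular files and flags the ones that are interpreter scripts by checking for a `#!` header instead of grepping the wording of file(1). The sample tree it builds is constructed for the demonstration; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit a tree for set-UID/set-GID
# regular files and flag those that are interpreter scripts. Uses only
# POSIX sh, find, dd and head, so it does not depend on file(1) wording.

# is_script FILE: succeed if FILE starts with "#!", i.e. exec() would hand
# it to an interpreter instead of loading it as a native binary.
is_script() {
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = '#!' ]
}

# list_setid ROOT: regular files under ROOT with the set-UID (4000) or
# set-GID (2000) bit. The -perm tests must be grouped: without the
# parentheses -print binds only to the -perm -2000 branch. -xdev stays on
# one filesystem, so run it once per mounted filesystem.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# setid_scripts ROOT: set-ID files that are scripts, printed as
# "<path><TAB><shebang line>" so the interpreter is visible at a glance.
setid_scripts() {
    list_setid "$1" | while IFS= read -r f; do
        if is_script "$f"; then
            printf '%s\t%s\n' "$f" "$(head -n 1 "$f")"
        fi
    done
}

# count_setid_scripts ROOT: number of set-ID scripts under ROOT.
count_setid_scripts() {
    setid_scripts "$1" | wc -l | tr -d ' '
}

# make_demo_tree: constructed sample tree (not a real system): one set-UID
# ksh script, one ordinary script, one set-GID fake binary. Prints its path.
make_demo_tree() {
    d=$(mktemp -d)
    printf '#!/bin/ksh\necho hello\n' > "$d/setid.ksh"; chmod 4755 "$d/setid.ksh"
    printf '#!/bin/sh\necho hello\n'  > "$d/plain.sh";  chmod 0755 "$d/plain.sh"
    printf '\177ELF'                  > "$d/fakebin";   chmod 2755 "$d/fakebin"
    printf '%s\n' "$d"
}

# Stand-alone run against the constructed tree.
demo=$(make_demo_tree)
echo "set-ID files:";   list_setid "$demo"
echo "set-ID scripts:"; setid_scripts "$demo"
rm -rf "$demo"
```

Run it as root against `/` (once per filesystem) to reproduce Rowe's check; every line from `setid_scripts` names a script whose interpreter, not a compiled binary, runs with the file owner's privileges.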
dcm@plato.austin.ibm.com (05/22/91)
In article <JROWE.91May14173008@exua.exua.exeter.ac.uk> JRowe@exua.exeter.ac.uk (John Rowe) writes:
>
> In article <9357.282caa94@jetson.uh.edu> elee4fg@jetson.uh.edu writes:
>
> > >1) csh does not support suid. If your csh suid scripts file has this
> > #!/bin/csh
> > It won't work.
> > You need to do this in ksh
>
>Craig>> I believe this is not an AIXism but is a BSDism. The BSD4.3
>Craig>> csh source I have access to does not support suid either. This
>Craig>> is documented, I believe.
>
>suid shell scripts are a well known security NIGHTMARE. It is VERY VERY
>simple to use one of these to gain TOTAL root access.

How is this relevant to the csh discussion? All I was saying was "by default, csh disallows suid scripts". I think you can override that with '-b' (or something). Who cares about csh anyway? :-)

Oh, BTW, yes, I know that "suid shell scripts are a well known security NIGHTMARE". That's been a fact ever since BSD introduced an exec system call that could handle shell scripts. That was a long long time ago.

> I TRIED WITH KSH UNDER AIX 3.1 (no revs) AND IT WORKED.

Yep. Aix3.1's exec() supports scripts. Suid will probably work for any script (besides csh I guess). Heck, you can even write a suid awk script.

> I, as an ordinary user, became root to do anything I liked. So
>please, warn every one you know never to allow suid shell scripts. This
>problem has been common knowledge for a long time but vendors are only
>now starting to worry about it.

(1) if you can become root by using a shipped script, then report it as a defect. (2) Yes, I admit shipped suid shell scripts are probably security holes. (3) However, I don't agree that the concept of allowing suid shell scripts is a bug.

If your system administrator messes up and writes a buggy suid script, it's his fault. If we mess up and ship buggy scripts, it's our fault (and we should be shot).

I've always argued that we should ship with suid scripts enabled, BUT document the possible security considerations extensively. And be sure NOT to ship security holes ourselves! Why ruin something useful for everyone by just "turning it off"? Sigh.

>Of course it *may* have been fixed in later releases :-)

I hope not (IMHO).

>Sorry to come on so strong - what worries me is that Craig is from IBM
>at Austin...

I don't see how this has any relevance either. Yep, I'm currently at IBM in Austin. I even work on The Change Team. Our charter is to fix customer-reported defects. IMHO, you haven't pointed any defects out.

(ob disclaimer: I do not represent IBM. Everything I say is strictly my own opinion.)

>John Rowe
>Exeter University Computational Physics Group
>Exeter
>UK
jfh@rpp386.cactus.org (John F Haugh II) (05/23/91)
In article <7835@awdprime.UUCP> dcm@plato.austin.ibm.com writes:
> (1) if you can become root by using a shipped script, then report
> it as a defect. (2) Yes, I admit shipped suid shell scripts are
> probably security holes. (3) However, I don't agree that the concept of
> allowing suid shell scripts is a bug.
>
> If your system administrator messes up and writes a buggy suid script,
> it's his fault. If we mess up and ship buggy scripts, it's our fault
> (and we should be shot).

The problem is that set-UID shell scripts cannot be written in a secure manner on AIX v3. I was the person that opened the original PTM to have them removed, and the only argument that was ever given to keep them in is that certain third party companies require set-UID shell scripts for their software. That means that your (1) above is occurring - someone is shipping set-UID scripts with their product. I assure you that (2) is certainly correct. (3) is correct - the =concept= is OK, it's the implementations that are evil. So far no one has come up with a good implementation of set-UID shell scripts. I have described to Kathy B. and other architects what is needed to secure the shell scripts, and have reviewed half a dozen or more equally buggy suggestions. The bottom line is that in order to have set-UID shell scripts, some drastic change in implementation is required.

DISCLAIMER: I don't speak for IBM, LCC, or any other third party. I speak for myself only.
-- 
John F. Haugh II        | Distribution to      | UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 255-8251 | GEnie PROHIBITED :-) | Domain: jfh@rpp386.cactus.org
"If liberals interpreted the 2nd Amendment the same way they interpret the
 rest of the Constitution, gun ownership would be mandatory."