[1089] in linux-security and linux-alert archive
Re: [linux-security] vulnerability in splitvt
daemon@ATHENA.MIT.EDU (Rob Hagopian)
Tue Aug 27 09:03:50 1996
In-Reply-To: <199608260132.VAA02026@shmooze.net>
Date: Mon, 26 Aug 1996 20:19:14 -0400
To: linux-security@tarsier.cv.nrao.edu
From: Rob Hagopian <hagopiar@vuser.vu.union.edu>
>There is a vulnerability in the program splitvt that bundles
>with linux slackware that allows any account on the system
>that can access a c compiler, get root.
>From the man page:
splitvt can be made set-uid root. splitvt will reset its
user id to that of the person running it, just before it
exec()'s the shell under the window. The splitvt process
remains with root permissions, and will change ownership
of the pseudo terminals to that of the person running
splitvt, and then reset it to root when the window is
closed.
SPLITVT IS NOT GUARANTEED TO BE A SAFE SET-UID PROGRAM!
I have done all I know to keep splitvt a safely usable
set-uid program, but I do not know everything, and am not
responsible for any security weaknesses splitvt might
possess.
I have changed our splitvt to a simple non-suid executable. This provides
almost no change in features as far as I can tell. The manual doesn't say
much about why it needs to be suid root, except for the following:
splitvt will attempt to erase the current utmp entry, and
replace it with entries for the two windows. This allows
you to use programs such as 'talk' within the splitvt
windows. If you do not have write permission to the
/etc/utmp file, you will not be able to modify the utmp
entries.
As someone mentioned, we should be wary of all suid programs. This seems
more so with packages like slackware where all sorts of programs can be
installed without the user's immediate knowledge (I didn't know we had
splitvt until I just now checked!).
Does anyone have a list of suid programs that are installed in
Redhat/Slackware? I may compile a list of ones I can find if no one has done
so already.
[REW: Adding write permission to /etc/utmp for everybody is a solution
that Sun tried. It is not secure. Having programs like splitvt and
xterm not being able to chown/chmod your pty's will not show in
the form of "reduced functionality" but in the form of "extra security
holes". In short you won't notice until someone exploits the new holes.]
-Rob Hagopian
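
One way to build the inventory of set-uid programs asked about in the message above, as an added example that is not part of the original post. The function names, the allowlist format (one absolute path per line, `#` comments) and the path in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: inventory set-uid files and flag the ones nobody has reviewed.
# Function names and the allowlist format are assumptions, not from the post.

# suid_files DIR [OWNER]
# Print the sorted paths of regular files under DIR that have the set-uid bit,
# optionally restricted to files owned by OWNER (e.g. root).
suid_files() {
    dir=$1
    owner=${2:-}
    if [ -n "$owner" ]; then
        # -xdev: stay on one filesystem; -perm -4000: set-uid bit is set
        find "$dir" -xdev -type f -perm -4000 -user "$owner" -print 2>/dev/null
    else
        find "$dir" -xdev -type f -perm -4000 -print 2>/dev/null
    fi | sort
}

# unreviewed_suid DIR ALLOWLIST [OWNER]
# Print set-uid files under DIR that are NOT listed in ALLOWLIST.
# Limitation: a '#' inside a path is treated as the start of a comment.
unreviewed_suid() {
    allow=$(mktemp) || return 1
    # Drop comments, trailing blanks and empty lines, then sort for comm(1).
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$2" | sort > "$allow"
    # comm -23 keeps lines that appear only in the first input (the scan).
    suid_files "$1" "${3:-}" | comm -23 - "$allow"
    rm -f "$allow"
}

# drop_suid FILE
# Clear the set-uid bit, as the poster did for splitvt. Check first what the
# program used the privilege for (here: utmp updates and pty ownership).
drop_suid() {
    chmod u-s "$1"
}

# Typical use (hypothetical allowlist path):
#   unreviewed_suid / /etc/suid.allow root
```

Running the scan again after each package install shows set-uid programs that arrived without the administrator noticing.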