[126] in linux-security and linux-alert archive
Closing suid root holes
daemon@ATHENA.MIT.EDU (Thomas Koenig)
Sun Mar 12 19:28:00 1995
To: linux-security@tarsier.cv.nrao.edu (linux-security)
Date: Sun, 12 Mar 1995 21:46:41 +0100 (MET)
From: Thomas.Koenig@ciw.uni-karlsruhe.de (Thomas Koenig)
Reply-To: linux-security@tarsier.cv.nrao.edu
To partially solve the suid program problem, I've proposed, in the
past, an additional flag for the file system, similar to the
immutable and read-only flags already found on EXT2FS.
Let's call it the 'system flag'.
It should have the following properties:
- Files with this flag cannot be removed, renamed, (hard)linked, or unlinked.
- A file with this flag can only be opened for writing if the O_SYSTEM flag is supplied to open().
- An open() for a file without the system flag set fails if O_SYSTEM is present for opening.
Let's suppose, then, that /etc/passwd has this flag set. A cracker who
has found yet another suid program bug in a utility like sendmail could
not open /etc/passwd for writing, because sendmail's author didn't put
O_SYSTEM into the open call.
This would close the door on a large portion of traditional UNIX
security holes.
The drawbacks would be some added complexity (you would need to teach
commands like useradd etc. about the flag, plus patch in an option for
your favourite editor), and you'd probably want a specialized 'cat'
utility to stick at the end of your pipes. Alternatively, you
could hack your favourite shell for this purpose.
To emphasize: This proposal will not help if an attacker already has
gained root permissions on your system. It will, however, keep him
from using suid utilities to manipulate the system database.
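The three rules above, written out as a small user-space model of the permission check a kernel would apply. This is an added illustration, not the author's patch; the inode flag bit, the O_SYSTEM value and the function names are all hypothetical.

```c
/* Model of the proposed 'system flag' and O_SYSTEM open() semantics.
 * Added example; not Thomas Koenig's patch. All constants are hypothetical. */
#include <stdio.h>

#define IFLAG_SYSTEM 0x1  /* hypothetical ext2 inode flag, alongside immutable */
#define ACC_READ     0x1  /* open() access mode: read */
#define ACC_WRITE    0x2  /* open() access mode: write */
#define O_SYSTEM     0x4  /* hypothetical open() flag from the proposal */

struct inode { const char *name; unsigned iflags; };

enum { ALLOW = 0, DENY = -1 };

/* Rules 2 and 3: opening a system file for writing needs O_SYSTEM,
 * and O_SYSTEM on a file that lacks the flag is itself an error. */
int may_open(const struct inode *ino, unsigned oflags)
{
    int is_system   = (ino->iflags & IFLAG_SYSTEM) != 0;
    int want_system = (oflags & O_SYSTEM) != 0;

    if (want_system && !is_system)
        return DENY;                      /* rule 3 */
    if (is_system && (oflags & ACC_WRITE) && !want_system)
        return DENY;                      /* rule 2 */
    return ALLOW;                         /* reads stay unrestricted */
}

/* Rule 1: a system file can't be unlinked, renamed or hard-linked. */
int may_unlink_rename_link(const struct inode *ino)
{
    return (ino->iflags & IFLAG_SYSTEM) ? DENY : ALLOW;
}

/* The scenario from the post: code running as root through a buggy
 * suid utility opens /etc/passwd for writing without O_SYSTEM. */
int passwd_write_without_o_system(void)
{
    struct inode passwd = { "/etc/passwd", IFLAG_SYSTEM };
    return may_open(&passwd, ACC_WRITE);  /* DENY: the exploit gets EPERM */
}

int main(void)
{
    struct inode passwd = { "/etc/passwd", IFLAG_SYSTEM };
    printf("suid exploit write:   %s\n", passwd_write_without_o_system() == DENY ? "denied" : "allowed");
    printf("useradd with O_SYSTEM: %s\n", may_open(&passwd, ACC_WRITE | O_SYSTEM) == ALLOW ? "allowed" : "denied");
    printf("rm /etc/passwd:       %s\n", may_unlink_rename_link(&passwd) == DENY ? "denied" : "allowed");
    return 0;
}
```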
This would be trivial enough to do (and I've already done it, once;
the patches don't work any more, but are easy enough to redo).
Comments?