[1533] in linux-security and linux-alert archive
[linux-security] Re: Re: Re: Re: Yet Another DIP Exploit?
daemon@ATHENA.MIT.EDU (Uri Blumenthal)
Tue May 6 05:45:37 1997
From: Uri Blumenthal <uri@watson.ibm.com>
To: linux-security@redhat.com
Date: Mon, 5 May 1997 22:58:30 -0400 (EDT)
In-Reply-To: <Pine.LNX.3.95.970504120105.8694D-100000@sarah.djmix.com> from "Mouring Cat" at May 4, 97 12:06:02 pm
Reply-To: uri@watson.ibm.com
Resent-From: linux-security@redhat.com
Mouring Cat says:
> > This program *must* run set-uid root. The measures *were* taken to
> > prevent several exploits.
>
> I guess they were not enough.
Let's not go down this way. If you wish, please pick up the
maintenance of DIP and do a beter job fixing bugs/adding
features. [Too many critics, too few helpers - typical.]
> RedHat does not turn the setuid bit on dip for the fact that not everyone
> is running dip as a dialin. I only know of *ONE* ISP that is using
> dip or some such software to do PPP logins.
Oh? So you are an expert on ISPs and DIP usage? How nice...
> Thus, if 99.9% of the population is using dip for dialout..Why setuid
> it? The .1% are fokes that know what they are doing and they can figure
> out to setuid it.
99.9%? Come on.
> I'm sorry I read this mail. =( I assume that you and others within the
> Linux world are a bit more forgiving and explain why things are setuid.
> Remember this ain't microsoft. Lot of us don't follow blindly.
If people ask "why that is such and such?" - it can be answered, and
more often than not - politely. If people say "Hey, cretino, there's
silly bug and you should do this" - don't expect a nice response.
Not from me.
> Besides adding route why is dip setuid?
To set line discipline and configure the net device. And to access
tty's that are not "rw-rw-rw-".
[mod: And I consider this last thing "a bug". Permissions are to be
respected. If you write setuid programs that simply allow people to
override permission checks, security conscious sites will get pissed
at you pretty quickly.
Uri, we're not trying to force something down your throat for nothing.
Some people find it a bad idea that random people can muck with the
routing table. Some people find it a bad idea to allow non-root users
to access ttys that they don't have access to. A program that is
set-uid is supposed to take part of the permissions check out of the
kernel. Changing routes is something that the kernel considers
priviliged. However in some cases it might be quite acceptable for a
normal user to change a simple route. In that case you can write a
setuid program that performs the checks to make sure that people
cannot change "important" routes. This is a responsibility, which
shouldn't be taken lightly. The same goes for ttys. If you want to
allow people to access ttys that they normally didn't have access to,
you should make sure that "the proper authorities" know about it and
consent with it. Having a config file (somewhere where only root is
supposed to be messing around) that says anybody can mess around with
/dev/ttyS2 is fine. Simply allowing everybody to do this is not
acceptable for some sites. -- REW]
--
Regards,
Uri uri@watson.ibm.com
-=-=-=-=-=-=-
<Disclaimer>