[665] in linux-security and linux-alert archive
Re: [linux-security] sliplogin hole explanation
daemon@ATHENA.MIT.EDU (Yury Shevchuk)
Sun Apr 7 01:32:26 1996
Date: Sun, 7 Apr 96 09:13 +0400
To: Peter Orbaek <poe@theory.lcs.mit.edu>
Cc: linux-security@tarsier.cv.nrao.edu, util-linux@math.uio.no
In-Reply-To: <199604061839.AA03871@ostrich.lcs.mit.edu>;
from Peter Orbaek at Sat, 06 Apr 96 13:39:26 EST
From: sizif@botik.ru (Yury Shevchuk)
In message <199604061839.AA03871@ostrich.lcs.mit.edu> Peter Orbaek
writes:
>This last paragraph indicates to me that you are changing one program
>(login) to fix a problem with another (bash). Why not fix bash instead so
>it won't use ENV for login shells or somesuch?
Yes, it's possible -- but to make a robust system this way you'll have
to fix possibly exploitable environment dependencies in every
interpreter on the system that can be used for login scripts: bash,
ash, ksh, csh (oh yes), I'm afraid even perl may be vulnerable via
PERLLIB... Also, once an interpreter is called, I can't see an easy
way to find out whether an interpreter is called from safe or unsafe
environment, so it's hard to tell if we should get suspicious on ENV,
IFS, and other environment variables or not.
On the other hand, /bin/login is a good place to fix because it is at
the junction and has all necessary info handy -- and after all,
login's duty is to let you in but leave your weapons out the door. :-)
> Or tell people that they
>should avoid bash for login scripts and should use something like
>perl with tainting turned on.
, or be cautious to use a wrapper around shell scripts to clean the
environment before calling shell. Yes, it's a solution too. But I
think that a "tell people" solution is always worse than to fix one
program and forget about the problem.
I also think that the whole hole is due to the fact that people
intuitively expect to wake up in safe environment when called from
login, and this expectation fails. So it's login that is wrong, and
it's login that should be fixed.
Regards,
-- Yury
> - Peter [please Cc: me if you discuss this on the security list,
> I'm not yet subscribed to that one]
> <poe@theory.lcs.mit.edu>
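The "wrapper around shell scripts to clean the environment" that the reply mentions, as an added example that is not part of the thread or of util-linux: a small exec wrapper that rebuilds the environment from an allow-list before starting an interpreter, so that ENV, BASH_ENV, IFS, PERLLIB and anything else not on the list never reaches the script. The function names (build_safe_env, env_has), the allow-list and the fixed PATH value are this example's own choices, not anything from the thread.

```c
/* Added example, not code from the thread: an environment-cleaning exec
 * wrapper. Only allow-listed variables are inherited; PATH is set by the
 * wrapper itself. All names here are this example's own assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Variables a login-time script is allowed to inherit from the caller. */
static const char *const ALLOWED[] = { "HOME", "USER", "LOGNAME", "TERM", "SHELL", NULL };

/* Set by the wrapper, overriding whatever PATH the caller had. */
#define SAFE_PATH "PATH=/usr/bin:/bin"

/* Returns 1 if the NAME=value entry `kv` has a name on the allow-list. */
static int is_allowed(const char *kv)
{
    const char *eq = strchr(kv, '=');
    if (eq == NULL)
        return 0;                      /* malformed entry: drop it */
    size_t n = (size_t)(eq - kv);
    for (int i = 0; ALLOWED[i] != NULL; i++)
        if (strlen(ALLOWED[i]) == n && strncmp(ALLOWED[i], kv, n) == 0)
            return 1;
    return 0;
}

/* Copy allow-listed entries of `in` into `out`, then append SAFE_PATH and a
 * terminating NULL. Returns the number of entries written (excluding the
 * NULL), or -1 if `outcap` is too small. ENV, BASH_ENV, IFS, PERLLIB and
 * every other unlisted variable simply never make it through. */
int build_safe_env(char *const *in, char **out, size_t outcap)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != NULL; i++) {
        if (!is_allowed(in[i]))
            continue;
        if (n + 2 >= outcap)           /* keep room for PATH and the NULL */
            return -1;
        out[n++] = in[i];
    }
    if (n + 2 > outcap)
        return -1;
    out[n++] = (char *)SAFE_PATH;
    out[n] = NULL;
    return (int)n;
}

/* Does the built environment contain an entry named `name`? */
int env_has(char *const *env, const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return 1;
    return 0;
}

extern char **environ;

/* Usage: safe-exec /path/to/script [args...] */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s script [args...]\n", argv[0]);
        return 2;
    }
    char *clean[64];
    if (build_safe_env(environ, clean, sizeof clean / sizeof clean[0]) < 0) {
        fprintf(stderr, "environment too large\n");
        return 1;
    }
    execve(argv[1], argv + 1, clean);  /* only returns on failure */
    perror("execve");
    return 1;
}
```

The allow-list shape matters more than the particular names: because the wrapper copies only what it recognises, a new interpreter-specific variable is dropped by default rather than having to be discovered and blacklisted one interpreter at a time, which is the maintenance problem the reply raises about fixing bash, ash, ksh, csh and perl separately.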