[929] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

Re: Fwd: [linux-security] security idea

daemon@ATHENA.MIT.EDU (Speed Racer)
Thu Jul 18 21:23:02 1996

Date: Wed, 17 Jul 1996 18:21:54 -0400 (EDT)
From: Speed Racer <shagboy@dns.bluesky.net>
To: Cosimo Leipold <leipold+@andrew.cmu.edu>
cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Ylume_y00YUz0POG40@andrew.cmu.edu>

On Tue, 16 Jul 1996, Cosimo Leipold wrote:

>     True.... to some extent..but the bottom line remains that if the
> program is setuid 0 at any point and time, chances are some exploit will
> be created that works even if the period of time is only a fraction of a
> second. Even if it was not root at any time, a shell of setuid anything
> is one shell to many for me. Ideally something like /proc filesystems
> would be nice. 

"Chances are", if the program is coded right, there WON'T be any 
exploits.  I could do this:

/* disable input, catch all possible signals, etc. */
setuid(0);
sleep(60);
setuid(X);
/* re-enable the above */

Just because the program is running as root does NOT mean there is 
automatically some exploit in there somewhere.

>     A thought of my own...many systems have users which are known to be
> somewhat malicious or questionable. Therefore, one may wish to deny
> access to setuid programs to these users. Of course, this is completely
> pointless in respect to new users who you have little information about,

It's pointless anyway.  If I had any "malicious" users, I'd boot them 
soonest.

> This, like mentioned before, is useless for external attacks but for
> users on a system which seem to be potentially malicious, it might help.
> You could not do this on programs that every user needs (i.e. dont do it
> on passwd), but on some setuid programs that need uid 0, that general
> users could be granted access to, this is a nice way of eliminating some
> potential malintended users.

First, if the user is "malicious", why even bother letting him change his 
password?  Make him call you & have you change it by hand or something, 
or just outright deny him.  Or, better yet, get rid of the user.

Second, this whole idea implies that you're running some setuid program 
that DOES have some kind of security hole in it, and you just don't want 
the bad guys to find it.  From experience, I can tell you this - they'll 
find it anyway, and by denying them access to the program you're lulling 
yourself into a false sense of security.

It also doesn't protect against the boneheads who manage to stumble upon 
these holes accidentally, and not only break things but break them with 
great idiocy.  The worst catastrophes I've seen have resulted not from 
hackers, but from people who didn't know what they were doing at all.

shag

Judd Bourgeois   shagboy@bluesky.net
  Finger for PGP public key
There's a lost man with a bitter soul
For only a moment did life make him whole
And while he was, he thought he was invincible...
  Matthew Sweet, "Smog Moon"

home help back first fref pref prev next nref lref last post