[929] in linux-security and linux-alert archive
Re: Fwd: [linux-security] security idea
daemon@ATHENA.MIT.EDU (Speed Racer)
Thu Jul 18 21:23:02 1996
Date: Wed, 17 Jul 1996 18:21:54 -0400 (EDT)
From: Speed Racer <shagboy@dns.bluesky.net>
To: Cosimo Leipold <leipold+@andrew.cmu.edu>
cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Ylume_y00YUz0POG40@andrew.cmu.edu>
On Tue, 16 Jul 1996, Cosimo Leipold wrote:
> True.... to some extent..but the bottom line remains that if the
> program is setuid 0 at any point and time, chances are some exploit will
> be created that works even if the period of time is only a fraction of a
> second. Even if it was not root at any time, a shell of setuid anything
> is one shell to many for me. Ideally something like /proc filesystems
> would be nice.
"Chances are", if the program is coded right, there WON'T be any
exploits. I could do this:
/* disable input, catch all possible signals, etc. */
setuid(0);
sleep(60);
setuid(X);
/* re-enable the above */
Just because the program is running as root does NOT mean there is
automatically some exploit in there somewhere.
> A thought of my own...many systems have users which are known to be
> somewhat malicious or questionable. Therefore, one may wish to deny
> access to setuid programs to these users. Of course, this is completely
> pointless in respect to new users who you have little information about,
It's pointless anyway. If I had any "malicious" users, I'd boot them
soonest.
> This, like mentioned before, is useless for external attacks but for
> users on a system which seem to be potentially malicious, it might help.
> You could not do this on programs that every user needs (i.e. dont do it
> on passwd), but on some setuid programs that need uid 0, that general
> users could be granted access to, this is a nice way of eliminating some
> potential malintended users.
First, if the user is "malicious", why even bother letting him change his
password? Make him call you & have you change it by hand or something,
or just outright deny him. Or, better yet, get rid of the user.
Second, this whole idea implies that you're running some setuid program
that DOES have some kind of security hole in it, and you just don't want
the bad guys to find it. From experience, I can tell you this - they'll
find it anyway, and by denying them access to the program you're lulling
yourself into a false sense of security.
It also doesn't protect against the boneheads who manage to stumble upon
these holes accidentally, and not only break things but break them with
great idiocy. The worst catastrophes I've seen have resulted not from
hackers, but from people who didn't know what they were doing at all.
shag
Judd Bourgeois shagboy@bluesky.net
Finger for PGP public key
There's a lost man with a bitter soul
For only a moment did life make him whole
And while he was, he thought he was invincible...
Matthew Sweet, "Smog Moon"