[36809] in bugtraq
Re: cdrecord local root exploit
daemon@ATHENA.MIT.EDU (Greg A. Woods)
Fri Oct 1 17:33:50 2004
Message-Id: <m1CDRAs-0005GXC@proven.weird.com>
Date: Fri, 1 Oct 2004 13:26:30 -0400 (EDT)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: "Greg A. Woods" <woods@planix.com>
To: "Jason T. Miller" <jasomill@shaffstall.com>
Cc: "D.r Andrew C. Aitchison" <A.C.Aitchison@dpmms.cam.ac.uk>,
"BUGTRAQ: Full Disclosure Security Mailing List" <bugtraq@securityfocus.com>
In-Reply-To: <Pine.LNX.4.58.0409280016150.21359@guildenstern.oneview.local>
Reply-To: "Greg A. Woods" <woods@planix.com>
[ On Tuesday, September 28, 2004 at 01:22:17 (-0500), Jason T. Miller wrote: ]
> Subject: Re: cdrecord local root exploit
>
> The notion that a program must be root if an ordinary user doesn't have
> the necessary permissions by default is a dangerous one.
Very well said.
I really liked your way of presenting the idea of a setuid proxy too.
Not very many texts on secure programming techniques are so lucid.
Even those of us who've been trying to practice secure programming
techniques (esp. on unix-like systems, i.e. those using setuid), have
had tremendous difficulty implementing the principle of least privilege.
I can usually get as far as designing my code in the manner of your
outline for something like cdrecord where a program needs certain
privileges to open a device file and where only certain users should be
allowed to run that program.
However with the limitations of file and process ACL technology present
in most unix-like systems following this principle gets a lot more
difficult if, for example, you want to have a second limited group of
users be able to write to a configuration file for the program, but not
make it possible for the program itself to write to any of its
configuration files (e.g. if it were to suffer a buffer overflow and
give its privileges to an attacker). As far as I've ever been able to
figure out it's almost impossible to do this on unix-like systems if you
also need to protect the content of the configuration file from prying
eyes (i.e. not be "other"-readable). It might be possible to do
relatively safely with a pair of communicating front-end/back-end setuid
proxy programs, providied they can have hard-coded group-ID numbers (and
provided the host system implements multi-group membership for
processes). Such complexity though is an enemy of security.
--
Greg A. Woods
Planix, Inc.
<woods@planix.com> +1 416 489-5852 x122 http://www.planix.com/
