[28878] in bugtraq
Re: Solaris Signals
daemon@ATHENA.MIT.EDU (Frank v Waveren)
Thu Feb 13 16:39:38 2003
Date: Thu, 13 Feb 2003 12:44:36 +0100
From: Frank v Waveren <fvw@var.cx>
To: Jon Masters <jonathan@jonmasters.org>
Message-ID: <20030213114436.GD16530@var.cx>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.10.10302120312500.21227-200000@router>
On Wed, Feb 12, 2003 at 03:21:49AM +0000, Jon Masters wrote:
> We all know that old chestnut about tracing setuid programs or scripts,
> but what about non-setuid scripts which have been installed for users and
> given execute only permission. For example, a lot of sites provide scripts
> for users to run which perform some admin related function and thus have
> usernames or passwords within them - potentially free to users.
Making programs execute-only is no security for such things unless you
add a lot of weird-and-definately-not-wonderful special cases all over
the OS. Even if you stop programs from dumping core if
access(executable, R_OK), you can still do LD_PRELOAD/LD_LIBRARY tricks
and get access to the process' memory (or just log all library or system
calls which gets you all the interesting stuff too, usually), and with
a little creativity there's plenty of other ways to get around lack of
read rights.
--
Frank v Waveren Fingerprint: 21A7 C7F3
fvw@[var.cx|stack.nl|chello.nl] ICQ#10074100 1FF3 47FF 545C CB53
Public key: hkp://wwwkeys.pgp.net/fvw@var.cx 7BD9 09C0 3AC1 6DF2
