[3018] in bugtraq


Re: bin owned system files

daemon@ATHENA.MIT.EDU (Paul Hilchey)
Thu Jul 25 22:01:47 1996

Date: 	Thu, 25 Jul 1996 16:43:10 UTC-0700
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Paul Hilchey <hilchey@ucs.ubc.ca>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To:  <v03007610ae1d9f0f87cb@[128.10.9.66]>

> From: Gene Spafford <spaf@cs.purdue.edu>
> Send-Date: Thu, 25 Jul 1996 17:18:39 UTC-0500
>
> At 1:20 PM -0500 7/25/96, Robert E. Adams wrote in "bin owned system
> files":
> > Are there any known problems/bugs/etc.
> > with "root" executing system binaries
> > owned by "bin" as long as the "bin"
> > account is disabled in /etc/passwd.
> > (i.e. * for password and /bin/false
> > for the shell).
>
> The standard problem is that if any of these files are exported on a
> writable partition using NFS, then anyone able to control the importing
> machines (or spoof the NFS protocol sufficiently) can overwrite the files
> with arbitrary things.  All it takes is becoming "bin" (or "daemon" or....
> any other user than root) on the remote machine, and one can then scribble
> all over the exported files as the owner.  Obviously, this can lead to
> disaster when user root runs the files on the exporting machine.
>
> It isn't simply executables, either -- it is configuration files (e.g.,
> inetd.conf) and directories (e.g., /bin).  If they are owned by a non-root
> entity and they are exported writable using standard NFS, then the system
> is easily compromised.
>
> Using secure NFS or Kerberos helps, but those have drawbacks, too.  The
> best policy is to be very careful with NFS and ownership.

No, the best policy is to be very careful with NFS exports.

The default behaviour of denying root privileges to NFS clients is a quirky
feature that seldom buys you any real security.  Although one can contrive
situations in which it helps, it isn't an effective approach to making NFS
secure.  Spafford gives an example where /etc is exported read-write to
non-trusted clients.  This is not realistic, since no one in their right
mind would do that!  If you export /etc at all, it should be exported
read-only.

If you are concerned about root inadvertently running a tampered program,
your root path should not include directories that are exported read-write.
