Using UUCP under a BBS system???
Karl Denninger
karl at ddsw1.MCS.COM
Wed Feb 21 07:25:54 AEST 1990
In article <.OV1S=Axds13 at ficc.uu.net> morrison at ficc.uu.net (Brad Morrison) writes:
>In article <1990Feb13.214855.4265 at ddsw1.MCS.COM> karl at mcs.MCS.COM (Karl Denninger) writes:
>
>>The second is the killer. Let's say you don't want people getting to the
>>shell, for whatever reason. Here's a partial list of what you can't let
>>them execute (even internally as a pager or mailer):
>> vi and friends (ex, view, etc)
>> more
>> mail
>> pg
>> most other editors
>> anything with a shell escape, or anything which can chain to an editor
>
>>Why? Well, you'd think that "SHELL=/bin/true;export SHELL" would protect
>>you from the vi ":!". It won't. Try ":set shell ...." sometime inside vi,
>>then a ":!...." and you'll be suitably shocked.
>
>>The same problem exists with "more"; it can chain to "vi", and from there....
>
>>There is no way to protect from this without source code to those utilities.
>>Even if you "rsh" people they can screw you using this method. Every scheme
>>we've tried (other than removing the shell from the system!) I've been able
>>to penetrate within a few minutes; "rsh" environments included. Only a
>>"chroot" environment provides reasonable safety.
>
>What about having a wrapper around the real shells that only execs the
>real one if the user id is below some threshold? Then give your restricted
>users IDs above the threshold.
But what if the user finds out the real shell's name?
SUID'ing the "wrapper" program won't work either, since it has to set the
user id's to the real ones >before< it execs the real shell, and thus you
again can get caught out.
Security by obscurity is not security; it's hiding things. And hidden
things aren't locked, they're simply hidden. Of course, since they are only
hidden, they can also be found.
Once a user finds out what you called /bin/sh (if you rename it) they can
have a jolly good time using the same method as above.
--
Karl Denninger (karl at ddsw1.MCS.COM, <well-connected>!ddsw1!karl)
Public Access Data Line: [+1 708 566-8911], Voice: [+1 708 566-8910]
Macro Computer Solutions, Inc. "Quality Solutions at a Fair Price"
More information about the Comp.unix.i386
mailing list