Guide to writing secure setuid programs?

terry terry at wsccs.UUCP
Tue Mar 22 13:48:15 AEST 1988 

In article <386 at vsi.UUCP>, friedl at vsi.UUCP (Stephen J. Friedl) writes:
> setuid and setgid programs should be mode --x--x--x so people
> like me :-) can't look at them.  When digging for holes on a
> machine the first thing I do is run strings on the set[ug]id
> programs to look for the standard holes -- you can recognize them
> after a while.

	That's totally useless on machines where you have to load a software
emulator to run a program (say 286 programs on uPort 386).  In addition, a
smart programmer will use 'strip' on his programs.

	Besides why do that to look for holes?  There are plenty of other
nifty possibilities for holes:

	1) if /usr/spool/mail is writeable and on the same device as /etc:

		$ ln /etc/passwd /usr/spool/mail/fred
		$ echo "sneak::0:1:A hacker:/:/bin/sh" | mail fred
		$ su fred
		#

	2) if you were working on a VM system, you could debug SU.  The system
	   would mark the page you are working on as "in use";  change it so
	   you don't have to enter a password.  Go to another terminal.
	   Log in.  su.  Since the page is marked as in core, even if it has
	   been modified, it isn't reloaded from the disk, and your patched
	   version will be loaded and you will be signed on as root.

	3) On older system III systems, length-checking wasn't done on the
	   password field, and the compare buffer was pre-loaded and right
	   after the input buffer.  If you typed 88 of anything, you were in.

	While it's true that these will only work on badly ported or badly
administered systems, they seem (at least to me) to be more of a problem than
SIUD root programs.  2 and 3 have been fixed.  1 is the fault of incompetent
administration.

	It's true that you should be careful of SUID programs, but not any
more so than you should be careful of ANY permission changes or anything else
you do as root.  There are no more problems with security on UNIX than there
are on any other multi-user system; less, in a lot of cases.  If someone
really wanted your data, they'd break into your office if no other method was
available.


| Terry Lambert           UUCP: ...{ decvax, ihnp4 }                          |
| @ Century Software          : ...utah-cs!uplherc!sp7040!obie!wsccs!terry    |
| SLC, Utah                                                                   |
|                   These opinions are not my companies, but if you find them |
|                   useful, send a $20.00 donation to Brisbane Australia...   |
| 'There are monkey boys in the facility.  Do not be alarmed; you are secure' |

More information about the Comp.unix.wizards mailing list