begin quoting Lan Barnes as of Thu, Feb 03, 2005 at 01:07:19PM -0800:
> Stewart Stremler wrote:
> >
> > -Stewart "chmod a+x virus.sh ; mv virus.sh coolstuff.runme" Stremler
>
> And coolstuff.runme will, at best, run as user apache, so tell me again
> how it owns the box.

No, it'll run as Aunt Tillie. If there are any *local exploits*, it can try for those, but that's not necessary.

Which means it has access to her email address book and email archive, which gives it a target population to try to infect. Access to your data is sufficient to be a cause of concern.

It has access to her startup scripts, which means it can install its own shell that looks exactly like her current shell, except that certain events can be intercepted, such as calls to su or sudo. Should Aunt Tillie try to install some software, the system will ask her for the root password, or she'll invoke sudo or su to become root. And our little virus then gains root access, and is in.

It really comes down to this: if I sent you a binary file and told you to run it, would you? Now, consider some of your MSWindows-using friends or relatives... if you sent them a binary file and told them to run it, how many of them would run it? And that's the crux of the users-are-the-problem argument. (In my case, I think I could do better than a 50% success rate.)

Now, an SELinux box with a policy that _only_ a login to root from the console is allowed to have root-type access would prevent that. But that isn't very convenient. It makes remote administration impossible, and local administration annoying enough that it will not be seen as a "feature".

I mean, why do we have sudo? Because logging out and logging in is "too annoying". And "su -" is "too annoying". People will make a copy of sh setuid 0 just to avoid having to take the long way around. (Yes, I've seen this happen. No, this wasn't a newbie or someone who was "technologically impaired".)

-Stewart "Just because you CAN fix it doesn't mean it will be" Stremler

-- 
KPLUG-List mailing list
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
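
The two tricks Stewart describes, a startup file that hijacks su/sudo and a renamed setuid copy of sh, are both easy to audit for from the administrator's side. The script below is an added example, not code from the original thread; the `.bashrc` content, the `/tmp/.cache/wrap` path and the `coolstuff.runme` copy are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the KPLUG thread): audit for the two tricks above.
#  1. startup files that alias or redefine su/sudo, so the real command is
#     never what the user actually runs;
#  2. setuid files that are byte-for-byte copies of a shell interpreter.

# Print lines of startup file $1 that alias or redefine su/sudo.
# Exit status like grep: 0 if anything was found, 1 otherwise.
audit_startup_file() {
    grep -nE '^[[:space:]]*(alias[[:space:]]+(su|sudo)=|(function[[:space:]]+)?(su|sudo)[[:space:]]*\(\))' "$1"
}

# Walk directory $1 for setuid files whose content matches a known shell
# binary, whatever they are named. Exit 0 if any was found, 1 otherwise.
find_setuid_shell_copies() {
    hit=1
    for candidate in $(find "$1" -type f -perm -4000 2>/dev/null); do
        for shell in /bin/sh /bin/bash /bin/dash; do
            if [ -f "$shell" ] && cmp -s "$candidate" "$shell"; then
                echo "setuid copy of $shell: $candidate"
                hit=0
                break
            fi
        done
    done
    return $hit
}

# Constructed demo home: a booby-trapped .bashrc plus a renamed setuid copy
# of /bin/sh (owned by the current user, so no root is needed to build it).
# Prints the directory path.
make_demo_home() {
    d=$(mktemp -d)
    cat > "$d/.bashrc" <<'EOF'
export EDITOR=vim
alias ls='ls --color=auto'
# constructed sample of the trap: every "sudo" goes through a wrapper first
sudo() { /tmp/.cache/wrap "$@"; }
EOF
    mkdir -p "$d/.cache"
    cp /bin/sh "$d/.cache/coolstuff.runme"
    chmod u+s "$d/.cache/coolstuff.runme"
    echo "$d"
}
```

On a real system you would run `find_setuid_shell_copies /` and `audit_startup_file` over each user's `.bashrc`, `.profile` and similar files; the demo directory only exists so the checks can be exercised without touching a live home.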
