On Wed, 4 Jun 2003 17:52:01 +0300
Shaul Karl <[EMAIL PROTECTED]> wrote:
> int main(void)
> {
> Do some initializations with root privileges;
> Become a daemon;
Do you drop root privileges at this stage? Otherwise your questions
about 'mesg n' are moot.
> 1. Modify the internal wall to have
> popen("nut_wall", "w")
If your main program runs as root (or later runs root suid programs),
then your biggest security flaw (in the shown code) is the usage of
popen:
1. You don't use an absolute path for wall, so anyone can set the
path to make your program run his own version of wall (which
may be a copy of /bin/sh).
2. popen is a security hole in itself (even with an absolute path)
because it runs the command line through the shell (think about
someone messing with the IFS environment variable before
running your program...).
Lesson one: if you need to pipe through a program:
1. DIY -- pipe, fork, close, close, dup, execve, etc. -- no shell
2. Make sure you sanitize everything for the program you
run (absolute path, arguments, environment, cwd, etc.)
> where nut_wall is a copy of the system wall executable, only
> that
> that copy is
> rws--x--- root nut
This part is somewhat better. Although root suid programs should be
taken with extreme care, the advantages in this case are:
1. wall is simple and old enough that the probability of a dormant
security hole is low (though not zero -- it wasn't intended to
be used as an suid program).
2. The group of users who are authorized to "override" 'mesg n'
is maintained administratively and not through code.
IMHO a better and simpler solution is just:
1. chgrp all tty's to some group (IIRC, on linux you can even
use pam to do it during user's login).
2. chmod them to 660
3. Now a non-suid wall may work for the chosen group.
> 2. Wrap wall's
> popen("nut_wall", "w")
> with gaining back and dropping the root privileges.
Do you mean using "saved" uid? Bit risky to code right...
> 3. Like 2 with the addition that whole wall activation will be a
> grandchild process.
What's that got to do with anything?
> The upstream author is reluctant to modify the code. He claims
> that
> root privileges should be used only when necessary, in particular in
> network aware applications. He also want the source lines that will
> get executed with root privileges to be structurally separated from
> the other source lines.
1. Write his words in stone
2. Use that stone on the head of every developer you can encounter
3. Ask his boss to give him a raise
4. Mail me his resume
--
Oron Peled Voice/Fax: +972-4-8228492
[EMAIL PROTECTED] http://www.actcom.co.il/~oron
.. Complex problems have simple, easy to understand wrong answers.
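An added example (not code from the thread) of "Lesson one" above: piping a message into a program with pipe/fork/dup2/execve and no shell, an absolute path, a known cwd and an explicitly built environment so an inherited PATH or IFS cannot steer the child. The names run_filter and clean_env and the PATH value are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Environment handed to the child: nothing is inherited, so a caller's
 * PATH or IFS cannot influence it (the value here is an assumption). */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Run `path` with `argv` and no shell, feed `input` to its stdin and collect
 * up to out_len-1 bytes of its stdout in `out`.  Returns the child's exit
 * status, or -1 on any failure.  `path` must be absolute. */
int run_filter(const char *path, char *const argv[], const char *input,
               char *out, size_t out_len)
{
    int in[2], outp[2];
    if (path == NULL || path[0] != '/') return -1;   /* no PATH lookup, ever */
    if (pipe(in) < 0) return -1;
    if (pipe(outp) < 0) { close(in[0]); close(in[1]); return -1; }
    pid_t pid = fork();
    if (pid < 0) {
        close(in[0]); close(in[1]); close(outp[0]); close(outp[1]);
        return -1;
    }
    if (pid == 0) {                                  /* child */
        dup2(in[0], STDIN_FILENO);
        dup2(outp[1], STDOUT_FILENO);
        close(in[0]); close(in[1]); close(outp[0]); close(outp[1]);
        if (chdir("/") < 0) _exit(127);              /* known cwd */
        execve(path, argv, clean_env);               /* direct exec, no /bin/sh */
        _exit(127);                                  /* exec failed */
    }
    close(in[0]); close(outp[1]);                    /* parent keeps one end each */
    size_t len = strlen(input), done = 0;
    while (done < len) {                             /* fine for wall-sized messages */
        ssize_t w = write(in[1], input + done, len - done);
        if (w <= 0) break;
        done += (size_t)w;
    }
    close(in[1]);                                    /* EOF for the child */
    size_t got = 0; ssize_t r;
    while (got < out_len - 1 &&
           (r = read(outp[0], out + got, out_len - 1 - got)) > 0)
        got += (size_t)r;
    out[got] = '\0';
    close(outp[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

If the caller itself runs as root, the child should additionally drop privileges before execve unless the program genuinely needs them.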