Re: su - and su - what is the real difference?

2006-08-11 Thread Florent Rougon
Goswin von Brederlow [EMAIL PROTECTED] wrote:

> if (isatty (0) && (cp = ttyname (0))) {

> For this to succeed the stdin must be a terminal. But nothing stops
> you from using a pseudo terminal (pty).

You're right, that works. Thanks.

My conclusion is that whether using su or su - from a non-privileged
user account doesn't really matter from a security POV, because you're
stuffed as soon as an attacker having access to this account makes you
run his own su wrapper (which is quite doable) to record the root
password.

-- 
Florent


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: su - and su - what is the real difference?

2006-08-10 Thread Florent Rougon
Florent Rougon [EMAIL PROTECTED] wrote:

> Is it possible for a malicious su wrapper to:
>
>   1. record root's password (of course, yes);
>
>   2. *and then* feed this password to the real su.
>
> I suspect the real su empties the stdin buffer (or something like
> that) to avoid such attacks, but would be glad to hear a confirmation
> from people who know better.

OK, answering my own question. su has the following code:

    if (isatty (0) && (cp = ttyname (0))) {

    [...]

    } else {
        if (!amroot) {
            fprintf (stderr,
                     _("%s: must be run from a terminal\n"), Prog);
            exit (1);
        }
        tty = "???";
    }

with the result that the attached program fails this way:

  % ./autosu.py
  su: must be run from a terminal
  Child exit status: 1
  %

#! /usr/bin/env python

# autosu.py --- Try to su to root, with the password given by the program, not
#   the user.
# Copyright (c) 2006 Florent Rougon
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 dated June, 1991.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING. If not, write to the
# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
# Boston, MA  02110-1301 USA.

import sys, os, time

class Bug(Exception):
    pass


def main():
    # Pipe whose read end becomes the child's stdin (so stdin is not a tty).
    (rfd, wfd) = os.pipe()
    child_pid = os.fork()

    if child_pid == 0:
        # We are in the child process. We MUST NOT raise any exception.
        try:
            os.dup2(rfd, 0)
            os.execvp("su", ["su", "root", "-c", "id"])
        except:
            os._exit(127)

        # Should not happen unless there is a bug in Python
        os._exit(126)

    # We are in the father process.
    time.sleep(2)

    f = os.fdopen(wfd, "wb")
    f.write("v3ry s3kr3t p455w0rd\n")
    f.flush()
    f.close()

    exit_info = os.waitpid(child_pid, 0)[1]
    if os.WIFEXITED(exit_info):
        exit_code = os.WEXITSTATUS(exit_info)
    elif os.WIFSIGNALED(exit_info):
        sys.exit("Child terminated by signal %u" % os.WTERMSIG(exit_info))
    else:
        raise Bug()

    print "Child exit status: %u" % exit_code

    sys.exit(0)

if __name__ == "__main__": main()

-- 
Florent


Re: su - and su - what is the real difference?

2006-08-10 Thread Goswin von Brederlow
Florent Rougon [EMAIL PROTECTED] writes:

> Florent Rougon [EMAIL PROTECTED] wrote:
>
>> Is it possible for a malicious su wrapper to:
>>
>>   1. record root's password (of course, yes);
>>
>>   2. *and then* feed this password to the real su.
>>
>> I suspect the real su empties the stdin buffer (or something like
>> that) to avoid such attacks, but would be glad to hear a confirmation
>> from people who know better.
>
> OK, answering my own question. su has the following code:
>
> if (isatty (0) && (cp = ttyname (0))) {

For this to succeed the stdin must be a terminal. But nothing stops
you from using a pseudo terminal (pty).

MfG
Goswin





su - and su - what is the real difference?

2006-07-28 Thread LeVA
Hi!

Here comes a lame question yes I know, but I need to hear the 
experiences and opinions about this.
I've read through a number of documents which described the differences 
between the real and effective user ids and I am now just wondering 
about this:

What is the difference (I mean in the real world) between running `su` 
(getting a non-login shell) and `su -` (getting a login shell). Is 
there a security-related problem with any of the invocations above? AFAIK 
the real and effective uids are always set to 0 after both commands.

Thanks!

Daniel

-- 
LeVA





Re: su - and su - what is the real difference?

2006-07-28 Thread Michael Marsh

On 7/28/06, LeVA [EMAIL PROTECTED] wrote:

> Here comes a lame question yes I know, but I need to hear the
> experiences and opinions about this.
> I've read through a number of documents which described the differences
> between the real and effective user ids and I am now just wondering
> about this:
>
> What is the difference (I mean in the real world) between running `su`
> (getting a non-login shell) and `su -` (getting a login shell). Is
> there a security-related problem with any of the invocations above? AFAIK
> the real and effective uids are always set to 0 after both commands.



From the info pages for su:


--- [ info su ]
`-'
`-l'
`--login'
Make the shell a login shell.  This means the following.  Unset all
environment variables except `TERM', `HOME', and `SHELL' (which
are set as described above), and `USER' and `LOGNAME' (which are
set, even for the super-user, as described above), and set `PATH'
to a compiled-in default value.  Change to USER's home directory.
Prepend `-' to the shell's name, intended to make it read its
login startup file(s).


What this means is that if you just run su, you'll be left with the
environment of the user from whose account you entered root's.  In
particular, $PATH, $LD_PRELOAD, and $LD_LIBRARY_PATH won't be unset.
If the user is malicious, he can get you to run different programs
than you thought you were running.  That includes dynamically linking
in (for example) a trojaned version of libc.  It's precisely because
your euid becomes 0 that this is a problem, since the malicious user
can set up a root-privileged back door.

--
Michael A. Marsh
http://www.umiacs.umd.edu/~mmarsh
http://mamarsh.blogspot.com
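The environment handling Michael describes, as an added example that is not part of the thread: a small Python model of what plain su and su - leave in the environment (following the info excerpt), plus a check for which inherited PATH and loader entries point into directories the invoking user can write. DEFAULT_PATH, the writable prefixes and the sample environment are assumed or constructed values; which of HOME, SHELL, USER and LOGNAME plain su overrides is deliberately left unmodelled because the thread itself reports that it varies by version.

```python
"""Model of what `su` and `su -` leave in the environment, plus an audit
of the inherited entries an unprivileged caller could control.
Added example (not code from the thread): the login-shell rules follow the
`info su` excerpt quoted above; DEFAULT_PATH and the writable prefixes are
assumed values, and the sample environment is constructed."""

DEFAULT_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"  # assumed
LOGIN_KEEP = ("TERM", "HOME", "SHELL", "USER", "LOGNAME")  # from the info page
AUDITED = ("PATH", "LD_LIBRARY_PATH", "LD_PRELOAD")


def plain_su_env(env):
    """Plain `su`: the caller's environment is carried over as-is.
    Which of HOME/SHELL/USER/LOGNAME su then overrides varies between
    implementations (the thread reports both), so they are left alone;
    the point is that PATH and the loader variables survive."""
    return dict(env)


def login_su_env(env, target="root", home="/root", shell="/bin/bash"):
    """`su -`: keep only TERM, HOME, SHELL, USER and LOGNAME, set them
    for the target user, and reset PATH to the compiled-in default."""
    new = {k: v for k, v in env.items() if k in LOGIN_KEEP}
    new.update(HOME=home, SHELL=shell, USER=target, LOGNAME=target,
               PATH=DEFAULT_PATH)
    return new


def attacker_controlled(env, writable_prefixes):
    """Return (variable, entry) pairs for PATH and ld.so entries that a
    root shell would inherit but which resolve into a directory the
    unprivileged caller can write to (or into the current directory)."""
    hits = []
    for var in AUDITED:
        if var not in env:
            continue
        for entry in env[var].split(":"):
            if entry in ("", "."):
                # Empty or "." means "search the current directory" for
                # PATH and LD_LIBRARY_PATH; ld.so ignores it in LD_PRELOAD.
                if var != "LD_PRELOAD":
                    hits.append((var, entry or "(empty)"))
                continue
            if any(entry == p or entry.startswith(p.rstrip("/") + "/")
                   for p in writable_prefixes):
                hits.append((var, entry))
    return hits


SAMPLE_ENV = {  # constructed: a typical unprivileged user's exports
    "PATH": "/home/alice/bin:/usr/local/bin:/usr/bin:/bin:",
    "LD_PRELOAD": "/home/alice/.lib/libwrap.so",
    "LD_LIBRARY_PATH": "/home/alice/.lib",
    "TERM": "xterm", "HOME": "/home/alice", "SHELL": "/bin/bash",
    "USER": "alice", "LOGNAME": "alice", "EDITOR": "vim",
}
WRITABLE_BY_ALICE = ("/home/alice", "/tmp")  # assumed

if __name__ == "__main__":
    for label, env in (("su", plain_su_env(SAMPLE_ENV)),
                       ("su -", login_su_env(SAMPLE_ENV))):
        hits = attacker_controlled(env, WRITABLE_BY_ALICE)
        print("%-5s inherits %d risky entries: %s" % (label, len(hits), hits))
```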





Re: su - and su - what is the real difference?

2006-07-28 Thread David Ehle


Good Question.

I had never thought THAT deeply about it, and always just thought about it 
in terms of which scripts would set which environment variables and 
paths: su keeping your current environment, but changing your effective 
UID, while su - would give you root's PATH and environment.


So, I would be interested in hearing what the additional security 
implications would be.


David.

--
David Ehle
Computing Systems Manager
CAPP CSRRI
rm 077
LS Bld. IIT Main Campus
Chicago IL 60616
[EMAIL PROTECTED]
312-567-3751

He who fights with monsters must take care lest he thereby become a
monster. And if you gaze for long into an abyss, the abyss gazes also into
you.

On Fri, 28 Jul 2006, LeVA wrote:


> Hi!
>
> Here comes a lame question yes I know, but I need to hear the
> experiences and opinions about this.
> I've read through a number of documents which described the differences
> between the real and effective user ids and I am now just wondering
> about this:
>
> What is the difference (I mean in the real world) between running `su`
> (getting a non-login shell) and `su -` (getting a login shell). Is
> there a security-related problem with any of the invocations above? AFAIK
> the real and effective uids are always set to 0 after both commands.
>
> Thanks!
>
> Daniel
>
> --
> LeVA










Re: su - and su - what is the real difference?

2006-07-28 Thread LeVA
2006. July 28. 16:04, Michael Marsh:
> On 7/28/06, LeVA [EMAIL PROTECTED] wrote:
>> Here comes a lame question yes I know, but I need to hear the
>> experiences and opinions about this.
>> I've read through a number of documents which described the
>> differences between the real and effective user ids and I am now
>> just wondering about this:
>>
>> What is the difference (I mean in the real world) between running
>> `su` (getting a non-login shell) and `su -` (getting a login
>> shell). Is there a security-related problem with any of the
>> invocations above? AFAIK the real and effective uids are always set
>> to 0 after both commands.
>
> From the info pages for su:
>
> --- [ info su ]
> `-'
> `-l'
> `--login'
>      Make the shell a login shell.  This means the following.  Unset
> all environment variables except `TERM', `HOME', and `SHELL' (which
> are set as described above), and `USER' and `LOGNAME' (which are set,
> even for the super-user, as described above), and set `PATH' to a
> compiled-in default value.  Change to USER's home directory. Prepend
> `-' to the shell's name, intended to make it read its login startup
> file(s).
>
> What this means is that if you just run su, you'll be left with the
> environment of the user from whose account you entered root's.  In
> particular, $PATH, $LD_PRELOAD, and $LD_LIBRARY_PATH won't be unset.
> If the user is malicious, he can get you to run different programs
> than you thought you were running.  That includes dynamically linking
> in (for example) a trojaned version of libc.  It's precisely because
> your euid becomes 0 that this is a problem, since the malicious user
> can set up a root-privileged back door.

So running su with the '-' option is safer than running without it?

Daniel


-- 
LeVA





Re: su - and su - what is the real difference?

2006-07-28 Thread javier rojas

> So running su with the '-' option is safer than running without it?


absolutely, in terms of resetting the whole environment.


--
Ciao, Javier
linux user #393724





Re: su - and su - what is the real difference?

2006-07-28 Thread martin f krafft
also sprach LeVA [EMAIL PROTECTED] [2006.07.28.1533 +0100]:
> So running su with the '-' option is safer than running without it?

In that it bears less surprises, yes.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft [EMAIL PROTECTED]
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
in diving to the bottom of pleasure
 we bring up more gravel than pearls.
   -- honoré de balzac




Re: su - and su - what is the real difference?

2006-07-28 Thread LeVA
2006. July 28. 16:04, Michael Marsh:
> On 7/28/06, LeVA [EMAIL PROTECTED] wrote:
>> Here comes a lame question yes I know, but I need to hear the
>> experiences and opinions about this.
>> I've read through a number of documents which described the
>> differences between the real and effective user ids and I am now
>> just wondering about this:
>>
>> What is the difference (I mean in the real world) between running
>> `su` (getting a non-login shell) and `su -` (getting a login
>> shell). Is there a security-related problem with any of the
>> invocations above? AFAIK the real and effective uids are always set
>> to 0 after both commands.
[snip]
> What this means is that if you just run su, you'll be left with the
> environment of the user from whose account you entered root's.  In
> particular, $PATH, $LD_PRELOAD, and $LD_LIBRARY_PATH won't be unset.
> If the user is malicious, he can get you to run different programs
> than you thought you were running.  That includes dynamically linking
> in (for example) a trojaned version of libc.  It's precisely because
> your euid becomes 0 that this is a problem, since the malicious user
> can set up a root-privileged back door.

And can you tell me why the $USER and the $LOGNAME variables get 
reset by su, no matter whether I've invoked it with or without the '-' 
option?
Under OpenBSD (yes, yes I know this is not an obsd list :) if the target 
uid is 0, then su (without the '-') changes neither the USER nor the 
LOGNAME variable.
Is this a minor thing and I'm just facing two coders who were not 
thinking the same when creating two different types of su program; or 
are those the same su programs and there is some deeper evil lying 
behind those variables?

Daniel

-- 
LeVA





Re: su - and su - what is the real difference?

2006-07-28 Thread Florent Rougon
Michael Marsh [EMAIL PROTECTED] wrote:

> What this means is that if you just run su, you'll be left with the
> environment of the user from whose account you entered root's.  In
> particular, $PATH, $LD_PRELOAD, and $LD_LIBRARY_PATH won't be unset.
> If the user is malicious, he can get you to run different programs
> than you thought you were running.  That includes dynamically linking
> in (for example) a trojaned version of libc.  It's precisely because
> your euid becomes 0 that this is a problem, since the malicious user
> can set up a root-privileged back door.

I'm wondering whether using su - is really safer.

We are considering the case where the user account used to run the
command is compromised (or the user owning this account is malicious,
which is more or less the same). He can easily trick you into believing
you're running /bin/su, whereas you're running some program of his
(using a shell function, or for more robustness exec()ing a modified
shell upon login where /bin/su actually calls a malicious program from
the user account). But this trick is really successful only if the fake
su program can eventually call the real one to get you root access
(otherwise, you'll quickly notice there is something wrong).

Is it possible for a malicious su wrapper to:

  1. record root's password (of course, yes);

  2. *and then* feed this password to the real su.

I suspect the real su empties the stdin buffer (or something like
that) to avoid such attacks, but would be glad to hear a confirmation
from people who know better.

Thanks.

-- 
Florent





Re: su - and su - what is the real difference?

2006-07-28 Thread Florent Rougon
LeVA [EMAIL PROTECTED] wrote:

> And can you tell me why the $USER and the $LOGNAME variables get
> reset by su, no matter whether I've invoked it with or without the '-'
> option?

Which suite are you testing this on?

Here, on sarge, using su with the - sets USER to root but doesn't
modify LOGNAME.

-- 
Florent





Re: su - and su - what is the real difference?

2006-07-28 Thread Boris Veytsman
L> From: LeVA [EMAIL PROTECTED]
L> Date: Fri, 28 Jul 2006 15:58:04 +0200

L> What is the difference (I mean in the real world) between running `su` 
L> (getting a non-login shell) and `su -` (getting a login shell). Is 
L> there a security-related problem with any of the invocations above? AFAIK 
L> the real and effective uids are always set to 0 after both commands.

There are several cases when su is preferable to su -.   

If there are some additional directories in your $PATH, which you
might want to access as a normal user AND as a root, su would be
better. 

Also, if there are several admins on your machine, each might have her
own customized aliases, commands, etc.  The common root environment of
'su -' would be less convenient for them than keeping the users' own
customization.

One of the most important implications for our setup here is the
following.  We have a rule that after each root login the admin makes
an entry in the system ChangeLog file.  If I do this from emacs, and
hit C-x 4 a, the following entry appears when I use su:


 2006-07-28  Boris Veytsman  [EMAIL PROTECTED]

 *

When I use 'su -', the entry is marked as done by root, which is less
convenient in a multi-admin situation.

Of course, if my user account is compromised, 'su -' IS more secure.
BUT if it happens, basically all bets are lost anyway: the attacker
could trick me to execute his own specially crafted version of su,
start a keylogger, steal my private keys, etc.

Therefore I think su makes slightly more sense with respect to
auditing, logging and convenience than su -.

-- 
Good luck

-Boris

The rule on staying alive as a forecaster is to give 'em a number or
give 'em a date, but never give 'em both at once.
-- Jane Bryant Quinn





Re: su - and su - what is the real difference?

2006-07-28 Thread Henrique de Moraes Holschuh
On Fri, 28 Jul 2006, LeVA wrote:
> What is the difference (I mean in the real world) between running `su` 
> (getting a non-login shell) and `su -` (getting a login shell). Is 

The same that using /bin/su - gains you: a bit more defence against
someone doing nasty things to your environment.  Note the use of "a bit", as
in a small amount.

If you are going to use - for this reason, do the full thing and run
/bin/su - and not su -.  You don't want to trust $PATH either, after all.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Re: su - and su - what is the real difference?

2006-07-28 Thread Michael Marsh

On 7/28/06, Boris Veytsman [EMAIL PROTECTED] wrote:

> One of the most important implications for our setup here is the
> following.  We have a rule that after each root login the admin makes
> an entry in the system ChangeLog file.  If I do this from emacs, and
> hit C-x 4 a, the following entry appears when I use su:
>
>  2006-07-28  Boris Veytsman  [EMAIL PROTECTED]
>  *
>
> When I use 'su -', the entry is marked as done by root, which is less
> convenient in a multi-admin situation.


I've seen multi-admin systems where each admin has a separate login
with a distinct password not known to the other admins, but all with
uid 0.  I'm not sure how the logging appears in this case, so I don't
know if it really solves the same problem.  One problem it *does*
solve is being able to disable the root access of someone who is no
longer on the admin staff without having to change the root password.

--
Michael A. Marsh
http://www.umiacs.umd.edu/~mmarsh
http://mamarsh.blogspot.com





Re: su - and su - what is the real difference?

2006-07-28 Thread Bernd Eckenfels
Michael Marsh [EMAIL PROTECTED] wrote:
> know if it really solves the same problem.  One problem it *does*
> solve is being able to disable the root access of someone who is no
> longer on the admin staff without having to change the root password.

This is better solved by using sudo and not giving out the root password at
all. However, neither method really ensures that an admin who once had
root access cannot use one of the backdoors or misconfigurations he has
introduced to regain that trust level. Unless you really are paranoid in
monitoring your sysadmins, there is no real way to lock them out.

Bernd





Re: su - and su - what is the real difference?

2006-07-28 Thread LeVA
2006. July 28. 17:03, Florent Rougon:
> LeVA [EMAIL PROTECTED] wrote:
>> And can you tell me why the $USER and the $LOGNAME variables get
>> reset by su, no matter whether I've invoked it with or without the
>> '-' option?
>
> Which suite are you testing this on?
>
> Here, on sarge, using su with the - sets USER to root but doesn't
> modify LOGNAME.

I'm using testing with
ii  login  4.0.17-2  system login tools

I'd prefer to keep at least the LOGNAME variable the same as the logged 
in user after su-ing.

Daniel

-- 
LeVA





Re: su - and su - what is the real difference?

2006-07-28 Thread Florent Rougon
Oops!

Florent Rougon [EMAIL PROTECTED] wrote:

> Here, on sarge, using su with the - sets USER to root but doesn't
>                          ^^^^
>                          without
> modify LOGNAME.

Sorry for the confusion.

(of course, with su -, LOGNAME is set to 'root')

-- 
Florent

