Bugtraq mailing list archives

Re: libresolv+ bug


From: nick () zeta org au (Nick Andrew)
Date: Thu, 22 Aug 1996 22:56:57 +1000


Forwarding a message from Thomas Ptacek:
The primary problem, as I see it, is not that SUID programs are being
written poorly, or that the sensitivity of SUID programs is not being
adequately dealt with by the operating system, or the compilers that
produce the executable code; it's that SUID programs, as present in most
modern Unix operating systems, are being written at all.

The problems are orthogonal. Poorly written programs can still be
exploited through buffer overflows, stack corruption and the like.
The only difference is - if the program has no additional privileges
then the program can do nothing which the intruder couldn't do anyway.

The exceptions are if the program is running as a different user (e.g.
root) or group, or is running on a machine (or in an environment) in
which the intruder does not have privilege to execute code.

However, as soon as _any_ additional privilege is granted, the
same old vulnerabilities come back to haunt us. Additional privilege
implies that an intruder could abuse that privilege. It hurts so much
because "additional privilege" usually means root access.

Beyond that, no Unix OS I know of allows admins or programmers to reliably
specify privileges in anything more than an "all or none" fashion - if
your program needs permissions to write to /etc/passwd, you need to let it
run /bin/sh and write to /root/.rhosts as well.

/etc/passwd could be given group write permission - but then, once a program
_can_ write /etc/passwd it can pretty-much subvert the rest of the system to
its own ends without any trouble.

I think it's been adequately demonstrated to us that the POSIX saved
credentials solution insufficiently addresses the potential for subversion
most SUID programs have.

I think it protects the filesystem - or rather, it protects against
filesystem-based attacks. No such protection against code subversion.

Nick.
--
Kralizec Dialup Internet System         Data: +61-2-9837-1183, 9837-1868
Zeta Microcomputer Software             Fax: +61-2-9837-3753 Voice: 9837-1397
P.O. Box 177, Riverstone NSW 2765       http://www.kralizec.net.au/
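Nick's last point (saved credentials guard the filesystem, not against code subversion) comes down to whether the saved set-user-ID still holds root after a drop. The following is an added example, not code from either message, assuming Linux setreuid()/seteuid() semantics and a constructed unprivileged uid of 65534:

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Probe: can this process still become root? Restores the previous
 * effective uid so the caller's state is unchanged. Returns 1 or 0. */
int can_regain_root(void) {
    uid_t before = geteuid();
    if (seteuid(0) != 0)
        return 0;            /* EPERM: no root credential left to use */
    seteuid(before);
    return 1;
}

/* Temporary drop: only the effective uid changes. The saved uid stays 0,
 * so any code that runs in this process afterwards (including code an
 * intruder managed to inject) can call seteuid(0) and be root again. */
int drop_temporarily(uid_t unpriv) {
    return seteuid(unpriv);
}

/* Permanent drop: on Linux, setreuid() with a new real uid also replaces
 * the saved uid, so nothing is left to climb back to. The drop is
 * verified with the probe rather than trusted from the return value. */
int drop_permanently(uid_t unpriv) {
    if (setreuid(unpriv, unpriv) != 0)
        return -1;
    if (unpriv != 0 && can_regain_root())
        return -1;           /* saved uid survived: drop did not happen */
    return 0;
}

int main(void) {
    uid_t unpriv = 65534;    /* constructed: "nobody" on many systems */
    if (getuid() != 0) {
        puts("start as root (e.g. a setuid-root binary) to see the difference");
        return 0;
    }
    drop_temporarily(unpriv);
    printf("after seteuid():  can regain root? %d\n", can_regain_root());
    drop_permanently(unpriv);
    printf("after setreuid(): can regain root? %d\n", can_regain_root());
    return 0;
}
```

Started as root, the first line prints 1 and the second 0: the temporary drop protects file accesses made while the uid is lowered, but an attacker who gets code execution simply calls seteuid(0); only the permanent drop removes the credential itself.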