
Re: NMO not setuid-root (Unix-only)

From: Jonathan Leffler <jleffler_at_earthlink.net>
Date: Wed, 01 Dec 2004 06:14:06 GMT
Message-ID: <Oidrd.4652$u81.709@newsread3.news.pas.earthlink.net>


Noons wrote:
> yong321_at_yahoo.com (Yong Huang) wrote:

>>>>I think it's chmod 6751. If it were 4777, the executable could be
>>>>overwritten by anyone, and removed if the directory it is in allows
>>>>anyone to change.

>
> Used to be 4777 to set the SUID bit.

The 4 was necessary; the 777 was not, and was never sensible.

> Or was it 4755? Can't remember, haven't
> read the root.sh script in ages.
> I hate these binary security bits anyway, always use
> the "rwx[+-]ugo" syntax: much clearer.
> [...]

chmod u=srx,g=sx,o=x ...

It's simpler to use 6511 from where I sit (but twenty years of thinking of permissions in octal has probably distorted the neuronic pathways a bit :-).

>>Jonathan Leffler commented: 
>>>But you're right - a SUID anything program with public write 
>>>permissions is a security disaster; 

>
> and in the interest of clarification the reason why
> should also be explained?
> Not everyone here might be aware how easy it is to write
> a script to impersonate another program.

OK. If anyone can modify a SUID (or SGID) executable, anybody who wants to can copy any convenient program (let's think - /bin/ksh?) over the insecure program. And then run it. And the shell now runs with the privileges of the user to whom the program was SUID (and/or the group to which the program was SGID). Usually, this user or group can do things which an ordinary user should not be able to do - such as read any (unencrypted) data in the database. If it is SUID root, the intruder has got root privileges on your machine. A careful intruder would target the insecure executable carefully to cover their tracks:

cp -p /insecure/program /tmp
cp /bin/ksh /insecure/program
/insecure/program
...this runs a Korn shell and in that shell, intruder executes...
cp -p /tmp/program /insecure/program
...and probably ensures they can get back into the system on demand...
cp /bin/ksh /...
chmod 4555 /...

This largely covers their tracks - there are other things a half-way decent root-kit would do, and it probably wouldn't go hacking the root directory (and if it did, it would ensure the modification times didn't change, etc). An alternative to /... is an odd-ball name like /bin/procchk - which doesn't usually exist as an ordinary program but looks plausibly Unixy and might just need SUID root privileges in the ordinary course of events.

-- 
Jonathan Leffler                   #include <disclaimer.h>
Email: jleffler_at_earthlink.net, jleffler_at_us.ibm.com
Guardian of DBD::Informix v2003.04 -- http://dbi.perl.org/
Received on Wed Dec 01 2004 - 00:14:06 CST
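
The audit that follows from the message above, as an added example that is not part of the original post: it lists SUID/SGID files that a non-owner could overwrite (the 4777 case) or replace because the containing directory is world-writable without the sticky bit. The function names and the WRITABLE/REPLACEABLE output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): find set-id files that a
# non-owner could overwrite in place or swap out via the directory.

# Set-id regular files that are group- or world-writable (e.g. mode 4777).
# POSIX "-perm -MODE" matches when every bit in MODE is set.
audit_writable_setid() {
    find "$1" -xdev -type f \
        \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) \
        -exec printf 'WRITABLE %s\n' {} \; 2>/dev/null
}

# Set-id regular files whose directory is world-writable without the
# sticky bit (01000), so anyone may unlink the file and drop in another.
# Assumes path names contain no newline characters.
audit_replaceable_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        d=$(dirname "$f")
        # -prune tests only the directory itself, without descending.
        if [ -n "$(find "$d" -prune -type d -perm -0002 ! -perm -1000 2>/dev/null)" ]; then
            printf 'REPLACEABLE %s\n' "$f"
        fi
    done
}

# Run both checks over one tree.
audit_setid() {
    audit_writable_setid "$1"
    audit_replaceable_setid "$1"
}

# Usage: sh audit_setid.sh /path/to/tree
if [ "$#" -gt 0 ]; then
    audit_setid "$1"
fi
```

An empty result means no set-id file under the tree is group- or world-writable or sits in an unprotected world-writable directory; it says nothing about ACLs or about who owns the directories higher up the path.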
