httpd-dev mailing list archives

From r..@ai.mit.edu (Robert S. Thau)
Subject Re: setuid control WITHOUT running as root
Date Mon, 03 Jun 1996 00:44:44 GMT
  > ... all of which can be *very* easily arranged for by an attacker on a
  > system with "giveaway" chowns --- out-of-the box SGIs, for one.  (I
  > just tried it; gave away a file and its enclosing directory to root.
  > Other likely "giftees" include 'bin', 'daemon', and 'uucp').

  Doesn't the root owned directory need to be writable by you in
  order to establish the link? Maybe I'm not familiar with your attack.

No.  You create the directory, put the file in it, and then chown both
to the target user, leaving the file modes intact.  You don't have
write permission on the directory after you've given it away, but at
that point, you don't have to; the file you need is already there.

  Leaving that kind of hole open is not a security flaw in Apache
  or any wrapper. It's an administration error that is deadly when
  you allow setuid files.

If by "that kind of security hole", you mean giveaway chowns, then it's
not a security hole at all.  It's a feature that has no severe security
implications (because the giveaway chown turns off the suid bit), *unless*
something else (like a wrapper) comes along and treats file ownership in
that environment for more than it's worth.  (The worst thing it ordinarily
does is allow users to evade disk quotas, so it isn't a useful option on
systems that have quotas, but everyone knows that going in).

The *combination* of giveaway chowns and something like the current
sucgi-wrapper *is* pretty dangerous --- but my personal expectation is
that if we were to release such code, and CERT were to get a report of
nasty exploits, they'd come after us, and not the OS vendor.

rst

