[linux-security] Re: Programming ...
- From: Bartosz Lis <bartek krokus com pl>
- To: linux-security redhat com
- Subject: [linux-security] Re: Programming ...
- Date: Fri, 3 Dec 1999 16:57:56 +0100 (EET)
Hi,
While looking for holes in the utility script that Glynn Clements sent, I
have realized that using "~/" may be dangerous. The original script:
On Wed, 1 Dec 1999, Glynn Clements wrote:
[---cut---]
> cp ~/static-rm ~/rm # installing the "rm" binary needs to be
> mv -f ~/rm /tmp/rm # safe against symlink games
> cd /tmp
> chroot /tmp /rm -rf .
[---cut---]
is very unlikely to be compromised. But if you'd like to write your own
scripts using the above idea, you'd better change "~/" to absolute paths
(i.e. /root/). Rogier Wolff <R E Wolff BitWizard nl>, with whom I have
discussed security issues of that script, stressed that the script was
intended to be run in multiuser mode. It will work well until the HOME
variable evaluates to /root, thus it will fail in single user mode.
Detailed explanation
"~/" is replaced by bash with the value of "$HOME". This variable for root
usually evaluates to "/root", but in single user mode it evaluates to "/".
If trusted or static binaries are put for example in /root/bin and the
binaries are referenced in scripts as ~/bin/something , bash will look
for binaries in /bin (that is /bin/something) when in single user mode.
Binaries from /bin are dynamically linked and if run chrooted to
/tmp , library loader will look for /tmp/etc/ld.so.conf and
/tmp/lib/lib*.so . If you are attacked by an intruder, who knows what
you have in your scripts, he may put his Trojan horses to those locations.
"~root/" or "~user/" seem to be safer. Bash takes user's home directory
from /etc/passwd. When run in a script executed by bash, which was
chrooted to /tmp , the /tmp/etc/passwd is consulted.
Conclusions
1. Don't use "~/" in security related scripts or at least set the HOME
variable.
2. Reconsider using "~user/" syntax in scripts that are run chrooted.
Greetings,
--
Bartosz Lis
Krokus sp. z o.o.
snail-mail: Sterlinga 26, 90-213 Lodz, Poland
e-mail: B Lis krokus com pl
phone: [POLAND](42) 63 00110
www: http://www.krokus.com.pl
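
The following is an added example, not part of the original message: a POSIX shell script that shows where "~/bin/something" points under the two HOME values discussed above, and flags "~/" and "~user/" uses in a script so they can be replaced with absolute paths. The function names and the temporary sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Function names and the
# temporary sample files are constructed for illustration.

# What does "~/bin/something" name for a given HOME? The child shell does the
# tilde expansion itself, as a script would. tr squeezes "//" because some
# shells print "//bin/something" for HOME=/, which names the same path.
tilde_target() {
    HOME="$1" sh -c 'printf "%s\n" ~/bin/something' | tr -s /
}

# Print "line:text" for every non-comment line that uses "~/" or "~user/"
# at the start of a word, which is where the shell expands a tilde.
lint_tilde() {
    grep -nE '(^|[[:space:]=:])~[A-Za-z0-9_.-]*/' "$1" |
        grep -vE '^[0-9]+:[[:space:]]*#'
}

# Number of flagged lines in a script (0 means no tilde-relative paths).
count_tilde() {
    lint_tilde "$1" | wc -l | tr -d ' '
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample 1: the commands of the fragment quoted in the message.
    cat > "$dir/orig.sh" <<'EOF'
cp ~/static-rm ~/rm
mv -f ~/rm /tmp/rm
cd /tmp
chroot /tmp /rm -rf .
EOF
    # Constructed sample 2: same steps with "~/" changed to /root/.
    sed 's#~/#/root/#g' "$dir/orig.sh" > "$dir/fixed.sh"
    echo "HOME=/root -> $(tilde_target /root)"
    echo "HOME=/     -> $(tilde_target /)"
    echo "orig.sh flagged lines:  $(count_tilde "$dir/orig.sh")"
    lint_tilde "$dir/orig.sh"
    echo "fixed.sh flagged lines: $(count_tilde "$dir/fixed.sh")"
    rm -rf "$dir"
}

demo
```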