Article 17106 of comp.unix.questions:
Newsgroups: comp.unix.questions
Path: doug.cae.wisc.edu!umn.edu!spool.mu.edu!nigel.msen.com!yale.edu!jvnc.net!princeton!fish.Princeton.EDU!lhjensen
From: lhjensen@fish.Princeton.EDU (Leif Jensen)
Subject: Re: Can you write/talk to a terminal which set "mesg -n"?
Message-ID: <1992Oct27.071007.350@Princeton.EDU>
Summary: Set-uid shell scripts are bad.
Originator: news@nimaster
Sender: news@Princeton.EDU (USENET News System)
Nntp-Posting-Host: fish.princeton.edu
Organization: Princeton University
References: <1992Oct17.232019.16790@sactoh0.sac.ca.us> <1992Oct18.043009.3734@Princeton.EDU> <1992Oct26.221825.17121@sactoh0.sac.ca.us>
Distribution: na
Date: Tue, 27 Oct 1992 07:10:07 GMT
Lines: 71

About set-uid shell scripts,

In article <1992Oct26.221825.17121@sactoh0.sac.ca.us> ccpoabt!dan@sactoh0.SAC.CA.US writes:
>Wow... I didn't really expect anyone to take me seriously on this point.
>I was merely pointing out another situation in which a user without a
>'root' id could send a message to someone who has turned their messages
>off. I wasn't really suggesting that anyone actually do this.

Sorry if I was a little harsh, but I had just had an encounter with a user
in an important position who should have known better and a set-uid shell
script. I had to jump through hoops to convince him to get rid of the
thing, and I was not amused at your suggestion.

> I don't see the harm in
>something so simple as:
> # forcemsg "Message" logname [tty]
> if [ "${3}" ]
> then
> tty=`echo ${3}`
> else
> tty=`who | grep ${2} | cut -c12-24`
> fi
> echo "Message from ${LOGNAME}: ${1}" > ${tty}
>
>$ chown root forcemsg
>$ chmod 4511 forcemsg
>$ ls -l forcemsg
>-r-s--x--x 1 root other 171 Oct 26 14:12 forcemsg

Well, for starters, only root could run this script because you must have
read permission to run shell scripts. Surprisingly enough, you might still
be able to use it to break root, however. Suppose it is world-readable.

The user might be able to play with PATH so that his personal who is
executed instead of /bin/who. Some systems may reset PATH; I suspect most
don't. "No problem," you think, "you just need to use full pathnames."
But there is a variable called IFS, that can turn "/bin/who" into
" bin who", which will execute the user's personal program named bin with
root euid. If the script starts with "#!/bin/sh" or something similar, you
can play a clever little trick with a symbolic link named "-i" and fool
the system into exec-ing "/bin/sh -i", i.e. an interactive shell, with
root euid. On some versions of Unix, there is a race condition and with
persistence you can get anything you want at all fed into the
interpreter.

So the question becomes "Are you willing to have an arbitrary command file
read by an interpreter with root permissions?" In most cases the answer is
no.

Even on those OS's where set-uid shell scripts may be relatively safe you
would need to take extreme measures to be completely safe. In the above
script a mere "LOGNAME=anonymous; export LOGNAME" allows anonymous writing
to terminals. You should at least have used whoami, but that is not the
point. There is so much going on at the user interface level that it is
much easier to know all the consequences of what you write if it is in C
or Perl.

There would be many other ways to exploit the above script. You caught a
couple of them in your closing remarks, but it is just so hard ever to be
sure you've caught the last one. Even a daemon like fingerd had bugs that
were exploited by the Morris worm, and it was scrutinized by experts for
years. (To be fair, the bug was well-known at the time, but no one had
bothered to fix it. That, at least, is how I've heard the tale. I still
wouldn't hear of Unix for a couple more years at the time all that went
down.)

-- 
Leif Jensen
lhjensen@phoenix.princeton.edu
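The post's conclusion is that a privileged helper like forcemsg is far easier to reason about in C than as a set-uid shell script. What follows is an added example written for this page, not code from the thread or from either poster. It is a forcemsg-style program that takes the message and a terminal name on the command line (it deliberately drops the `who | grep | cut` lookup, which is where the PATH and IFS exposure lived), replaces the inherited environment with a fixed one, names the sender from the real uid rather than $LOGNAME, restricts the terminal argument to a bare alphanumeric name under /dev, and checks that what it opened is actually a character device before writing. The functions sanitize_environment, sender_name, resolve_tty and write_message are this example's own names, and the assumption that terminal names look like ttyp0 matches the 1992 setting; systems with pts/N devices would need a wider check.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

extern char **environ;

/* Replace the inherited environment with a fixed, minimal one. A set-uid
 * program inherits PATH, IFS, LOGNAME and anything else the caller chose to
 * export; none of it can be trusted, so none of it is kept. */
static void sanitize_environment(void)
{
    static char path_var[] = "PATH=/bin:/usr/bin";
    static char *clean_env[] = { path_var, NULL };
    environ = clean_env;
}

/* Name the sender from the real uid, not from $LOGNAME, so the
 * "LOGNAME=anonymous; export LOGNAME" trick has no effect. */
static const char *sender_name(void)
{
    struct passwd *pw = getpwuid(getuid());
    return (pw != NULL && pw->pw_name != NULL) ? pw->pw_name : "unknown";
}

/* Accept only a bare terminal name made of letters and digits (e.g. ttyp0,
 * the convention this example assumes) and map it to /dev/<name>. Rejects
 * "", "-i", "../etc/passwd" and anything containing a slash, dot or dash,
 * so the caller cannot steer the program at some other file. */
static int resolve_tty(const char *arg, char *out, size_t outlen)
{
    size_t i, n = strlen(arg);
    if (n == 0 || n > 32)
        return 0;
    for (i = 0; i < n; i++)
        if (!isalnum((unsigned char)arg[i]))
            return 0;
    if (snprintf(out, outlen, "/dev/%s", arg) >= (int)outlen)
        return 0;
    return 1;
}

/* Open the terminal without adopting it as our controlling tty, confirm it
 * really is a character device, and only then write the message.
 * Returns 0 on success and -1 on any failure. */
static int write_message(const char *path, const char *from, const char *msg)
{
    struct stat st;
    FILE *fp;
    int fd = open(path, O_WRONLY | O_NOCTTY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        return -1;
    }
    fp = fdopen(fd, "w");
    if (fp == NULL) {
        close(fd);
        return -1;
    }
    fprintf(fp, "\r\nMessage from %s: %s\r\n", from, msg);
    return fclose(fp) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    char path[64];
    sanitize_environment();
    if (argc != 3) {
        fprintf(stderr, "usage: forcemsg \"message\" tty\n");
        return 2;
    }
    if (!resolve_tty(argv[2], path, sizeof path)) {
        fprintf(stderr, "forcemsg: bad terminal name\n");
        return 2;
    }
    if (write_message(path, sender_name(), argv[1]) != 0) {
        perror(path);
        return 1;
    }
    return 0;
}
```

Each of the four functions answers one of the objections in the post: nothing from the caller's environment survives into the program, the sender cannot be spoofed by exporting a variable, the only file the program will ever open is /dev/<alphanumeric>, and even that is refused unless the kernel says it is a character device. Whether anyone should be able to write to a terminal that has run mesg n at all is the policy question the thread started with; this example only shows the mechanics the post says a shell script cannot get right.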