issuhub.com

ugh.book

(singke) #1

246 Security


AT&T was so pleased with the SUID concept that it patented it. The intent

was that SUID would simplify operating system design by obviating the

need for a monolithic subsystem responsible for all aspects of system secu-

rity. Experience has shown that most of Unix's security flaws come from

SUID programs.

When combined with removable media (such as floppy disks or SyQuest

drives), SUID gives the attacker a powerful way to break into otherwise

“secure” systems: simply put a SUID root file on a floppy disk and mount

it, then run the SUID root program to become root. (The Unix-savvy reader

might object to this attack, saying that mount is a privileged command that

requires superuser privileges to run. Unfortunately, many manufacturers

now provide SUID programs for mounting removable media specifically to

ameliorate this “inconvenience.”)

SUID isn’t limited to the superuser—any program can be made SUID, and

any user can create an SUID program to assume that user’s privileges when

it is run (without having to force anybody to type that user’s password). In

practice, SUID is a powerful tool for building traps that steal other users’

privileges, as we’ll see later on.

The Cuckoo’s Egg

As an example of what can go wrong, consider an example from Cliff

Stoll’s excellent book The Cuckoo’s Egg. Stoll tells how a group of com-

puter crackers in West Germany broke into numerous computers across the

United States and Europe by exploiting a “bug” in an innocuous utility,

called movemail, for a popular Unix editor, Emacs.

When it was originally written, movemail simply moved incoming pieces

of electronic mail from the user’s mailbox in /usr/spool/mail to the user’s

home directory. So far, so good: no problems here. But then the program

was modified in 1986 by Michael R. Gretzinger at MIT’s Project Athena.

Gretzinger wanted to use movemail to get his electronic mail from

Athena’s electronic post office running POP (the Internet Post Office

Protocol). In order to make movemail work properly with POP, Gretzinger

found it necessary to install the program SUID root. You can even find

Gretzinger’s note in the movemail source code:

/*

* Modified January, 1986 by Michael R. Gretzinger (Project Athena)

*

* Added POP (Post Office Protocol) service. When compiled -DPOP

* movemail will accept input filename arguments of the form

* "po:username". This will cause movemail to open a connection to

* a pop server running on $MAILHOST (environment variable).

* Movemail must be setuid to root in order to work with POP.
Free download pdf
Get our desktop app
Company
Features
Documentation
Resources
© ISSUHUB. 2024. All rights reserved.