ugh.book

(singke) #1

246 Security


AT&T was so pleased with the SUID concept that it patented it. The intent
was that SUID would simplify operating system design by obviating the
need for a monolithic subsystem responsible for all aspects of system secu-
rity. Experience has shown that most of Unix's security flaws come from
SUID programs.
When combined with removable media (such as floppy disks or SyQuest
drives), SUID gives the attacker a powerful way to break into otherwise
“secure” systems: simply put a SUID root file on a floppy disk and mount
it, then run the SUID root program to become root. (The Unix-savvy reader
might object to this attack, saying that mount is a privileged command that
requires superuser privileges to run. Unfortunately, many manufacturers
now provide SUID programs for mounting removable media specifically to
ameliorate this “inconvenience.”)
SUID isn’t limited to the superuser—any program can be made SUID, and
any user can create an SUID program to assume that user’s privileges when
it is run (without having to force anybody to type that user’s password). In
practice, SUID is a powerful tool for building traps that steal other users’
privileges, as we’ll see later on.

The Cuckoo’s Egg

As an example of what can go wrong, consider an example from Cliff
Stoll’s excellent book The Cuckoo’s Egg. Stoll tells how a group of com-
puter crackers in West Germany broke into numerous computers across the
United States and Europe by exploiting a “bug” in an innocuous utility,
called movemail, for a popular Unix editor, Emacs.

When it was originally written, movemail simply moved incoming pieces
of electronic mail from the user’s mailbox in /usr/spool/mail to the user’s
home directory. So far, so good: no problems here. But then the program
was modified in 1986 by Michael R. Gretzinger at MIT’s Project Athena.
Gretzinger wanted to use movemail to get his electronic mail from
Athena’s electronic post office running POP (the Internet Post Office
Protocol). In order to make movemail work properly with POP, Gretzinger
found it necessary to install the program SUID root. You can even find
Gretzinger’s note in the movemail source code:
/*
* Modified January, 1986 by Michael R. Gretzinger (Project Athena)
*
* Added POP (Post Office Protocol) service. When compiled -DPOP
* movemail will accept input filename arguments of the form
* "po:username". This will cause movemail to open a connection to
* a pop server running on $MAILHOST (environment variable).
* Movemail must be setuid to root in order to work with POP.
Free download pdf