ugh.book

Holes in the Armor 247

*
* ...
*/

There was just one problem: the original author of movemail had never
suspected that the program would one day be running SUID root. And
when the program ran as root, it allowed the user whose mail was being
moved to read or modify any file on the entire system. Stoll’s West German
computer criminals used this bug to break into military computers all
over the United States and Europe at the behest of their KGB controllers.


Eventually the bug was fixed. Here is the three-line patch that would have
prevented this particular break-in:


/* Check access to output file. */
if (access(outname,F_OK)==0 &&
    access(outname,W_OK)!=0)
  pfatal_with_name (outname);

It’s not a hard patch. The problem is that movemail itself is 838 lines
long—and movemail itself is a minuscule part of a program that is nearly
100,000 lines long. How could anyone have audited that code before they
installed it and detected this bug?


The Other Problem with SUID


SUID has another problem: it gives users the power to make a mess, but not
to clean it up. This problem can be very annoying. SUID programs are
(usually) SUID to do something special that requires special privileges.
When they start acting up, or if you run the wrong one by accident, you
need a way of killing it. But if you don’t have superuser privileges yourself,
you are out of luck:


Date: Sun, 22 Oct 89 01:17:19 EDT
From: Robert E. Seastrom <[email protected]>
To: UNIX-HATERS
Subject: damn setuid

Tonight I was collecting some info on echo times to a host that’s on
the far side of a possibly flakey gateway. Since I have better things to
do than sit around for half an hour while it pings said host every 5
seconds, I say:

% ping -t5000 -f 60 host.domain > logfile &