security hole in man
Any comment from this list?
Can this approach be a solution to the attack scenario?
----- Forwarded message from Fabrizio Polacco <fab@prosa.it> -----
Date: Wed, 26 Jan 2000 11:38:35 +0200
From: Fabrizio Polacco <fab@prosa.it>
To: Greg Stark <gsstark@mit.edu>
Subject: Re: security hole in man
On Mon, Jan 24, 2000 at 04:36:14AM -0500, Greg Stark wrote:
>
> > Debian's /usr/bin/man is setuid "man", not setuid "root".
>
> This should not be viewed as a cure-all.
> In fact it doesn't really offer much added security over being setuid root.
Well, it surely offers _more_ security.
> An attacker that gained access as user
> "man" could then modify the man binary itself and wait until root runs it.
Good point.
Maybe not for the "man" program itself, but for the companion mandb,
which is run also by cron.
> setgid is generally safer since a file can be unwritable by its group.
> Whereas the owner of a file can always chmod it writable.
> I'm not sure what the details are of why our man is setuid.
It has to deal with removing and adding dirs and files in the cache,
running as different users.
It has been created setuid and not setgid by its author, and I see a
_lot_ of changes to be made in the sources to make it setgid instead.
A different approach would be to wrap the calls to man and mandb around
a script like this:
--------------------cut---
#!/bin/sh -e
pgm=`basename "$0"`
edir=/usr/lib/man-db
# one string for su -c: the shell started by su re-splits the arguments
cmd="exec ${edir}/${pgm} $*"
# invoked by root? drop to the unprivileged "man" user before running the setuid binary
test -w /root && exec su man -c "${cmd}"
exec "${edir}/${pgm}" ${1+"$@"}
--------------------end---
man-db could install this script as /usr/bin/man and /usr/bin/mandb
(as hard links)
-rwxr-xr-x 2 root root 144 Jan 26 11:28 man*
-rwxr-xr-x 2 root root 144 Jan 26 11:28 mandb*
and put the real binaries in /usr/lib/man-db setuid, but never executed
by root (until someone does it on purpose :-)
-rwsr-xr-x 1 man root 82780 Oct 28 19:21 /usr/lib/man-db/man*
-rwsr-xr-x 1 man root 65760 Oct 28 19:21 /usr/lib/man-db/mandb*
man-db already ships private executables in /usr/lib/man-db.
What do you think?
Could this be an improvement on security?
As I see, root will never execute the setuid binaries.
This approach has the advantage that I can easily set it up and let it
go into frozen.
cheers,
fab
--
| fab@pukki.ntc.nokia.com fpolacco@prosa.it fpolacco@debian.org
| 6F7267F5 fingerprint 57 16 C4 ED C9 86 40 7B 1A 69 A1 66 EC FB D2 5E
| fabrizio.polacco@nokia.com gsm: +358 (0)40 707 2468
----- End forwarded message -----
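The permission argument in the mail (a setuid binary owned by "man" can be chmod'ed writable and rewritten by whoever gets the "man" account; a setgid binary is only safe while its group cannot write it) can be turned into a check. The following is an added example, not code from the thread or from man-db: it audits a directory tree for setuid files owned by anyone other than a trusted uid and for setgid files that are group-writable, and builds a throwaway copy of the proposed /usr/bin + /usr/lib/man-db layout under mktemp to run against. The function names, the REASON labels and the demo tree are my own constructions.

```sh
#!/bin/sh
# Added example (not from the thread): audit a tree for privileged binaries
# whose permission bits let a non-root principal replace them.
#
#  - setuid files owned by someone other than $trusted_uid: the owner can
#    chmod them writable and rewrite them (the objection to setuid "man").
#  - setgid files that are group-writable: members of the group can rewrite
#    them (setgid only helps while the file stays non-writable by its group).
#
# Prints one "REASON path" line per finding, sorted. Uses only POSIX find.
audit_privileged() {
    dir=$1
    trusted_uid=$2
    {
        find "$dir" -type f -perm -4000 ! -user "$trusted_uid" -print 2>/dev/null \
            | sed 's/^/SETUID-NONROOT-OWNER /'
        find "$dir" -type f -perm -2000 -perm -0020 -print 2>/dev/null \
            | sed 's/^/SETGID-GROUP-WRITABLE /'
    } | sort
}

# Constructed demo tree mirroring the layout proposed in the mail. Everything
# lives under a temporary directory; the real /usr/lib/man-db is not touched.
make_demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/usr/bin" "$base/usr/lib/man-db"
    for f in usr/bin/man usr/bin/mandb usr/lib/man-db/man usr/lib/man-db/mandb; do
        printf '#!/bin/sh\n' > "$base/$f"
    done
    chmod 0755 "$base/usr/bin/man" "$base/usr/bin/mandb"   # plain wrappers, no bits
    chmod 4755 "$base/usr/lib/man-db/man"                   # setuid, owned by us (plays "man")
    chmod 2775 "$base/usr/lib/man-db/mandb"                  # setgid and group-writable
    echo "$base"
}

# Pick a "trusted" uid that is not the account running this demo, so the files
# created above count as owned by an untrusted user, like a setuid-"man" binary.
other_uid() {
    if [ "$(id -u)" -eq 0 ]; then echo 65534; else echo 0; fi
}

# Stand-alone run: build the tree, audit it, clean up.
demo() {
    base=$(make_demo_tree)
    audit_privileged "$base" "$(other_uid)"
    rm -rf "$base"
}

demo
```

Against the demo tree the audit reports exactly the two private binaries (the setuid one for its non-root owner, the setgid one for being group-writable) and nothing for the /usr/bin wrappers, which carry no privilege bits. Run on a real system as root with trusted uid 0 (for example `audit_privileged /usr 0`), it lists every setuid file whose owner could replace it, which is the case the mail is worried about.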