
Re: su - user question



On Sun, 2002-01-20 at 15:16, Kevin Littlejohn wrote:
> On Sun, Jan 20, 2002 at 02:45:53PM +1300, Adam Warner wrote:
> > Can anyone provide a plausible scenario for how someone might be able to
> > gain root level access because su - has been used to switch to a user
> > account. Martin has already answered that your tty session would have to
> > be stolen. How can you steal a tty session using only remote means?
> 
> The only thing I can think of off-hand is the old "tty bomb" approach -
> because you're running as the user at that point, your /dev/tty will likely
> have appropriate perms for the user to write to it, and they could
> conceivably send you escape sequences that may trigger strange behaviour
> at your client end.  There used to be a sequence that'd trigger the
> execution of arbitrary commands in ansi terminals - that's been closed,
> but it flags one possible spot, I guess.
> 
> Alternately, the user may be able to write spurious info to your terminal.
> That in itself could cause you to behave differently, although whether it
> could be leveraged to root-level access or not is something else altogether.
> 
> Finally, "su -" will execute the user's own profile - which means you're
> executing user-controlled scripts, which may do interesting things like
> setup something to intercept and log keypresses etc.  At the very least,
> su without the - is probably called for if you mistrust the user.

Thanks for those possibilities, Kevin. Perhaps you or someone else could
expand on the first two as to how the switch user part could assist in
gaining root access. In your last paragraph I don't see how using su -
would make any difference in regard to the execution of user-controlled
scripts compared to just logging in as the user.

Here's a scenario where using su - could be less risky than always
logging in as a user:

First assume there is a local root vulnerability in the operating
systems of two computers that can be accessed once a user level account
has been obtained.

Second, assume that the root passwords of both systems are very strong.

Third, assume that the systems are logged into locally by a
user/administrator. However, they are connected to the Internet and are
providing Internet services (it's not the best security practice to
allow remote logins when they are not necessary, but it's still a
plausible scenario).

In the first system the administrator sets up a user account with an
easy-to-remember password. Over time a cracker is able to guess this
password and obtain local user and then root access to the computer.

In the second system the administrator sets up a user account with a
randomly generated dual-case alphanumeric password. The administrator
has to write this password down to remember it. Consulting the document
is a hassle so he/she decides to use su - to log in as the user instead.
The remote cracker is never able to guess the user password and obtain
user (then root) access to the system.

This indicates to me that the increased risks of using su - to log in as
a user may be offset by the decreased risks of a superior user password
that you actually have to write down and consult to remember.

Or, to put it another way, in some circumstances it may be superior for an
administrator/user to only have to remember one long password than
trying to remember two potentially less effective passwords. The user
password can even be _unknown_ to the user.

Yes, this sounds heretical.

Regards,
Adam
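Kevin's tty point above in practice, as an added example (my own Python, not code from anyone in this thread): a check of whether your controlling tty is group- or world-writable (the 'mesg y' state that lets another process on the box write into your session), and a filter that strips 7-bit escape sequences and control bytes from untrusted text before it reaches your terminal. The set of sequences handled (CSI, OSC, other two-byte ESC pairs) is my assumption of what matters most; 8-bit C1 introducers are not covered.

```python
import os
import re
import stat
import sys

# Sequences a terminal interprets rather than displays (7-bit forms only):
#   CSI  ESC [ params intermediates final   (cursor moves, colours, reports)
#   OSC  ESC ] text BEL | ESC \             (window title, clipboard, etc.)
#   any other two-byte ESC sequence
_ESCAPE_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b.",
    re.DOTALL,
)
# C0 controls other than tab, LF and CR, plus DEL.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def strip_terminal_escapes(text: str) -> str:
    """Return text with escape sequences and stray control bytes removed, so
    untrusted output (another user's files, a log line) cannot drive the terminal."""
    return _CONTROL_RE.sub("", _ESCAPE_RE.sub("", text))


def tty_writable_by_others(mode: int) -> bool:
    """True if st_mode describes a character device that group or others may
    write to, i.e. the state that lets other processes inject bytes into it."""
    return stat.S_ISCHR(mode) and bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def main() -> None:
    if not os.isatty(sys.stdin.fileno()):
        print("stdin is not a terminal; nothing to check")
        return
    path = os.ttyname(sys.stdin.fileno())
    mode = os.stat(path).st_mode
    if tty_writable_by_others(mode):
        state = "writable by group/others (consider 'mesg n')"
    else:
        state = "writable only by its owner"
    print(f"{path}: {stat.filemode(mode)} -> {state}")
    # Constructed sample: an OSC that would retitle the window, then plain text.
    print(repr(strip_terminal_escapes("\x1b]0;spoofed title\x07ok")))


if __name__ == "__main__":
    main()
```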
