
Re: Linux Virus



On Sat, Mar 31, 2001 at 11:06:31PM -0800, Karsten M. Self wrote:
> on Sat, Mar 31, 2001 at 08:45:25AM -0600, John Hasler (john@dhh.gt.org) wrote:
> > Ethan Benson writes:
> > > cat <<EOF >> ~/.bashrc
> > > alias su='su -c ~/.virus'
> > > EOF
> > 
> > su might benefit from a configuration file that sets the permissible path
> > for -c.
> > 
> > Another possible fix might be for bash to somehow detect "gain-root"
> > commands and refuse to alias them.
> 
> Nope.
> 
> sudo provides this functionality.  'su' allows you to become an
> effective user.  To use 'su' to execute root commands, you require the
> root password.  What, exactly, are you protecting against.

my trick would work on sudo as well, at least the way most people
configure it -- by adding a line like this:

theirusername	ALL=(ALL) ALL

in which case they can use sudo to execute ANYTHING as root. so...

cat <<EOF >> ~/.bashrc
alias sudo='sudo ~/.virus'
EOF

same thing as su, if the account we added this to is the admin of the
machine and they use su to gain root and perform the administrative
task they needed to perform, and they just type `su' at their command
prompt they will get a password: prompt as usual and will enter the
root password, but in reality they just executed:

su -c ~/.virus  (see the su man page to see what this does.)

now if the admin does everything via sudo instead of using short su
sessions they will need an ALL=ALL line like above.  so next time they
sudo something, say:

sudo apt-get update

the shell will instead run

sudo ~/.virus

and sudo will ask the password and happily run ~/.virus as root.  

> Better, IMO, to use sudo to invoke su, and restrict rights to do so to
> specified users.

what does this buy you?  see above.  this is in fact less secure IMO,
since it turns ordinary user passwords into the root password.  if you
want to restrict who is allowed to go to root, invoke the `wheel' group
policy.

> For restricted commands access, use the tool designed for this task,
> sudo.

my point is that if the admin's account is the one getting the nice
shell alias dropped into, the next time they perform an administrative
command -- however they accomplish it, either sudo or su -- they will
potentially run the virus/trojan as root.

in the case of an ordinary user who is allowed to run ONLY a very small
handful of very safe unrootable programs via sudo this alias trick
will fail.  at least assuming you specify the absolute pathname to the
command in /etc/sudoers.

sudo with an ALL=ALL entry is just as dangerous (more so IMO, because
it turns user passwords into multiple root passwords) than su.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
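The check an admin would want after reading the above is whether their own start-up files already carry an alias or shell function that shadows su or sudo. The following POSIX shell script is an added example and is not part of the original message or of any project discussed in it: it writes two constructed rc files (one modelled on the alias lines in the mail, one harmless), scans them for redefinitions of su/sudo/doas in alias, `name()` and `function name` form, and reports how the running shell resolves those names. The list of command names, the list of rc files and the regular expression are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail: scan a shell start-up file for
# aliases or functions that redefine su/sudo/doas (the trick described in
# the mail) and show how the current shell resolves those names.

# Constructed sample ~/.bashrc, modelled on the alias lines from the mail
# plus the equivalent shell-function forms.  Written to a temp file so the
# script runs offline without touching the real home directory.
SAMPLE_RC=$(mktemp)
cat > "$SAMPLE_RC" <<'EOF'
export PATH="$HOME/bin:$PATH"
alias ll='ls -l'
alias su='su -c ~/.virus'
alias sudo='sudo ~/.virus'
sudo() { /usr/bin/sudo ~/.virus "$@"; }
function su { command su -c ~/.virus; }
EOF

# Second constructed rc file with only harmless definitions, to check that
# ordinary aliases are not flagged.
BENIGN_RC=$(mktemp)
cat > "$BENIGN_RC" <<'EOF'
export PATH="$HOME/bin:$PATH"
alias ll='ls -l'
alias grep='grep --color=auto'
EOF
trap 'rm -f "$SAMPLE_RC" "$BENIGN_RC"' EXIT

# Names whose redefinition in an rc file deserves a look.  This set is an
# assumption of the example, not something the mail specifies.
PRIV_CMDS='su|sudo|doas'

# ERE matching the three ways an rc file can shadow a command:
#   alias NAME=...      NAME() { ... }      function NAME { ... }
WRAPPER_RE="^[[:space:]]*(alias[[:space:]]+($PRIV_CMDS)=|(function[[:space:]]+)?($PRIV_CMDS)[[:space:]]*\(\)|function[[:space:]]+($PRIV_CMDS)([[:space:]]|\{|\$))"

# find_priv_wrappers FILE: print, with line numbers, every line of FILE that
# aliases or defines a function for one of PRIV_CMDS.  Exit 0 if any found.
find_priv_wrappers() {
    grep -nE "$WRAPPER_RE" "$1"
}

# count_priv_wrappers FILE: number of such lines, as a bare integer (0 when
# none; grep's exit status is swallowed so callers can use set -e).
count_priv_wrappers() {
    grep -cE "$WRAPPER_RE" "$1" || true
}

# scan_rc_files: the real check, over the files bash reads at start-up in
# the caller's home directory.  Missing files are skipped.  The file list is
# an assumption; add whatever your shell actually sources.
scan_rc_files() {
    for f in "$HOME/.bashrc" "$HOME/.bash_profile" "$HOME/.profile" "$HOME/.bash_aliases"; do
        [ -f "$f" ] && find_priv_wrappers "$f" | sed "s|^|$f:|"
    done
    return 0
}

# how_resolved NAME: report what the *current* shell would run for NAME.
# An alias or function wins over the binary on PATH.  Aliases are only
# expanded in interactive shells, so from a script this shows functions and
# PATH lookups; run it at the prompt to see aliases as well.
how_resolved() {
    type "$1" 2>/dev/null || echo "$1: not found"
}

echo "== suspicious definitions in the constructed sample rc =="
find_priv_wrappers "$SAMPLE_RC"
echo "== suspicious definitions in the benign sample rc: $(count_priv_wrappers "$BENIGN_RC") =="
echo "== suspicious definitions in this user's real rc files =="
scan_rc_files
echo "== how this shell resolves su and sudo =="
how_resolved su
how_resolved sudo
```

Typing `command sudo ...` or the absolute path `/usr/bin/sudo ...` bypasses an alias and a function of the same name, and `\sudo` bypasses an alias only, so these habits catch the exact trick in the mail. They are not a fix, though: once an attacker can write to the admin's rc files they can also redefine `command`, prepend to PATH, or redefine `grep` so that the scan above lies, which is the mail's underlying point that an admin account that has been written to cannot be trusted to escalate safely by any means.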
