Bugtraq mailing list archives

Re: bin owned system files


From: jenkins () DPW COM (Colin Jenkins)
Date: Fri, 26 Jul 1996 09:35:12 EDT


Bob Adams wrote:
Are there any known problems/bugs/etc.
with "root" executing system binaries
owned by "bin" as long as the "bin"
account is disabled in /etc/passwd.
(i.e. * for password and /bin/false
for the shell).
Bob Adams                               Eastman Kodak Company

A couple of problems come to mind.  First, I firmly believe that /bin/false
and /bin/true are huge security holes.  On most systems these are shell
scripts that call /bin/sh and exit() with a value.  This means that your
"disabled" "bin" account actually does get a shell.  On my Solaris 2.5
system, I can do something like this:

    $ /bin/sh
    $ mkdir -p /tmp/test; cd /tmp/test
    $ cat > xit
    #!/bin/sh
    \echo work\ed!!!!!!!
    ^D
    $ chmod 755 xit
    $ IFS=e; \export IFS
    $ PATH=.; \export PATH
    $ /bin/fals\e
    worked!!!!!!!

By itself, this is not an exploit, but it illustrates some intermediate steps
that an intruder might take to crack your system.  I am surprised that these
two programs never seem to be pointed out as security holes.  I suppose that
by themselves they are not, but since they are frequently linked to programs
that people want to "disable" (like login shells) I suspect there are
plenty of hacking opportunities for people looking for intermediate doors
into systems.

Does anyone know why these programs are not one-line C programs:

        #include <stdlib.h>
        int main(void) { exit(0); }     /* /bin/true (its own program) */
        int main(void) { exit(255); }   /* /bin/false (its own program) */

Finally, if your system exports any of its file systems via NFS and allows
write access to remote clients you are vulnerable.  Remote users with access
to their local bin accounts can change your system files.  If your files are
owned by root, then remote systems will not have write access to them unless
you explicitly grant it.

I don't think "bin" ownership is necessarily a bad idea; I find it convenient
for pinpointing setuid programs in long file listings and so on, but if tight
security is your goal, root ownership might be a better choice.


                                                Colin
                                                jenkins () dpw com
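An added example, not part of Colin's post and not any vendor's tool: a POSIX sh audit for the first problem he raises, namely accounts that are "disabled" by pointing their login shell at /bin/false or /bin/true while that file is really a shell script. It classifies each account's shell by its magic bytes ("#!" script, ELF binary, or neither, which the Bourne shell will interpret anyway on ENOEXEC) and reports every account whose shell is not a compiled binary. The passwd entries, the fake ELF headers, the `ROOT` prefix and the `demo` function are constructed for this example; run it against a real /etc/passwd with `audit_shells /etc/passwd`. It does not try to replay the IFS trick from the post, which depends on the old Bourne shell splitting command words on IFS.

```shell
#!/bin/sh
# Added example, not from the original post: audit a passwd file for accounts
# whose "disabling" login shell is really a shell script (or a shebang-less
# Bourne script that sh will run on ENOEXEC) rather than a compiled binary.
# ROOT is a directory prefix prepended to every shell path so the check can
# be run against a constructed tree instead of the live system.

# is_script FILE: true if FILE starts with the "#!" interpreter magic.
is_script() {
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = '#!' ]
}

# is_elf FILE: true if FILE starts with the ELF magic 7f 45 4c 46.
is_elf() {
    [ "$(od -An -t x1 -N 4 "$1" 2>/dev/null | tr -d ' \n')" = 7f454c46 ]
}

# shell_kind FILE: prints script, binary, other (no recognised magic, which
# the Bourne shell interprets anyway) or missing.
shell_kind() {
    if [ ! -f "$1" ]; then echo missing
    elif is_script "$1"; then echo script
    elif is_elf "$1"; then echo binary
    else echo other
    fi
}

# audit_shells PASSWD [ROOT]: print "user shell kind" for every account whose
# login shell is not a compiled binary; returns 1 if any such account exists.
audit_shells() {
    passwd=$1
    root=${2:-}
    found=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        case $user in ''|'#'*) continue ;; esac
        [ -n "$shell" ] || shell=/bin/sh     # empty field means /bin/sh
        kind=$(shell_kind "$root$shell")
        [ "$kind" = binary ] && continue
        printf '%s %s %s\n' "$user" "$shell" "$kind"
        found=1
    done < "$passwd"
    [ "$found" -eq 0 ]
}

# demo: build a constructed root with a script /bin/false (as on the poster's
# Solaris 2.5), a shebang-less /bin/true and fake ELF binaries, then audit it.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/usr/sbin"
    printf '#!/bin/sh\nexit 255\n' > "$tmp/bin/false"
    printf 'exit 0\n'               > "$tmp/bin/true"
    printf '\177ELF\002\001\001'    > "$tmp/bin/sh"           # fake ELF header
    printf '\177ELF\002\001\001'    > "$tmp/usr/sbin/nologin" # fake ELF header
    printf '%s\n' 'root:x:0:0::/:/bin/sh' \
                  'bin:*:2:2::/usr/bin:/bin/false' \
                  'daemon:*:1:1::/:/usr/sbin/nologin' \
                  'nobody:*:60001:60001::/:/bin/true' > "$tmp/passwd"
    audit_shells "$tmp/passwd" "$tmp" && rc=0 || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

[ "${1:-}" = demo ] && demo
```

Invoked as `sh audit.sh demo`, the constructed tree yields two findings, `bin /bin/false script` and `nobody /bin/true other`, and a nonzero exit status; the ELF-backed root and daemon shells are not reported.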


