Bugtraq mailing list archives
Re: Why you should avoid world-writable directories
From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Tue, 22 Dec 1998 22:19:27 +1100
In some mail from D. J. Bernstein, sie said:
1. Anonymous snooping SECURITY HOLE: Any local user can stat() files in the IBM Secure Mailer drop directory. IMPACT: Any local user can anonymously inspect the uids and sizes of new messages. It doesn't matter how well the system administrator has protected his process list, mail logs, and message transport mechanisms; private information is freely available in the IBM Secure Mailer queue.
Don't know about you, but when I'm not root on a machine which I use for mail, being able to view the queue in its entirity is akin to being able to use something like "ps" and see all processes, including ones which don't belong to you. Basically, "who cares" about anonymous snooping. Unless you're in a highly secure and compartmentalized environment where you need to worry about cover channels, I can't see whether it matters that queue files are inspected directly or indirectly. Then again, I don't want to be so paranoid that I actually care. If "they" want to know then the chances are "they" will find out regardless of what I do. [...]
5. Technical notes
[...]
Certainly setuid programs require a great deal of care. They've been involved in many security disasters, though far fewer than (for example) world-writable directories. The security community would love to see another portable IPC mechanism offering guaranteed user identification. (I suggest that kernels add a getpeeruid() system call, showing the real uid that called connect(), for UNIX-domain sockets and for loopback TCP sockets.) However, while we're waiting, we need a few setuid programs.
One is given to wonder why they're required at all, save for the obvious performance benefit. Why not even have the local queuing performed over smtp ? (btw, some systems already have a more enhanced getpeeruid() available for Unix-domain sockets - doesn't readily extend itself to being applied to TCP/UDP though). I'm surprised that you didn't mention the possibilities of file descriptor passing here. Surely fstat() on an open file passed from the program with the file to queue to the queue daemon would achieve the same result. If the process passing the fd (as the user) has been able to open the file, then surely that implies they have authority to send it via mail. Of course that opens avenues of exploit up for programs which spawn subshells without revoking all privs/closing all files opened with privs :) Darren
Current thread:
- Verifying file data integrity using L6 gilbert () PGCI CA (Dec 17)
- Re: Verifying file data integrity using L6 Ng Pheng Siong (Dec 18)
- <Possible follow-ups>
- Re: Verifying file data integrity using L6 James R Grinter (Dec 20)
- Re: Verifying file data integrity using L6 Marc SCHAEFER (Dec 20)
- Re: Verifying file data integrity using L6 Curt Sampson (Dec 21)
- Why you should avoid world-writable directories D. J. Bernstein (Dec 21)
- Re: Why you should avoid world-writable directories Darren Reed (Dec 22)
- Re: Why you should avoid world-writable directories Alan Cox (Dec 22)
- Re: Why you should avoid world-writable directories Casper Dik (Dec 23)
- Re: Why you should avoid world-writable directories Martin Forssen (Dec 23)
- Linux PAM (up to 0.64-2) local root compromise Michal Zalewski (Dec 23)
- Re: Linux PAM (up to 0.64-2) local root compromise Savochkin Andrey Vladimirovich (Dec 24)
- 3COM Documentation backdoors in CB3500 Pedro Ribeiro (Dec 23)
- New perl module Net::RawIP Sergey V. Kolychev (Dec 22)
- Update on Cisco IOS 12.0 security bug John Bashinski (Dec 22)
- Re: New perl module Net::RawIP route () RESENTMENT INFONEXUS COM (Dec 22)
- [SecureXpert Labs Advisory SX-98.12.23-01] Widespread DoS Richard Reiner (Dec 23)