Great Circle Associates Majordomo-Workers
(August 2000)
 


Subject: Re: Mj2: Re: demonstration: setuid wrappers are insecure?
From: SRE <eckert @ climber . org>
Date: Tue, 29 Aug 2000 06:36:16 -0700
To: Jason L Tibbitts III <tibbs @ math . uh . edu>
Cc: majordomo-workers @ GreatCircle . COM, mj2-dev @ csf . colorado . edu
In-reply-to: <ufahf84lpwq.fsf@epithumia.math.uh.edu>
References: <SRE's message of "Mon, 28 Aug 2000 17:04:38 -0700"><Dave Hayes's message of "Mon, 28 Aug 2000 01:30:39 -0700"><200008280830.BAA26974@hokkshideh.jetcafe.org><4.3.1.0.20000828164001.00ce7c90@pop.climber.org>

At 08:14 PM 8/28/00, Jason L Tibbitts III wrote:
>It runs this script as you.  So you don't get to do anything that you
>couldn't do in the first place.

Hmmm. I thought this was a setuid script. If it sometimes runs as the
server id and sometimes runs as the user id, I'm surprised and confused.
Hopefully it will always run as the user id when it's doing anything
that might be unsafe. I dunno how to verify one way or the other.

>That's the whole point of paying attention to EDITOR.  You're making it do
>what it is supposed to be doing.
[snip]
>Anything is possible, but your example isn't useful in showing this one way
>or the other.

It's never possible to prove something doesn't exist, so no one can ever
say any program is totally safe. I understand that. What I'm not clear on
is why it's desirable to let arbitrary environment variables exist when
there is so much code that no one has ever scanned for defects. All the
CPAN modules required by Mj2 get updated regularly, and I don't know what
back doors have been left in them by the various authors. I do know that
I was unaware of the EDITOR variable's use in Mj2 until I scanned the code
for %ENV, so I presume there are similar environment variables I still
don't know about in Mj2 and in the modules it uses.

My only concern was that the issue receive a full hearing. I'm not the
one who should say what the final decision is. I'm sort of between you
and my sysadmin, trying to make everyone happy.

Is there a list of environment variables that are INTENTIONALLY used
by Mj2? What would happen if an anxious system administrator re-wrote
the wrappers to delete all environment variables and change BOTH the
effective and real uid/gid? If no damage is done by being more
conservative, how about a "paranoid" option during install that sets
the wrappers up more conservatively?

SRE

mailto:eckert@climber.org | http://www.climber.org/eckert/
Info on peak climbing email lists mailto:info@climber.org

       It may be that your whole purpose in life
       is simply to serve as a warning to others.
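
The "paranoid" wrapper the message asks about, as an added example that is not part of this thread or of Majordomo's own wrapper code: it replaces the caller's environment with a fixed allowlist (so EDITOR and anything else unknown simply never reaches the script) and drops BOTH the real and effective uid/gid, then checks that the drop is permanent. The script path and the allowlist contents are hypothetical.

```c
/* Added example (not Majordomo's wrapper): a conservative setuid wrapper
 * skeleton. Identifiers and the script path below are hypothetical. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* Fixed, trusted environment handed to the script. Nothing from the caller
 * (EDITOR, PERL5LIB, LD_*, ...) is copied, so nothing needs to be scanned for. */
static char *clean_env[] = {
    "PATH=/usr/bin:/bin",
    "SHELL=/bin/sh",
    NULL
};

/* Return 1 if a variable called NAME (NAME=...) is present in ENV, else 0. */
int env_has(char *const *env, const char *name) {
    size_t n = strlen(name);
    for (; env && *env; env++)
        if (strncmp(*env, name, n) == 0 && (*env)[n] == '=')
            return 1;
    return 0;
}

/* Drop to uid/gid for the real, effective and saved ids. Groups and gid go
 * first, while still privileged. Returns 0 on success, -1 if any step fails
 * or the resulting ids show the drop was not permanent. */
int drop_privileges_permanently(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1; /* supplementary groups */
    if (setgid(gid) != 0) return -1;  /* as root: sets real, effective and saved gid */
    if (setuid(uid) != 0) return -1;  /* as root: sets real, effective and saved uid */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* must NOT be able to get root back */
    return 0;
}

int main(void) {
    /* A real wrapper would use the server's configured uid/gid here. */
    if (drop_privileges_permanently(getuid(), getgid()) != 0) { perror("drop"); return 1; }
    char *args[] = { "/usr/local/majordomo/mj_shell", NULL };  /* hypothetical path */
    execve(args[0], args, clean_env);  /* only the allowlisted environment is passed */
    perror("execve");
    return 1;
}
```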
