Great Circle Associates Majordomo-Workers
(August 2000)

Subject: Re: Mj2: Re: demonstration: setuid wrappers are insecure?
From: Jason L Tibbitts III <tibbs @ math . uh . edu>
Date: 29 Aug 2000 09:40:36 -0500
To: majordomo-workers @ GreatCircle . COM, mj2-dev @ csf . colorado . edu
In-reply-to: SRE's message of "Tue, 29 Aug 2000 06:36:16 -0700"
References: <SRE's message of "Mon, 28 Aug 2000 17:04:38 -0700"> <Dave Hayes's message of "Mon, 28 Aug 2000 01:30:39 -0700"> <200008280830.BAA26974@hokkshideh.jetcafe.org> <4.3.1.0.20000828164001.00ce7c90@pop.climber.org> <4.3.1.0.20000829062536.00bd09f0@pop.climber.org>
User-agent: Gnus/5.0803 (Gnus v5.8.3) Emacs/20.7

>>>>> "S" == SRE  <eckert@climber.org> writes:

S> Hmmm. I thought this was a setuid script.

It is, but it is careful to drop privileges before calling the editor.

S> If it sometimes runs as the server id and sometimes runs as the user id,
S> I'm surprised and confused.

It does.  This is part of the basic UNIX security model.

S> It's never possible to prove something doesn't exist, so no one can ever
S> say any program is totally safe.

There is a whole branch of computer science related to proving the
correctness of programs, but that doesn't scale to any system this big
(i.e. the OS, Perl, Majordomo, and the Internet all together).

S> What I'm not clear on is why it's desirable to let arbitrary environment
S> variables exist when there is so much code that no one has ever scanned
S> for defects.

I don't believe I've said that it's desirable.  Up until yesterday I had
maintained that someone needed to come up with a good reason for doing it
besides nebulous statements that there might be problems, maybe, but we
can't find one.  (After all, Perl has extensive mechanisms in place to make
sure that problems don't exist, and if we can't trust Perl then we have a
basic underlying flaw that essentially invalidates our entire suite of
software.)  But Dave explained his position yesterday well enough that I
understood it and agreed with it.

S> Is there a list of environment variables that are INTENTIONALLY used by
S> Mj2?

No.  I started a list in my reply to Dave, but I don't know enough about
the web stuff to know what use it makes of the environment.  (I suspect
quite a bit.)  Everyone here should feel free to add to that list.

S> What would happen if an anxious system administrator re-wrote the
S> wrappers to delete all environment variables and change BOTH the
S> effective and real uid/gid?

Then the editing portion of mj_shell would fail (because of the wrapper
screwing with the UID when it's not supposed to) and the CGI scripts would
stop working completely because they rely heavily on fetching stuff from
the environment.  I think the email stuff would keep working, assuming that
your MTA requires the wrapper in the first place.  Neither the CGI nor shell
interfaces could save much useful information in the session log.

So basically you remove a lot of the features that actually make the
software useful.

 - J<
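The two measures discussed in this thread, permanently dropping both the real and effective uid/gid before handing control to the editor and clearing the environment down to a known set, look like this in a C wrapper. This is an added illustration, not code from the Majordomo 2 wrappers; the allowlist of variable names and the sample environment are assumptions constructed for the example.

```c
#define _GNU_SOURCE 1
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Permanently drop to the invoking user's ids: real, effective and (for a root
 * process) saved ids all change, so the editor cannot seteuid() back to the
 * wrapper's privilege. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    /* Supplementary groups first, and gid before uid: once the uid changes the
     * process no longer has the privilege to change its groups. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* Verify rather than assume: every id must equal the target ... */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) return -1;
    /* ... and the drop must be irreversible: regaining root has to fail now. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Variables the editor may inherit (an assumption for this example, not
 * Majordomo's list); anything else, e.g. LD_PRELOAD or IFS, is dropped. */
static const char *const ALLOWED[] = { "PATH", "HOME", "USER", "TERM", "EDITOR", NULL };

/* Return a NULL-terminated, malloc'd copy of envp holding only allowlisted
 * NAME=value entries, ready to pass to execve() as the editor's environment.
 * Entries without '=' are malformed and dropped. */
char **build_safe_env(char *const *envp) {
    size_t n = 0, out = 0;
    while (envp[n]) n++;
    char **safe = calloc(n + 1, sizeof *safe);   /* calloc leaves the terminating NULL */
    if (!safe) return NULL;
    for (size_t i = 0; i < n; i++) {
        const char *eq = strchr(envp[i], '=');
        size_t len = eq ? (size_t)(eq - envp[i]) : 0;
        for (size_t k = 0; eq && ALLOWED[k]; k++)
            if (strlen(ALLOWED[k]) == len && strncmp(envp[i], ALLOWED[k], len) == 0) {
                safe[out++] = envp[i];
                break;
            }
    }
    return safe;
}

/* Constructed sample environment, as an untrusted caller might supply it. */
char *const SAMPLE_ENV[] = { "PATH=/usr/bin:/bin", "LD_PRELOAD=/tmp/untrusted.so",
                             "HOME=/home/alice", "IFS= ", "BROKEN", "TERM=xterm", NULL };
```

A wrapper calls drop_privileges(getuid(), getgid()) first and then execve()s the editor with the array from build_safe_env(environ); the verification step matters because setuid() on a non-root process may change fewer ids than expected and silently leave privilege behind.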
