Xref: utzoo alt.security:1530 alt.bbs:2920 comp.unix.sysv386:335
Path: utzoo!utgpu!cs.utexas.edu!yale!umich!ox.com!mudos!mju
From: mju@mudos.ann-arbor.mi.us (Marc Unangst)
Newsgroups: alt.security,alt.bbs,comp.unix.sysv386
Subject: Re: Protecting against downloads
Message-ID: <8RFgP2w163w@mudos.ann-arbor.mi.us>
Date: 13 Sep 90 21:51:18 GMT
References:
Organization: The Programmers' Pit Stop, Ann Arbor MI
Lines: 53

epeterso@encore.com (Eric Peterson) writes:

> ** BZZZT! ** Wrong. People need to be able to read the kernel and
> other binaries. Changing the permission bits on the standard files is
> not necessarily a healthy idea.

No, you're wrong. People don't need to be able to read the kernel; in
fact, on every modern Unix system I've seen, the ordinary user CAN'T
read the kernel. It's usually owned by "root", group "sysinfo" (or
something similar), and permitted 640 or 040. Programs like ps(1) that
need to read the kernel are SGID sysinfo. /dev/kmem, /dev/mem, and
/dev/swap are similarly owned by group sysinfo and permitted 640 or
040. Any programs that have to access these protected files are SGID
sysinfo.

The only executable files that need to be readable by the user are
shell scripts. (However, note that something like "chmod 711
/usr/bin/*" is a Bad Idea, since it strips things like SUID and SGID
bits. Try "chmod go-rw /usr/bin/*" instead.)

> instance, if you gave the command "chroot /usr/$HOME /bin/csh" instead
> of just "/bin/csh" as your shell command, the user would see
> "/usr/$HOME" as "/" and would not have access to /bin or /lib.

Well, ignoring for the moment that "/usr/$HOME" will probably expand to
"/usr/u/loginid" or something similar, this opens up a security hole
big enough to drive a medium-sized planet through. Consider this:

    % cd
    % mkdir etc
    % cd etc
    % cat >passwd
    root::0:0::/:/bin/sh
    ^D
    % su root
    Password:
    #

The user now has root. Kids, don't try this at home. THIS IS WHY ROOT
IS THE ONLY ONE ALLOWED TO EXECUTE chroot(1).
The solution, as I mentioned before, is to remove read permission from
any and all binaries, INCLUDING the kernel. Make sure the hard drive
and raw hard drive devices are permitted 600. Make sure /dev/mem,
/dev/kmem, and /dev/swap can't be read by an ordinary user. Forget
about hacking sz(1) or rz(1), because the user can just upload their
own version, compile it, and use it.

-- 
Marc Unangst               | "da-DE-DA: I am sorry, the country you have
mju@mudos.ann-arbor.mi.us  | dialed is not in service. Please check the
...!umich!leebai!mudos!mju | number and try again." -- Telecom Kuwait
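As an added example (not code from the original post or its author), a few POSIX sh helpers that audit the exposure Marc describes and apply the "chmod go-rw" he recommends; the function names and the message format are my own, and the paths to check are supplied by the caller.

```shell
# Helpers for the hardening the post describes: binaries, the kernel image and
# the raw memory/disk devices should be unreadable by ordinary users, and read
# bits are removed with "chmod go-rw" so that SUID/SGID bits survive. Added
# example, not code from the original post; uses only POSIX ls/cut/chmod.

# mode_field PATH: the ten-character mode column from "ls -ld", e.g. -rwsr-x---
mode_field() {
    ls -ld "$1" | cut -c1-10
}

# read_exposure PATH: prints who besides the owner may read the file:
# "none", "group", "other" or "group,other".
read_exposure() {
    m=$(mode_field "$1")
    g=$(printf '%s\n' "$m" | cut -c5)   # group read bit
    o=$(printf '%s\n' "$m" | cut -c8)   # other read bit
    case "$g$o" in
        "--") echo none ;;
        "r-") echo group ;;
        "-r") echo other ;;
        "rr") echo group,other ;;
    esac
}

# has_setuid PATH: succeeds when the SUID bit is set (owner x column is s or S)
has_setuid() {
    case "$(mode_field "$1" | cut -c4)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# strip_public_read PATH...: the "chmod go-rw" the post recommends; unlike a
# numeric mode such as 711 it leaves SUID/SGID and execute bits untouched.
strip_public_read() {
    for f in "$@"; do chmod go-rw "$f"; done
}

# audit_readable PATH...: lists each argument an ordinary user could read
# (e.g. /dev/mem /dev/kmem /dev/swap /usr/bin/* on the post's system);
# returns 0 if nothing is exposed, 1 otherwise.
audit_readable() {
    rc=0
    for f in "$@"; do
        e=$(read_exposure "$f")
        [ "$e" = none ] || { echo "readable by $e: $f"; rc=1; }
    done
    return $rc
}
```

Run it as `audit_readable /dev/mem /dev/kmem /dev/swap /usr/bin/*` to list what is still exposed, then `strip_public_read` on the offenders.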