Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!europa.asd.contel.com!gatech!utkcs2!ornl.gov!de5
From: de5@ornl.gov (Dave Sill)
Newsgroups: comp.unix.admin
Subject: dot in path (was Re: Mysterious security hole)
Message-ID: <1991Jun19.191124.20380@cs.utk.edu>
Date: 19 Jun 91 19:11:24 GMT
References: <91161.131540SCHDAVZ@YaleVM.YCC.Yale.Edu> <70@pyuxf.UUCP> <319@dlss2.UUCP> <22940@ogicse.ogi.edu>
Sender: usenet@cs.utk.edu (USENET News Poster)
Reply-To: Dave Sill
Organization: Oak Ridge National Laboratory
Lines: 75

In article <22940@ogicse.ogi.edu>, pochmara@ogicse.ogi.edu (John Pochmara) writes:
>
> This *is* a "security hole".  Some directories are world
> writable, have to be.  i.e. /tmp and /usr/tmp.
>...
> In short '.' should NOT be in root's PATH and should be
> at the end, if at all, in users' PATH.

There is a potential problem with dot in root's path that doesn't
require world writable directories and isn't fixed by putting the dot
at the end.

Assume a user directory with the contents:

    Makefile
    atdr.c
    atdr.o
    dtae.c
    dtae.o
    dtae
    dtret.c
    dtret.o
    main.c
    main.o
    xfoobar
    etc.

Now suppose the user calls up the system administrator, who is known to
remain su'd to root most of the time, and requests help with make.  The
user explains that when he updates a file, make fails to rebuild
everything it should.  The admin scans the Makefile, does an ls or two,
touches some files, checks the date, etc.  Of course, he's careful not
to run "make" or the user's program, and he's left dot out of his path.
Eventually, he sees that a filename is misspelled, or that there's a
missing dependency, or whatever.  The user thanks him, and that's that.

Right?

Unless the admin happened to mistype "date" as "dtae" at some point.
Here's what's in the file "dtae":

    #!/bin/sh
    mkdir /tmp/$$
    cp /bin/sh /tmp/$$/a.out
    chmod u+s /tmp/$$/a.out
    if user's shell is /bin/sh then
        echo dtae: not found
    elif user's shell is Bash then
        echo dtae: command not found
    elif user's shell is /bin/csh then
        echo dtae: Command not found.
    fi

Sure, that's an elaborate scenario, and it has a relatively low chance
of succeeding, unless the user happens to know what kind of typing
errors the admin makes, but there's no reason why the user couldn't put
copies of dtae in all of his directories, and /tmp, and /usr/tmp, etc.

To be really safe, don't do anything as root that doesn't have to be
and use full path names.  One could even make a /r directory and link
everything into it to reduce the typing overhead.  E.g.,

    # /r/mount -a -t nfs
    # /r/df
    :
    # /r/reboot

--
Dave Sill (de5@ornl.gov)            Tug on anything in nature and you will find
Martin Marietta Energy Systems      it connected to everything else.
Workstation Support                           --John Muir
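The two PATH problems discussed in the thread (a "." or empty entry that makes the shell search the current directory, which defeats "put dot at the end", and world-writable directories such as /tmp) can both be audited mechanically. The following is an added example, not code from Dave Sill's post or from any of the systems he mentions; it assumes only a POSIX sh and the classic ten-character mode column of ls -ld. It also flags relative entries like "bin", which the post does not mention but which have the same effect as ".".

```shell
#!/bin/sh
# Added example: audit a PATH string for entries that make the shell
# search the current working directory.  Each offender is printed;
# the return status is 1 if any was found, 0 if the PATH is clean.
# Handled cases: a literal ".", an empty entry (leading colon, trailing
# colon, or "::"), and any relative path.
audit_path() {
    _rest="$1:"          # trailing colon lets the loop consume the last entry
    _bad=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}      # text up to the first colon
        _rest=${_rest#*:}        # drop that entry and its colon
        case $_entry in
            "")  echo "empty entry (searches the current directory)"; _bad=1 ;;
            .)   echo "'.' entry (searches the current directory)";   _bad=1 ;;
            /*)  ;;                                   # absolute: fine here
            *)   echo "relative entry '$_entry' (searches relative to cwd)"; _bad=1 ;;
        esac
    done
    return $_bad
}

# Added example: report absolute PATH entries that exist and are writable
# by "others", i.e. the /tmp and /usr/tmp case John Pochmara raised.
# Column 9 of "ls -ld" output is the others-write bit ("drwxrwxrwx").
# Entries that do not exist as directories are skipped, not reported.
audit_path_perms() {
    _rest="$1:"
    _bad=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        [ -d "$_entry" ] || continue
        case $(ls -ld "$_entry" | cut -c9) in
            w) echo "world-writable entry '$_entry'"; _bad=1 ;;
        esac
    done
    return $_bad
}

# Usage: audit the caller's own PATH (the argument defaults to $PATH).
audit_both() {
    _p=${1:-$PATH}
    _status=0
    audit_path "$_p"       || _status=1
    audit_path_perms "$_p" || _status=1
    [ $_status -eq 0 ] && echo "PATH looks clean: $_p"
    return $_status
}
```

Run it as `sh audit.sh` from a login shell to check the interactive PATH, or call `audit_both "$(sudo sh -c 'echo $PATH')"` to look at what root would actually search; a non-zero exit status is the signal to act on.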