Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!rutgers!lll-crg!mordor!sri-spam!sri-unix!hplabs!tektronix!teklds!zeus!bobr
From: bobr@zeus.UUCP (Robert Reed)
Newsgroups: comp.unix.questions,comp.unix.wizards
Subject: Re: slaying Gould dragon with a wooden horse
Message-ID: <836@zeus.UUCP>
Date: Fri, 7-Nov-86 15:24:48 EST
Article-I.D.: zeus.836
Posted: Fri Nov 7 15:24:48 1986
Date-Received: Sun, 9-Nov-86 04:44:52 EST
References: <157@houligan.UUCP>
Reply-To: bobr@zeus.UUCP (Robert Reed)
Followup-To: comp.unix.wizards
Organization: CAE Systems Division, Tektronix Inc., Beaverton OR
Lines: 30
Xref: watmath comp.unix.questions:6 comp.unix.wizards:3

In <157@houligan.UUCP> Dave Cornutt writes:

    Any system, no matter how secure it is designed to be, is only as secure
    as the people who run it make it. If the searchpath problem was fixed,
    Darryl could still have gotten in by creating a Trojan-horse program in
    his directory and convincing the superuser to run it. (An old student
    approach: "I'm getting a weird error out of this homework program; could
    you please run it and tell me what you think is wrong?"). This would have
    worked just as well, and there is *no system on the market* that can stop
    this type of attack...because the thing being taken advantage of isn't
    the system, it's the system administrator.

Maybe yes, maybe no. It is certainly true in either case that the sys-admin was duped, but in Darryl's trojan horse scheme, he was relying on the coincidence of two conditions:

1. That the search path tried the current working directory first.
2. That the system administrator would think nothing of using standard utilities while running as root in that directory.

It is one thing to build a trojan horse behind, say, ls; one that does its dirty deed and then execs the real ls. It's quite another to convince an administrator to run a user program WHILE IN A PRIVILEGED ACCOUNT. It's certainly possible to do it, especially with a novice admin, just as it is possible to take advantage of one who leaves terminals logged into root. I know I would have real qualms about executing someone's xyz program while running as root. But I might not even think about running ls, cat, more, or emacs.

--
Robert Reed, Tektronix CAE Systems Division, bobr@zeus.TEK
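
Added example, not part of the original post: a POSIX sh check for the first condition listed above, reporting whether a PATH puts a current-directory entry ahead of the directory that really holds a given utility. The function name `cwd_before_cmd` and the sample PATH values are constructed for illustration, and the demo assumes `sh` lives in `/bin`.

```shell
#!/bin/sh
# Added example (not from the original post). Models condition 1 above: is a
# current-directory entry searched before the directory that holds CMD?

# cwd_before_cmd PATHSTRING CMD
# Prints "<position> <entry>" for every entry that resolves against the
# current directory and is searched before the first absolute directory
# containing an executable CMD. Returns 1 if any such entry exists, else 0.
cwd_before_cmd() (
    rest="$1:"        # trailing ":" keeps a final empty element visible
    cmd=$2
    pos=0
    risky=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        pos=$((pos + 1))
        case $entry in
            /*) # Absolute directory: the search stops here if CMD lives in it.
                if [ -f "$entry/$cmd" ] && [ -x "$entry/$cmd" ]; then
                    break
                fi ;;
            '') # An empty element means the current directory.
                echo "$pos (empty)"; risky=1 ;;
            *)  # "." and any other relative entry resolve against the cwd.
                echo "$pos $entry"; risky=1 ;;
        esac
    done
    [ "$risky" -eq 0 ]
)

# Constructed PATH values; "sh" is assumed to live in /bin.
for p in ".:/bin:/usr/bin" "/bin:/usr/bin:." ":/bin" "/usr/local/bin:tools:/bin"; do
    if hits=$(cwd_before_cmd "$p" sh); then
        echo "ok     PATH=$p"
    else
        echo "RISKY  PATH=$p -> $hits"
    fi
done
```

A PATH with "." last passes this check because it cannot shadow an installed utility such as ls, but the current directory is still searched for any name the system directories do not provide.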