Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watnot!watmath!clyde!rutgers!mit-eddie!uw-beaver!tektronix!tekcrl!terryl
From: terryl@tekcrl.UUCP
Newsgroups: comp.unix.wizards,comp.unix.questions
Subject: Re: UNIX file setuid sucurity hole?
Message-ID: <1480@tekcrl.TEK.COM>
Date: Fri, 13-Mar-87 13:44:26 EST
Article-I.D.: tekcrl.1480
Posted: Fri Mar 13 13:44:26 1987
Date-Received: Sat, 14-Mar-87 15:25:14 EST
References: <2168@ncoast.UUCP>
Reply-To: terryl@tekcrl.tek.com
Distribution: world
Organization: Tektronix, Inc., Beaverton, OR.
Lines: 58
Xref: utgpu comp.unix.wizards:1381 comp.unix.questions:1366

In article <2168@ncoast.UUCP> robertd@ncoast.UUCP (Robert DeMarco) writes:
+
+
+    It just occurred to me that,
+thanks to the chown command and "setuid
+to owner when executing this C program"
+that no one's file is really safe.
+
+    I mean, couldn't someone who
+knows C a lot write a program that is
+equivalent to "cat" that would display
+another user's secret file. Then simply
+chmod the file to set to the owner's ID
+upon execution? Then chown it to the
+owner. Then execute the command. Your
+uid will be set to the owner, who owns
+the file you wish to see.
+
+
+    For instance, let's say there
+is a file called "foo", and John Smith
+owns the file. Now let's say that Peter
+Jones wants to see the file but can't,
+because he's not allowed.
+
+    Now Peter can write a program
+called "xyz" that displays John's file.
+However, Peter still can't access it.
+Now, let's say that Peter sets the
+permission on his program so that any
+one can access it, and the uid will be
+set to owner (Peter). Now Peter then can
+"chown" the command to John. The file
+now belongs to John. Then Peter
+executes the file. Since the file
+permissions say to change id to owner,
+Peter's id will be changed to John's id
+for the duration of the program. Now
+Peter will BE ALLOWED to read John's
+file.
+
+    How can you protect against
+this?
Well, for one thing, some flavors of UNIX do NOT allow normal mortal users (i.e. people who are not root) to do a chown of a file. That's why chown is set-user-id to root on these systems. But, there are some flavors that DO allow normal mortal users to do a chown of a file. Of all of the systems I've seen that allow this, when the user does a chown of a file, the set-user-id bit is RESET, i.e. it is no longer a set-user-id file. I've even seen some systems that always reset the set-user-id bit, even if it is root that did the chown. Thus your security hole is non-existent.

Terry Laskodi of Tektronix
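The whole scenario in the quoted article depends on the set-user-id bit surviving a chown to the victim. The script below is an added example, not code from either poster: it walks a directory tree and lists set-user-id executables owned by anyone other than root (the audit a sysadmin would run to catch a stray "xyz"), and then empirically checks whether the local kernel drops the bit when a file is chowned. Because chown to another user needs privilege, the check chowns the sample file to its current owner; on Linux the chown(2) manual page documents that S_ISUID and S_ISGID are cleared on an executable when an unprivileged user changes its owner, and since kernel 2.2.13 also when root does, which is the behaviour Terry describes. The file name "xyz" and the 4755 mode are constructed sample values.

```python
"""Audit set-user-id executables and check whether chown drops the bit.

Added example, not part of the 1987 thread. Assumes a POSIX system where
os.chown/os.chmod behave as on Linux. The demo chowns a file to its
*current* owner because chown to another user needs privilege.
"""
import os
import stat
import tempfile


def is_risky_setuid(mode: int, uid: int, trusted_uids=(0,)) -> bool:
    """A regular, executable file with S_ISUID whose owner is not trusted.

    Trusted owners default to root (uid 0): setuid-root binaries such as
    passwd or su are expected; setuid to any other user deserves a look.
    """
    executable = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return (stat.S_ISREG(mode)
            and bool(mode & stat.S_ISUID)
            and bool(executable)
            and uid not in trusted_uids)


def audit_setuid(root: str, trusted_uids=(0,)):
    """Walk `root`; return (path, owner uid, octal mode) per risky file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                     # vanished or unreadable entry
            if is_risky_setuid(st.st_mode, st.st_uid, trusted_uids):
                findings.append((path, st.st_uid, oct(stat.S_IMODE(st.st_mode))))
    return findings


def setuid_survives_chown(path: str, uid: int, gid: int) -> bool:
    """chown `path` to (uid, gid) and report whether S_ISUID is still set."""
    os.chown(path, uid, gid)
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def build_demo_tree(root: str) -> str:
    """Constructed sample: one set-user-id shell script named like Peter's xyz."""
    path = os.path.join(root, "xyz")
    with open(path, "w") as f:
        f.write("#!/bin/sh\ncat foo\n")
    os.chmod(path, 0o4755)                   # rwsr-xr-x: set-user-id to owner
    return path


def run_demo():
    """Build the sample tree, audit it, then chown the file to its own owner.

    Returns (findings, setuid_kept). If the demo itself runs as root, no
    owner is treated as trusted so the sample file is still reported.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = build_demo_tree(tmp)
        trusted = (0,) if os.getuid() != 0 else ()
        findings = audit_setuid(tmp, trusted)
        kept = setuid_survives_chown(path, os.getuid(), os.getgid())
        return findings, kept


if __name__ == "__main__":
    findings, kept = run_demo()
    for p, uid, mode in findings:
        print(f"set-user-id executable {p} owned by uid {uid}, mode {mode}")
    print("chown kept the set-user-id bit" if kept
          else "chown cleared the set-user-id bit")
```

Point `audit_setuid` at `/` (as root, so every directory is readable) for a real sweep; the same-owner chown check is only a probe of the local kernel's policy, and a system where it reports the bit as kept is one where Terry's "some flavors" caveat applies and setuid files owned by non-root users should be treated with suspicion.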