Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!hao!oddjob!gargoyle!ihnp4!alberta!ers!teletron!andrew
From: andrew@teletron.UUCP (Andrew Scott)
Newsgroups: comp.sys.att
Subject: Re: a few questions on the 3B1
Message-ID: <121@teletron.UUCP>
Date: Thu, 22-Oct-87 19:32:36 EST
Article-I.D.: teletron.121
Posted: Thu Oct 22 19:32:36 1987
Date-Received: Sun, 25-Oct-87 15:18:13 EST
References: <1913@gryphon.CTS.COM> <144800006@tiger.UUCP>
Organization: TeleTronic Communications Ltd., Edmonton, Alta.
Lines: 59

In a discussion about how to get uucico to recognize the TZ environment
variable, the following shell script was suggested as a login script:

>>> if [ \( -f /etc/TZ \) -a \( -r /etc/TZ \) ]
>>> then
>>>     TZ=`cat /etc/TZ`
>>>     export TZ
>>> fi
>>> exec /usr/lib/uucp/uucico $*

and then I wrote:

>> Using a shell script for a login is a *bad thing*.  I was shown how this is
>> a security hole by lyndon@ncc.  Quite graphically, I might add.

I was warned about login scripts by Lyndon when I told him that I had "fixed"
the TZ problem I previously had.  Shortly after e-mailing him "why?", I got
something like:

    Message from uucp (ph1) ...
    are you there?

on my screen.  He had logged in and obtained a shell before uucico was exec'ed.

One reply was:

> I have heard this blanket statement about shell scripts being a security
> hole before, possibly from you, and fail to see how this one (above) can
               (no, not me)
> be such.  I fancy myself very literate in Unix security and agree that,
> in general, shell scripts from inittab or suid-root scripts *might* have
> a hole (usually in the form of a command that has a shell escape) but I
> do not see the problem with the "if" statement, "cat" command, variable
> assignment, export statement, or exec function.  As long as the shell script
              ^^^^^^ this is the problem
> is only readable and writeable for the person to whom it was intended to
> serve and located in a "safe" directory, I see no problem.
> I do agree that the C-code is more elegant, but I would greatly appreciate
> a posting or e-mail showing the holes as you see them.
>
> Thanks,
>
> Randy Davis
> (ihnp4!)3b2fst!randy

Well, there is a shell parameter called IFS (internal field separator) which
delimits tokens to sh.  If you change IFS to also include 'p' (as well as
space, tab and newline), the 'export' line becomes 'ex ort'.  Presto, you are
in the editor, from which you can do a shell escape.

Now, this would only be a problem if a) you have anonymous uucp logins (no
password protection), or b) someone who knew the password (by reading L.sys
on the remote system) wanted to snoop around.

As for being "very literate in Unix security", Lyndon mentioned that this was
actually quite a common and old trick.  I guess you're not literate enough...

(Sorry if that sounds rude, but I don't profess to be any sort of Unix wizard,
and very few people (Lyndon excepted :-) impress me that they should.)

Andrew
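
Added example, not part of the original post and not code from anyone in the thread: the quoted reply mentions C code as the alternative to the login script, and this is one way such a wrapper could look. It reads /etc/TZ itself and execs uucico with a fixed environment, so no shell tokenizes anything and IFS is never consulted. The name make_tz_env, the PATH value, the allowed character set and the choice to pass no arguments through are assumptions; the two file paths come from the quoted script.

```c
/* Added example: set TZ and exec uucico with no shell in between. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>

#define TZ_FILE "/etc/TZ"               /* path from the quoted script */
#define UUCICO  "/usr/lib/uucp/uucico"  /* path from the quoted script */

/* Build "TZ=<value>" in out from one line of the TZ file.
 * Returns 0 on success, -1 if the value is empty, does not fit, or
 * contains a character outside the (assumed) set a TZ string needs. */
int make_tz_env(const char *line, char *out, size_t outlen)
{
    size_t n = strcspn(line, "\r\n");   /* value ends at the newline */
    size_t i;

    if (n == 0 || n + 4 > outlen)       /* "TZ=" + value + NUL must fit */
        return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)line[i];
        if (!isalnum(c) && !strchr("+-:,./<>_", c))
            return -1;
    }
    memcpy(out, "TZ=", 3);
    memcpy(out + 3, line, n);
    out[3 + n] = '\0';
    return 0;
}

int main(void)
{
    char line[64], tzenv[80];
    char *envp[3];
    char *argv[] = { "uucico", NULL };
    int e = 0;
    FILE *fp = fopen(TZ_FILE, "r");

    /* Fixed environment: nothing inherited from the caller, IFS included. */
    envp[e++] = "PATH=/bin:/usr/bin";
    if (fp != NULL) {
        if (fgets(line, sizeof line, fp) &&
            make_tz_env(line, tzenv, sizeof tzenv) == 0)
            envp[e++] = tzenv;          /* a bad or missing file just means no TZ */
        fclose(fp);
    }
    envp[e] = NULL;
    execve(UUCICO, argv, envp);
    perror(UUCICO);                     /* reached only if execve failed */
    return 1;
}
```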