Xref: utzoo unix-pc.general:271 comp.sys.att:2349 Path: utzoo!mnetor!uunet!lll-winken!lll-lcc!mordor!sri-spam!rutgers!mtune!codas!killer!woton!riddle From: riddle@woton.UUCP (Prentiss Riddle ) Newsgroups: unix-pc.general,comp.sys.att Subject: Major security problem in the UA: looking for a real fix Message-ID: <1023@woton.UUCP> Date: 1 Feb 88 23:43:37 GMT Organization: Shriners Burns Institute, Galveston Lines: 81 Keywords: UNIX PC, UA, security hole Insecurity-Hole: "Bob" This has been discussed on the net before, but I want to raise it again: There is a security hole in the UA which you could throw a Cray through. If an Office menu has an entry "Run=EXEC -p $SHELL", the shell is invoked with superuser privileges. Anyone can create an Office file in her home directory and become root at will. This "-p" option (documented in section ua(4) in the manual) is used extensively in the UA menus. It is what allows the user "install" to do many administrative tasks ordinarily reserved for root. It also is used for many more mundane things, such as floppy operations, which ordinary users need to be able to do. Darryl Wagoner (unisec!dpw) some time back proposed the following solution to the problem: the UA grants superuser privileges via the setuid programs /usr/lib/ua/uasetx and /usr/lib/ua/uasig. If these programs are chmod'ed to 4710 and put in a group "super" and only trusted users (ideally just "install") are put in the "super" group, then the -p option won't be available to non-trusted users. I tried this, with mixed results. Users in the "super" group were able to get superuser status as before, but other users lost the ability to invoke the following items in the UA menus: Administration: Change Password Administration: Disk Backup Administration: Disk Restore Administration: Mail Setup: Electronic Mail Name of Other Systems Administration: Mail Setup: Electronic Mail Name of This System Administration: Software Setup Administration: System Information Floppy Disk Copy Floppy Disk Format Floppy Disk Repair MSDOS Disk Format MSDOS Disk Read MSDOS Disk Write Printer Queue Printer Restart Printer Setup In addition, the ordinary small Unix window invoked by "Run=EXEC -w $SHELL" would no longer work, although a large borderless "Run=EXEC -wd $SHELL" would work correctly. Some of the affected menu items are security risks in themselves and probably should not be available to unprivileged users (mail and printer setup, for instance). Others are not so expendable: all of our users need to be able to format floppy disks and do backups and restores, at least of their own files. I also tried simply turning off the setuid bit on "uasetx" and "uasig", but leaving them executable by everyone. This was even worse: the programs would run, but they would run incorrectly -- in particular, floppy backup operations would fail with a message about the disk being full when it really was at 70% capacity. So we're back at the drawing board. I don't see any reason why it should not be theoretically possible to fix these problems. Most of the floppy-oriented functions should not need special privileges to work. Most if not all of the programs which really require superuser privileges should not be available to non-superusers anyway. I've never seen the rationale behind the "install" user -- why wasn't install's "Administration" menu simply given to root? Root is capable of running the UA too. So, are any of the UNIX PC hackers out there interested in tackling this problem and coming up with a real solution? (By rights, AT&T ought to recognize this as a major bug and fix it, but given the status of the UNIX PC I'm not holding my breath.) [And can anyone out there tell me what on earth the developers of the UNIX PC were thinking of when they created this misfeature? Did they really think it so necessary to be able to provide root privileges at the drop of a hat that they thought it was worth creating a security hole the size of a barn door? Or did they just not know what they were doing? :-( ] --- Prentiss Riddle ("Aprendiz de todo, maestro de nada.") --- Opinions expressed are not necessarily those of my employer. --- riddle@woton.UUCP {ihnp4,harvard}!ut-sally!im4u!woton!riddle