Path: utzoo!mnetor!uunet!husc6!rutgers!clyde!cbosgd!mandrill!hal!ncoast!allbery
From: allbery@ncoast.UUCP (Brandon Allbery)
Newsgroups: comp.unix.wizards
Subject: Re: ITS translations: security problem?
Message-ID: <7198@ncoast.UUCP>
Date: 6 Feb 88 17:51:53 GMT
References: <1495@osiris.UUCP> <2126@haddock.ISC.COM> <1497@osiris.UUCP> <704@PT.CS.CMU.EDU> <1424@gumby.mips.COM> <9690@tekecs.TEK.COM> <16008@think.UUCP>
Reply-To: allbery@ncoast.UUCP (Brandon Allbery)
Followup-To: comp.unix.wizards
Organization: Cleveland Public Access UN*X, Cleveland, Oh
Lines: 75

[Why the H*LL was this crossposted to comp.arch?!  EVERYTHING in unix.wizards
ends up crossposted there -- maybe they should be merged?!  ++bsa]

As quoted from <16008@think.UUCP> by barmar@think.COM (Barry Margolin):
+---------------
| In article <9690@tekecs.TEK.COM> andrew@frip.gwd.tek.com (Andrew Klossner) writes:
| > So you add s|^/bin/rm$|/user/me/bin/rm| to your
| > translation list."
| >
| >What about the security implications?  Under Unix, I could use these
| >translations to spoof setuid programs, e.g., make my own /etc/passwd
| >then invoke /bin/su.
|
| However, to answer your question about how this could be done in Unix,
| the answer is to not inherit translations in setuid processes.
+---------------

Probably a good idea anyway, but then you get into a very un-Unixy idea:
separate translations per-process, per-user-id, and per-system.  This would,
on the other hand, be more general than just suppressing translations for
setuid programs.

I don't think filename translations of this type are a good answer to the
original problem; too much rope for a user to hang (his/her/it)self with.  The
generalized mount from the LAST time we discussed this still sounds best to
me; add a restriction that the mount must be on a directory writeable by the
user to close the security hole, which is otherwise the same as with
translations (mount .breakin /etc).  Possibly also the directory should be
empty, although this limits its usefulness over networks (NFS/RFS).  (Note
that the writeable-directory restriction would be too expensive to apply to
filename translations, but for the mount call it's cheap.)
--
Brandon S. Allbery, moderator of comp.sources.misc
{well!hoptoad,uunet!hnsurg3,cbosgd,sun!mandrill}!ncoast!allbery
KABOOM!!!  Worf: "I think I'm sick."  LaForge: "I'm sure half the ship knows it."
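The "writeable by the user, and possibly empty" mount-point restriction argued for in the post, sketched as an added example in C; this is not code from the post, from ITS or from any Unix mount implementation. It assumes a privileged (setuid or kernel-side) user-mount helper that calls the hypothetical check_user_mount_point before doing the mount, and relies on access(2) evaluating permissions against the real uid, which is what makes "mount .breakin /etc" fail for an ordinary user.

```c
/* Added example: policy check for a user-callable generalized mount. */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum mount_verdict {
    MOUNT_OK = 0,
    MOUNT_ERR_NOT_DIR,      /* path missing or not a directory */
    MOUNT_ERR_NOT_WRITABLE, /* real uid may not write the directory */
    MOUNT_ERR_NOT_EMPTY     /* directory has entries (or is unreadable) */
};

/* Non-zero if dir has entries beyond "." and "..", or cannot be read. */
static int dir_has_entries(const char *path)
{
    DIR *d = opendir(path);
    struct dirent *e;
    int found = 0;
    if (d == NULL)
        return 1;               /* fail closed: unreadable counts as non-empty */
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") != 0 && strcmp(e->d_name, "..") != 0) {
            found = 1;
            break;
        }
    }
    closedir(d);
    return found;
}

/* Decide whether the calling user may mount on path.
 * access(2) checks with the real uid/gid, so inside a setuid helper it
 * reflects the user rather than the helper's privilege: a request to
 * mount over /etc is refused because /etc is not writeable by that user.
 * require_empty enables the post's optional "directory must be empty" rule. */
enum mount_verdict check_user_mount_point(const char *path, int require_empty)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return MOUNT_ERR_NOT_DIR;
    if (access(path, W_OK) != 0)
        return MOUNT_ERR_NOT_WRITABLE;
    if (require_empty && dir_has_entries(path))
        return MOUNT_ERR_NOT_EMPTY;
    return MOUNT_OK;
}
```

The check is cheap because it is a single stat/access pair per mount call, which is the post's point about why it suits mount but not per-lookup filename translation.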