Path: utzoo!attcan!uunet!lll-winken!lll-tis!ames!amdahl!rtech!llama!daveb
From: daveb@llama.rtech.UUCP (It takes a clear mind to make it)
Newsgroups: comp.emacs
Subject: Re: Is GNU Cause of Security Problems???
Summary: LBL cracker tracker blames movemail, looks like a real hole + FIX
Message-ID: <2086@rtech.UUCP>
Date: 14 May 88 05:41:06 GMT
References: <8805102131.AA00798@icst-cmr.arpa>
Sender: news@rtech.UUCP
Reply-To: daveb@rtech.UUCP (It takes a clear mind to make it)
Organization: Relational Technology, Inc. Alameda, CA
Lines: 105

Someone wrote:

> Nothing in gnu Emacs is suid root (or anything else), nor is anything
> default world writable.  Gnu should be no more "dangerous" than any
> other program.

I've just gotten my May CACM, and I'm passing this on for those who
haven't gotten it.  There is a real problem, fix enclosed below.

The seed of this discussion was the attribution that the West German
cracker got root privs on an LBL machine from Gnu Emacs.  The beginning
of the article says "We captured all his keystrokes on a printer and saw
how he used a subtle bug in the Gnu-Emacs text editor to obtain
system-manager privileges."

Leaks of this assertion prompted statements like the above "there is
nothing setuid", and discussions about chmoding the executables to be
non-writable (good advice, by the way.)  The truth points at a real bug,
caused by incorrect installation.

Later the article says "typical of the security holes he exploited was a
bug in the Gnu-Emacs program.  This popular, versatile text editor
includes its own mail system, allowing a user to forward a file to
another user.  As distributed, the program uses the UNIX
Set-User-ID-to-root feature; that is, a section of the program runs with
system-manager privileges.  This movemail facility allows the user to
change file ownership and move files into another's directory.
Unfortunately, the program did not prevent someone from moving a file
into the systems area.

Aware of this hole, the intruder created a shell script that, when
executed at the root level, would grant him system privileges.  He used
the movemail facility to rename his script as a utility periodically run
by the system.  When the script was executed by the system, he gained
system-manager privileges."

No, movemail doesn't NEED to run as root, but often does.  From INSTALL:

    * rmail gets error getting new mail

    rmail gets new mail from /usr/spool/mail/$USER using a program
    called movemail.  This program interlocks with /bin/mail using
    the protocol defined by /bin/mail, which involves creating a lock
    file.  It must be able to write in /usr/spool/mail in order to do
    this.

My mail directory is:

    drwxrwxr-x  2 root  wheel  2048 May 13 21:53 /usr/spool/mail/

so you could be setgid wheel instead of setuid root.  However, the
installation instructions don't say what to do, and it appears that some
people (like me) take the easy way out...

    -rwsr-xr-x  1 root  18432 Aug 13  1986 etc/movemail*

My 17.49 movemail.c has some stuff from Barry at BU to address the
problem.  I seem to recall he posted it, and it unfortunately seems to
have missed the official distribution:

    /* BZS 7/28/86 - to run suid we need to check permissions on files */
    if (!insecure(inname) || !outsecure(outname))
        fatal("Permission Denied");
    /**/

and

    #include <sys/types.h>
    #include <sys/stat.h>
    #include <string.h>
    #include <unistd.h>     /* getuid(), access(), W_OK */

    /*
     * Despite the name, returns nonzero when the input file exists
     * and is owned by the REAL (invoking) user, so a setuid movemail
     * cannot be pointed at somebody else's mailbox.
     */
    insecure(sp)
    char *sp;
    {
        struct stat st;

        if (stat(sp, &st) < 0)
            return(0);
        return(st.st_uid == getuid());
    }

    /*
     * Returns nonzero when the directory that will receive the output
     * file exists, really is a directory, and is writable by the REAL
     * user.  access() tests the real uid/gid, not the effective (root)
     * one, which is what stops a file being moved into the system area.
     */
    outsecure(sp)
    char *sp;
    {
        char *cp;
        struct stat st;
        char buf[1024];
        char *rindex();

        if (strlen(sp) >= sizeof buf)   /* refuse rather than overrun buf */
            return(0);
        strcpy(buf, sp);
        sp = buf;
        if ((cp = rindex(sp, '/')) != 0)
            *cp = '\0';                  /* keep the directory part only */
        else
            strcpy(sp, ".");
        if (stat(sp, &st) < 0)
            return(0);
        if ((st.st_mode & S_IFDIR) == 0)
            return(0);
        return(!access(sp, W_OK));
    }

In contrast, the 18.51 code suggests it could be suid root, works around
one of the downstream problems, but ignores the fundamental insecurity.

    #if defined(BSD) || defined(XENIX)
    /* In case movemail is setuid to root, make sure the user can read
       the output file. */
    /* This is desirable for all systems
       but I don't want to assume all have the umask system call */
    umask (umask (0) & 0333);
    #endif /* BSD or Xenix */

Barry's code should be put into your release if you have CACM readers at
your site, and should be added to the regular distribution.  The INSTALL
and PROBLEMS files should say specifically how to install movemail,
using setgid instead of suid.

-dB
{amdahl, cpsc6a, mtxinu, sun, hoptoad}!rtech!daveb    daveb@rtech.uucp
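The checks in Barry's patch, written out as a stand-alone program so the rule a privileged mail helper should enforce can be read and tried on its own. This is an added example, not code from the post or from GNU Emacs; every function name in it is an assumption made for this example, and the fixture it tests against (a scratch file created under /tmp, or the current directory as a fallback) is constructed. It goes one step beyond the post: besides checking ownership of the input and writability of the output directory with access(2), which judges the real uid, it creates the destination with the effective uid temporarily set back to the real uid, so the kernel enforces the caller's permissions rather than the helper.

```c
/* Added example (not from the post or from GNU Emacs).  Function names
 * and the /tmp fixture are assumptions made for this illustration. */
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Nonzero if PATH exists and is owned by the real (invoking) user. */
int caller_owns_file(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return 0;
    return st.st_uid == getuid();
}

/* Nonzero if the directory that will hold PATH exists, really is a
 * directory, and is writable by the REAL user.  access(2) checks the
 * real uid/gid, not the effective one, so root privilege in the helper
 * does not let the caller drop files into the system area. */
int caller_can_write_dir_of(const char *path)
{
    char dir[1024];
    struct stat st;
    char *slash;

    if (strlen(path) >= sizeof dir)      /* refuse rather than truncate */
        return 0;
    strcpy(dir, path);
    slash = strrchr(dir, '/');
    if (slash == NULL)
        strcpy(dir, ".");
    else if (slash == dir)               /* "/name": directory is "/" */
        strcpy(dir, "/");
    else
        *slash = '\0';
    if (stat(dir, &st) < 0 || !S_ISDIR(st.st_mode))
        return 0;
    return access(dir, W_OK) == 0;
}

/* The combined gate a setuid/setgid helper applies before moving
 * INNAME to OUTNAME on the caller's behalf. */
int move_permitted(const char *inname, const char *outname)
{
    return caller_owns_file(inname) && caller_can_write_dir_of(outname);
}

/* Create OUTNAME as the real user: drop the elevated effective uid,
 * create the file without clobbering an existing one, then regain the
 * privilege for the spool-side lock-file work.  Returns an fd or -1.
 * When the binary is not setuid both seteuid calls are no-ops. */
int create_output_as_caller(const char *outname)
{
    uid_t saved = geteuid();
    int fd;

    if (seteuid(getuid()) < 0)
        return -1;
    fd = open(outname, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (seteuid(saved) < 0) {            /* never continue half-privileged */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    return fd;
}

/* Self-check against a constructed fixture (a scratch file we own).
 * Returns how many of the six expectations held, or -1 on setup error. */
int demo_checks(void)
{
    char scratch[64] = "/tmp/movemail-demo-XXXXXX";
    char bogus[80], fresh[80];
    int fd, passed = 0;

    fd = mkstemp(scratch);
    if (fd < 0) {                        /* no /tmp: use the current dir */
        strcpy(scratch, "./movemail-demo-XXXXXX");
        fd = mkstemp(scratch);
        if (fd < 0)
            return -1;
    }
    close(fd);

    passed += caller_owns_file(scratch) == 1;           /* 1: ours */
    passed += caller_can_write_dir_of(scratch) == 1;    /* 2: dir writable */
    snprintf(bogus, sizeof bogus, "%s/x", scratch);
    passed += caller_can_write_dir_of(bogus) == 0;      /* 3: parent not a dir */
    passed += move_permitted(scratch, scratch) == 1;    /* 4: gate combines both */
    passed += create_output_as_caller(scratch) == -1;   /* 5: O_EXCL refuses */
    snprintf(fresh, sizeof fresh, "%s.out", scratch);
    fd = create_output_as_caller(fresh);
    passed += fd >= 0;                                  /* 6: fresh file created */
    if (fd >= 0) {
        close(fd);
        unlink(fresh);
    }
    unlink(scratch);
    return passed;
}

int main(int argc, char **argv)
{
    if (argc == 3) {
        printf("%s -> %s: %s\n", argv[1], argv[2],
               move_permitted(argv[1], argv[2]) ? "permitted" : "refused");
        return 0;
    }
    printf("self-check: %d of 6 expectations held\n", demo_checks());
    return 0;
}
```

Run it with no arguments for the self-check, or with an input path and an output path to see whether the gate would allow that move for the user running it. Note that the gate alone is still a check-then-use sequence; the create-as-caller step is what makes the eventual file creation subject to the real user's permissions regardless of what the checks saw.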