dot in path (was Re: Mysterious security hole)

Dave Sill de5 at ornl.gov
Thu Jun 20 05:11:24 AEST 1991


In article <22940 at ogicse.ogi.edu>, pochmara at ogicse.ogi.edu (John Pochmara) writes:
>
>	This *is* a "security hole".  Some directories are world
>	writable, have to be. ie. /tmp and /usr/tmp.  
>...
>	In short '.' should NOT be in root's PATH and should be
>	at the end, if at all, in users' PATH.

There is a potential problem with dot in root's path that doesn't
require world writable directories and isn't fixed by putting the dot
at the end.

Assume a user directory with the contents:

    Makefile
    atdr.c
    atdr.o
    dtae.c
    dtae.o
    dtae
    dtret.c
    dtret.o
    main.c
    main.o
    xfoobar
    etc.

Now suppose the user calls up the system administrator, who is known
to remain su'd to root most of the time, and requests help with make.
The user explains that when he updates a file, make fails to rebuild
everything it should.  The admin scans the Makefile, does an ls or
two, touches some files, checks the date, etc.  Of course, he's
careful not to run "make" or the user's program, and he's left dot out
of his path.  Eventually, he sees that a filename is misspelled, or
that there's a missing dependency, or whatever.  The user thanks him,
and that's that.  Right? 

Unless the admin happened to mistype "date" as "dtae" at some point.

Here's what's in the file "dtae":

#!/bin/sh
mkdir /tmp/$$
cp /bin/sh /tmp/$$/a.out
chmod u+s /tmp/$$/a.out
if user's shell is /bin/sh
then
    echo dtae: not found
elif user's shell is Bash
then
    echo dtae: command not found
elif user's shell is /bin/csh
then
    echo dtae: Command not found.
fi

Sure, that's an elaborate scenario, and it has a relatively low chance
of succeeding, unless the user happens to know what kind of typing
errors the admin makes, but there's no reason why the user couldn't
put copies of dtae in all of his directories, and /tmp, and /usr/tmp,
etc.

To be really safe, don't do anything as root that doesn't have to be
and use full path names.  One could even make a /r directory and link
everything into it to reduce the typing overhead.  E.g.,

# /r/mount -a -t nfs
# /r/df
 :
# /r/reboot

-- 
Dave Sill (de5 at ornl.gov)	  Tug on anything in nature and you will find
Martin Marietta Energy Systems    it connected to everything else.
Workstation Support                                             --John Muir
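
A defensive check that follows from this thread, as an added example that is not part of the original message: it audits a PATH string for the entries discussed here (dot, the equivalent empty entry, other relative entries, and world-writable directories such as /tmp). The helper name `audit_path` and the sample PATH are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a PATH string for entries that let a file in an
# untrusted directory run in place of a mistyped or missing command.
# audit_path is a hypothetical helper name, not a standard tool.
# Prints "<kind>:<entry>" per finding; returns 1 if any finding, else 0.
audit_path() {
    ap_rest="$1:"          # trailing ":" lets the loop see a final empty entry
    ap_bad=0
    while [ -n "$ap_rest" ]; do
        ap_entry=${ap_rest%%:*}
        ap_rest=${ap_rest#*:}
        case $ap_entry in
            '')
                # A zero-length entry ("::", leading or trailing ":") means
                # the current directory, exactly like an explicit ".".
                echo "empty:"; ap_bad=1 ;;
            .)
                echo "dot:$ap_entry"; ap_bad=1 ;;
            /*)
                # Absolute entry: flag it if anyone may create files there
                # (the "other" write bit is the 9th character of ls -l mode).
                ap_mode=$(ls -ldL -- "$ap_entry" 2>/dev/null | cut -c1-10)
                case $ap_mode in
                    d???????w?) echo "world-writable:$ap_entry"; ap_bad=1 ;;
                esac ;;
            *)
                # Any other relative entry resolves against the current
                # directory too, so it has the same problem as ".".
                echo "relative:$ap_entry"; ap_bad=1 ;;
        esac
    done
    return $ap_bad
}

# Constructed sample PATH (not from the post): a stray "::" and a trailing ".".
audit_path '/usr/bin::/bin:.' || echo "unsafe PATH entries listed above"
```

Run it against root's actual setting with `audit_path "$PATH"`; directories that do not exist are skipped rather than reported.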


