Re: shells refusing to run set[ug]id

Gregg Siegfried (grs@claircom.com)
Mon, 28 Mar 94 07:18 PST

> I can't speak for their authors, but I always thought they were
> designed to keep people from using set[ug]id shell scripts (which as I
> hope everyone here knows, are usually a big security hole).

In the "early" days of unix cracking, a very common strategy was to
obtain copies of the shell executable with the setuid bit on, owned
by some other user whose files one wished to invade, or most favorably,
the super user.  It isn't a terribly sophisticated attack by today's
standards.  Certain bugs in the OS (expreserve, timex) were used to
create one of these setuid shells, or alternately, the good old trojan
horse could be used.

By causing a shell to reset, or fail, if its real and effective uids do
not match, this sort of attack is slightly more difficult.  While certainly
not perfect, it may thwart or delay the more inept attacker.

Gregg Siegfried
grs@claircom.com
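An added example, not part of the original message: the startup check described above (real vs. effective ids compared, privileges reset to the invoking user on mismatch) written out in C. The function name privs_check_and_drop is this example's own, not from any particular shell.

```c
/* Added example: the real-vs-effective id check a shell can perform
 * at startup, as a stand-alone function. Name is this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Returns 1 if the process started with mismatched ids (it was run from
 * a set[ug]id executable) and privileges were dropped to the real ids,
 * 0 if the ids already matched. Aborts if the drop fails or does not
 * take effect: continuing with an elevated effective id is precisely
 * what the check exists to prevent. */
int privs_check_and_drop(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    if (ruid == euid && rgid == egid)
        return 0;                       /* nothing to do */

    /* Drop the group first: after the uid is dropped the process may
     * no longer be allowed to change its gid. On systems with a saved
     * set-user-id, setresuid/setresgid (where available) also clear
     * that slot; the POSIX calls used here reset the effective ids. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0) {
        perror("dropping set[ug]id privileges");
        abort();
    }
    /* Verify the drop actually took effect. */
    if (geteuid() != ruid || getegid() != rgid) {
        fputs("privilege drop did not stick\n", stderr);
        abort();
    }
    return 1;
}

int main(void)
{
    if (privs_check_and_drop())
        fputs("real/effective id mismatch: privileges dropped\n", stderr);
    else
        puts("ids match; running as the invoking user");
    return 0;
}
```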