LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 05-31-2011, 04:50 AM   #1
lumiao
LQ Newbie
 
Registered: May 2011
Posts: 1

Rep: Reputation: Disabled
What Risk Does World Writable Executable File Owned by Root Pose?


Hi

I have some questions on UNIX. Grateful if anyone can help.

If the 'OTHERS' category or WORLD can write to a directory that contains a WORLD writable, readable and executable file owned by root (-rwxrwxrwx), can a user of the system plant a Trojan Horse (malicious script) and execute it?

If he can execute the script, would the script run with permissions of the root user or the permissions of the user?

If the script can only run with the permissions of the user, can the user make changes such that the script can run wth root privilege such that system integrity can be compromised?

Thank you.
 
Old 05-31-2011, 05:19 AM   #2
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,063

Rep: Reputation: 381Reputation: 381Reputation: 381Reputation: 381
Quote:
Originally Posted by lumiao View Post
Hi

I have some questions on UNIX. Grateful if anyone can help.

If the 'OTHERS' category or WORLD can write to a directory that contains a WORLD writable, readable and executable file owned by root (-rwxrwxrwx), can a user of the system plant a Trojan Horse (malicious script) and execute it?
Well. The user will be able to edit the file, but, since the script will run under the effective UID of the current -unprivileged- user, it can only do the things the user would be able to do, and nothing else. So, the user can't just modify the script to run something like "cp -R /root/* $HOME" and run it to fetch the root files. However, this is still a very high risk unless you truly trust your user(s) for the reason I will explain below.

Quote:
If he can execute the script, would the script run with permissions of the root user or the permissions of the user?
Already cleared that out above. The script will run with the UID of the current user, with independence of the owner.

Quote:
If the script can only run with the permissions of the user, can the user make changes such that the script can run wth root privilege such that system integrity can be compromised?
Not easily, but as said above, the user won't be able to do what I said above (just an example), but s/he can still modify the file, and wait for you (the root user) to innocently run the modified script. And this time, he might be able to do the bad thing. This will be worse if there are lots of users with different degrees of power in your system.

Note that this is just an example. The user might be able to attack in some other ways. For example, if he's in the apache groups he could inject some php code to do some harm if there's a vulnerability. Again, a random example, any daemon could be susceptible from this kind of attack. Another thing to worry about is your sudo configuration.
 
1 members found this post helpful.
Old 05-31-2011, 05:29 AM   #3
divyashree
Senior Member
 
Registered: Apr 2007
Location: bbsr,orissa,India
Distribution: RHEL5 ,RHEL4,CENT OS5,FEDORA,UBUNTU
Posts: 1,363

Rep: Reputation: 135Reputation: 135
Quote:
If the 'OTHERS' category or WORLD can write to a directory
May be a sticky directory as /tmp
Quote:
If the 'OTHERS' category or WORLD can write to a directory that contains a WORLD writable, readable and executable file owned by root (-rwxrwxrwx), can a user of the system plant a Trojan Horse (malicious script) and execute it?
Yes, he can execute it, but it depend upon how the other user has permsions on the files that affects by the executable script because the script is owned by root not by the user..
Quote:
If he can execute the script, would the script run with permissions of the root user or the permissions of the user?
It will run on the permission of the user, not root.

Quote:
If the script can only run with the permissions of the user, can the user make changes such that the script can run wth root privilege such that system integrity can be compromised?
As I said if the directory is a sticky directory, you cant do any kind of modification to the file. If not a sticky direcory unless the executable has suid applied, you cant run it with root previleges..

Last edited by divyashree; 05-31-2011 at 05:30 AM.
 
Old 06-01-2011, 02:01 AM   #4
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,247

Rep: Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328Reputation: 2328
Just to expand on that last, suid on a file is not recognised by the kernel for 'scripting' langs, only compiled executables.
 
Old 06-01-2011, 02:36 AM   #5
markush
Senior Member
 
Registered: Apr 2007
Location: Germany
Distribution: Slackware
Posts: 3,979

Rep: Reputation: 850Reputation: 850Reputation: 850Reputation: 850Reputation: 850Reputation: 850Reputation: 850
Hello together,

the worst case I can think of is that a user modifies a program or script (which he/she can do because of the global writing-permissions), but root does not know about the changes and runs the script with root-permissions. Example: if a normal user has write permissions to the /sbin directory, he may replace the rm command with a modified version which by default runs with the -rf option.

Markus
 
1 members found this post helpful.
Old 06-01-2011, 10:30 AM   #6
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 7,480

Rep: Reputation: 2376Reputation: 2376Reputation: 2376Reputation: 2376Reputation: 2376Reputation: 2376Reputation: 2376Reputation: 2376Reputation: 2376Reputation: 2376Reputation: 2376
If you have a world-writable file owned by root, then I can replace its contents with any rogue program that I want to run with root's privileges.
 
1 members found this post helpful.
Old 06-02-2011, 01:35 AM   #7
divyashree
Senior Member
 
Registered: Apr 2007
Location: bbsr,orissa,India
Distribution: RHEL5 ,RHEL4,CENT OS5,FEDORA,UBUNTU
Posts: 1,363

Rep: Reputation: 135Reputation: 135
Quote:
Originally Posted by sundialsvcs View Post
If you have a world-writable file owned by root, then I can replace its contents with any rogue program that I want to run with root's privileges.
If sticky is applied on the dir, where the file is , will you able to do that ?
 
Old 06-02-2011, 03:10 AM   #8
markush
Senior Member
 
Registered: Apr 2007
Location: Germany
Distribution: Slackware
Posts: 3,979

Rep: Reputation: 850Reputation: 850Reputation: 850Reputation: 850Reputation: 850Reputation: 850Reputation: 850
Quote:
Originally Posted by divyashree View Post
If sticky is applied on the dir, where the file is , will you able to do that ?
As far as I understood, the OP didn't mention that for the considered directory the sticky-bit is set.

You are right, with the /tmp directory there is no problem.

But if you make any directory global writeable without setting the sticky-bit you will have the security issues described above.

Markus
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Hard disk encryption halves your available storage - does this also pose a risk? JacekZ Linux - Security 3 02-26-2011 12:09 PM
How to find root owned world writable files? pinga123 Linux - Newbie 23 10-14-2010 08:30 AM
BlackBerrys pose 'security risk' say UAE authorities Jeebizz Linux - News 0 07-26-2010 09:40 AM
root-owned file is able to be deleted with my non-root account win32sux Linux - Security 3 11-18-2008 03:00 AM
Make a file owned by root owned by a user sharpie Linux - Newbie 2 02-26-2004 02:26 AM


All times are GMT -5. The time now is 12:30 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration