Hi

I have some questions on UNIX. Grateful if anyone can help.

If the 'OTHERS' category or WORLD can write to a directory that contains a WORLD writable, readable and executable file owned by root (-rwxrwxrwx), can a user of the system plant a Trojan Horse (malicious script) and execute it?

If he can execute the script, would the script run with permissions of the root user or the permissions of the user?

If the script can only run with the permissions of the user, can the user make changes such that the script can run wth root privilege such that system integrity can be compromised?

Thank you.

Well. The user will be able to edit the file, but, since the script will run under the effective UID of the current -unprivileged- user, it can only do the things the user would be able to do, and nothing else. So, the user can't just modify the script to run something like "cp -R /root/* $HOME" and run it to fetch the root files. However, this is still a very high risk unless you truly trust your user(s) for the reason I will explain below.

Already cleared that out above. The script will run with the UID of the current user, with independence of the owner.

Not easily, but as said above, the user won't be able to do what I said above (just an example), but s/he can still modify the file, and wait for you (the root user) to innocently run the modified script. And this time, he might be able to do the bad thing. This will be worse if there are lots of users with different degrees of power in your system.

Note that this is just an example. The user might be able to attack in some other ways. For example, if he's in the apache groups he could inject some php code to do some harm if there's a vulnerability. Again, a random example, any daemon could be susceptible from this kind of attack. Another thing to worry about is your sudo configuration.

1 members found this post helpful.

May be a sticky directory as /tmp
Yes, he can execute it, but it depend upon how the other user has permsions on the files that affects by the executable script because the script is owned by root not by the user..
It will run on the permission of the user, not root.

As I said if the directory is a sticky directory, you cant do any kind of modification to the file. If not a sticky direcory unless the executable has suid applied, you cant run it with root previleges..

Just to expand on that last, suid on a file is not recognised by the kernel for 'scripting' langs, only compiled executables.

Hello together,

the worst case I can think of is that a user modifies a program or script (which he/she can do because of the global writing-permissions), but root does not know about the changes and runs the script with root-permissions. Example: if a normal user has write permissions to the /sbin directory, he may replace the rm command with a modified version which by default runs with the -rf option.

Markus

1 members found this post helpful.

If you have a world-writable file owned by root, then I can replace its contents with any rogue program that I want to run with root's privileges.

1 members found this post helpful.

If sticky is applied on the dir, where the file is , will you able to do that ?

As far as I understood, the OP didn't mention that for the considered directory the sticky-bit is set.

You are right, with the /tmp directory there is no problem.

But if you make any directory global writeable without setting the sticky-bit you will have the security issues described above.

Markus

1 members found this post helpful.