LinuxQuestions.org
Old 11-10-2004, 06:23 AM   #1
prabhatsoni
Member
 
Registered: Oct 2004
Location: India
Distribution: FC 12
Posts: 233

Rep: Reputation: 30
insecurity in suid-to-root


It has been heard a lot of times that the set uid to root opens the doors wide open to hackers and crackers. Inexplicably (to me) it is so patent to others that no explanation is available. Can anyone enlighten a greenhorn like me as to how a suid to root is insecure?

-Prabhat Soni
 
Old 11-10-2004, 02:37 PM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
When you set UID root (suid) on a particular file, that means that any commands executed from that file will have root privileges. If the file is a shell script and an attacker can figure out a way to inject commands into that shell script, it can then be run with root privileges and do things like change the root password, create new users, copy the password shadow file, etc. If the file is a binary file, exploits are still possible, for instance if there's a buffer overflow condition possible, an attacker can trigger the buffer overflow and have the program in memory execute their code with root privileges.

The fewer suid root files you have, the less chance they can be exploited. suid shell scripts are especially dangerous since it's easy to get permissions wrong (or some other program might be able to write to them) and thus it's very easy to inject commands into them.
 
Old 11-10-2004, 03:21 PM   #3
bignerd
Member
 
Registered: Nov 2004
Distribution: FC1, Gentoo, Mdk 8.1, RH7-8-9, Knoppix, Zuarus rom 3.13
Posts: 98

Rep: Reputation: 15
There is no such thing as suid root.

Woo.. everyone looks on in shock!

That's a common misnomer that floats around the unix/linux world from time to time. SUID stands for Set User ID. The purpose of this permission flag is to allow an executable to run with the permission of the file's owner rather than the user that is executing the file. If the executable file is owned by 'bubba', 'tom', 'bin' or whatever.. the suid bit does just as it's supposed to, which is cause the executable to execute with the privileges of the owner, not the user. And if the executable file is owned by root and has the suid bit set then guess what.. it will execute with root privileges.

Shell script suid bits have not been honored by the Linux kernel for many years now. I don't know the history of every unix kernel so your mileage may vary depending on the OS you are using. Even perl scripts are refused the suid bit action unless you have a special perl mod installed.. perl-suid or some such. You can set the suid bit.. the kernel will just choose to ignore you.

So. Why is an executable (other than a script) that is both owned by root and suid bad? Not all are. You just have to know what you are doing and code the executable so that it is "fool proof". An example of a really bad idea would be to set some executables like cat, chown, chmod, so on as suid since they are owned by root.

Let's say I set chown as suid. This file is owned by root so now any user could call chown and it would run as if root had called it. Any user could change the owner of any file on the system. This would allow them access to any file. Chmod that is suid would allow any user to change the permissions of any file on the system. Not a very secure environment.

Feel free to copy chmod to the tmp directory and set it suid. Then log on as a normal unprivileged user and see how you can now use chmod to mod the permissions of files you would normally not have access to. Just remember to not let anyone else on the system while you are experimenting and delete the insecure copy of chmod when you are done.

That's just the tip of the problem. There is also the case where a program is not coded securely but has suid set and the owner is root. Chort has already given hints as to why this could be a problem.

We speak mostly of root because this is the worst case.. root is king.. but the problem can be just as bad if the owner is anyone other than the user. If you owned an executable and it was suid there is always the potential another user can use that file to view, modify, delete any file that you own.

-b
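
An audit sketch for the points made in the two replies above (added example, not part of the original thread): it lists every set-UID file under a directory and flags the cases discussed, namely root ownership, files others can write to, and scripts. The function name `audit_suid` is hypothetical, and GNU `stat -c` (as found on Linux) is assumed.

```shell
#!/bin/sh
# audit_suid DIR
# Print one line per set-UID regular file under DIR:
#     FLAGS OWNER_UID MODE PATH
# FLAGS is "-" or a comma-separated list of:
#   root      owner is uid 0, so the program runs with root privileges
#   writable  group- or world-writable, so someone other than the owner
#             may be able to change what the file does
#   script    starts with "#!"; the Linux kernel ignores the suid bit on
#             scripts, so the bit is at best useless here
# Assumes GNU stat; paths containing newlines are not handled.
audit_suid() {
    dir=${1:-/}
    # -xdev keeps the search on one filesystem; -perm -4000 matches suid.
    find "$dir" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        # "%u %a" gives the numeric owner and octal mode, e.g. "0 4755".
        info=$(stat -c '%u %a' "$f" 2>/dev/null) || continue
        uid=${info% *}
        mode=${info#* }
        flags=
        if [ "$uid" -eq 0 ]; then
            flags=root
        fi
        # 022 masks the group-write and other-write permission bits.
        if [ $((0$mode & 022)) -ne 0 ]; then
            flags=${flags:+$flags,}writable
        fi
        if head -c 2 "$f" 2>/dev/null | grep -q '^#!'; then
            flags=${flags:+$flags,}script
        fi
        printf '%s %s %s %s\n' "${flags:--}" "$uid" "$mode" "$f"
    done
}
```

Run it as `audit_suid /` with enough privileges to read every directory, and compare the output against the list of set-UID programs you actually need.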
 
Old 11-13-2004, 03:03 AM   #4
prabhatsoni
Member
 
Registered: Oct 2004
Location: India
Distribution: FC 12
Posts: 233

Original Poster
Rep: Reputation: 30
Hello everybody,
Thanks for everything. My query was relevant to binary files only. I was of the view that a C program duly compiled and then suid to root could not be exploited. But it seems that even that can be exploited. A few more lines about this buffer overflow loophole (how they do it) would be highly appreciated. Anybody there?

Thanks in advance.

Prabhat Soni
 
Old 11-13-2004, 03:39 AM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
A buffer overflow is only one example. Other common problems are string format attacks and return into libc exploits. All of these problems are caused by sloppy programming, especially in C since there's no garbage collection or enforced bounds checking (or automatic memory allocation).

If you want to understand how the attacks work (in depth), you could read the book Hacking: The Art of Exploitation by Jon Erickson. There are also several books available on how to write secure code and secure coding practices.
 
Old 11-13-2004, 03:57 AM   #6
perfect_circle
Senior Member
 
Registered: Oct 2004
Location: Athens, Greece
Distribution: Slackware, arch
Posts: 1,783

Rep: Reputation: 53
The buffer overflow attack was used for the first time (not sure but I think so) by Robert Morris and the infamous internet worm back in 1988 to get access using the finger server. But it became well known by the moderator of the bugtraq mailing list, Aleph One, who wrote an article for Phrack Magazine explaining what this attack is. The article is titled Smashing the Stack for Fun and Profit.
 
  

