Mailinglist Archive: opensuse (4749 mails)

< Previous Next >
Re: [SLE] Root PATH
  • From: Anders Johansson <andjoh@xxxxxxxxxx>
  • Date: Mon, 12 May 2003 01:18:37 +0200
  • Message-id: <200305120118.37807.andjoh@xxxxxxxxxx>
On Monday 12 May 2003 01:05, Thomas Jones wrote:
> On Sunday 11 May 2003 17:06, Anders Johansson wrote:
> > On Monday 12 May 2003 00:05, Thomas Jones wrote:
> > > PATH=$USER/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin
> >
> > yikes. So a malicious user on your system would create /tmp/root/bin/cp
> >
> > or some other common command, and just wait. Not a good idea to have
> > relative paths in $PATH
>
> ahhh..hhhahhh.
>
> But how different is /root and /tmp/root?

One is world writeable, the other isn't.

>
> Upon using $USER/bin how does the shell interpret this?

if you're logged in as root, it will be interpreted as "root/bin". Note
there's no leading /. That makes the path relative.

> It will call upon
> the $USER decalaration. This is not a configurable option. I can't just go
> into my .profile and alter my $USER declaration to make me root. IT
> regardless won't give me any mroe permissions. It is all based off the UID.

indeed.

>
> A user could just compile a "malicious" binary from say "fdisk".

I was thinking more along the lines of

cp /bin/bash /tmp/.hiddensuidbash
chmod u+s /tmp/.hiddensuidbash

followed by running the real program, to avoid immediate suspicion. A classic
trojan. A similar incident is described in Practical Unix & Internet
Security, only there it was an admin with . in the path. The end result is
the same.

> And rename
> it to "cp". But, how is that any different than calling it like this:
>
> tjones@suse:/tmp> ./cp
>
> It's exactly the same. No difference.

You, as the system admin, are logged in as root. Casually, you go to /tmp to
copy some backup you've just restored (or whatever).

cd /tmp
cp /mnt/nfsshare/myBackUp .

which cp will be executed? Which will be executed if you run ./cp ? I think
there's a difference. If you actually type out ./ there's a good chance you
know which binary you're running.


< Previous Next >
Follow Ups