[Bug 331043] New: Su allows echo from stdin when no other distro I can find does.
https://bugzilla.novell.com/show_bug.cgi?id=331043

Summary: Su allows echo from stdin when no other distro I can find does.
Product: openSUSE 10.3
Version: Final
Platform: Other
OS/Version: openSUSE 10.3
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: fm0nk3y@yahoo.co.uk
QAContact: qa@suse.de
Found By: ---

As the title says I think this is a major security flaw. After checking with another distro I find that this command won't work but does on Suse 10.3.

    echo "passwd" | su -c ifconfig

Now on the surface this doesn't seem that bad, but when it turns into something like this:

    for i in `egrep '^.{5,5}$' /var/lib/dict/words`; { echo $i | sed 's/o/0/g' | su -c ifconfig;}

I hope you can see my concerns. So my question is: is this a design detail or a slip? Having had some feedback I also find this is applicable to 10.1. I also suspect 10.2 and a few other versions. If this is a design detail may I ask the reason, as I for one can't see a reasoning to allow su to take the passwd from stdin.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=331043

Christian Boltz <suse-beta@cboltz.de> changed:

What        |Removed                                    |Added
------------+-------------------------------------------+----------------------
CC          |                                           |suse-beta@cboltz.de
AssignedTo  |bnc-team-screening@forge.provo.novell.com  |security-team@suse.de
Component   |Basesystem                                 |Security
https://bugzilla.novell.com/show_bug.cgi?id=331043#c1

Henk van Velden <henk.vanvelden@xs4all.nl> changed:

What  |Removed  |Added
------+---------+----------------------------
CC    |         |henk.vanvelden@xs4all.nl

--- Comment #1 from Henk van Velden <henk.vanvelden@xs4all.nl> 2007-10-06 12:14:04 MST ---

The same for 10.2. And this is a security leak.
https://bugzilla.novell.com/show_bug.cgi?id=331043#c2

Ludwig Nussel <lnussel@novell.com> changed:

What        |Removed  |Added
------------+---------+---------
Status      |NEW      |RESOLVED
Resolution  |         |INVALID

--- Comment #2 from Ludwig Nussel <lnussel@novell.com> 2007-10-08 02:05:43 MST ---

su uses pam's standard misc_conv function to acquire the password. Even if that one wouldn't read from stdin but from the tty only you could still use e.g. 'expect' to script entering the password. So I don't share the security concerns. If you don't trust your users you can try pam_wheel or pam_tally to restrict use of 'su'.
https://bugzilla.novell.com/show_bug.cgi?id=331043#c3

--- Comment #3 from S cLARKE <fm0nk3y@yahoo.co.uk> 2007-10-08 05:15:35 MST ---

You're not the first person to tell me how to get around it; now I'm fully aware how to, that's not been my question. Do a simple search for passing password to su in Google, you'll find many references to it not being possible without, as you put it, other means (or use Suse). Surely one extra fence is better than one less, no?

Surely this isn't just users, so you're saying that if I wished to use external connections like ssh etc., that the security on Suse isn't good enough as default? And then I'll have to force my users via other means. I think if nothing else you should make your users aware, as I see an easy way to escalate users' rights to root, if using things like ssh.

I find it really strange that a distro that prides itself on security finds this behaviour acceptable yet many other distros don't. But I suspect this we'll end here.
https://bugzilla.novell.com/show_bug.cgi?id=331043#c4

--- Comment #4 from S cLARKE <fm0nk3y@yahoo.co.uk> 2007-10-08 05:27:14 MST ---

I've yet to be given one good reason why it's needed. So far it's because of some pam's standard misc_conv function, so change it from standard.
https://bugzilla.novell.com/show_bug.cgi?id=331043#c5

--- Comment #5 from Henk van Velden <henk.vanvelden@xs4all.nl> 2007-10-08 10:01:56 MST ---

As said: when tty is used you could use 'expect' to still do the same. We did it in a script changing password by the 'password' command on several *nix OSes. So when there is one way you could really ask how important it is to block a similar way.
https://bugzilla.novell.com/show_bug.cgi?id=331043#c6

Christian Boltz <suse-beta@cboltz.de> changed:

What        |Removed   |Added
------------+----------+---------
Status      |RESOLVED  |REOPENED
Resolution  |INVALID   |

--- Comment #6 from Christian Boltz <suse-beta@cboltz.de> 2007-10-09 05:49:44 MST ---

I'd like to highlight the usage of "echo |" and "expect" a bit (at least the usage I expect).

The fact that "expect" can still feed the password to su isn't really relevant IMHO because:
- "expect" is usually not used by newbies, and experts hopefully know what they are risking
- you can call any password prompt (root password? encrypted partition? SSH key passphrase? GPG key passphrase?) useless when arguing with expect.
- you can even consider passwords useless at all if people have physical access to the machine (hint: init=/bin/bash)

OTOH, "echo password | su" can be easily run by newbies.
- It's the next "logical" step after learning what the pipe does
- I don't think everybody who can use the pipe knows about the security risks when passing along the password this way
- "echo password | su" might even end up in the bash history

Summary: If su wouldn't read STDIN, 90% of the people [cw]ouldn't use this insecure way. Only the remaining 10% (or even less) know about expect. Additionally, most of these 10% won't take the risk and/or know better solutions (like allowing a specific command to run passwordless with sudo). So there will be a risk reduction of >90% with this change.

We all know that it's nearly impossible to have a 100% secure system, so let's at least have a 90% secure one ;-)
https://bugzilla.novell.com/show_bug.cgi?id=331043#c7

Ralph Jones <rjones@scribbleware.net> changed:

What  |Removed  |Added
------+---------+---------------------------
CC    |         |rjones@scribbleware.net

--- Comment #7 from Ralph Jones <rjones@scribbleware.net> 2007-10-09 14:25:10 MST ---

This also leaves vulnerable the careless user who writes a script for convenience and leaves a plain text fingerprint of their own, or others' (including root's) passwords. It's not impossible (or even improbable) that Joe User decides to automate a few commands in a script, echoes some passwords to su in the script, but doesn't pay attention to the read permissions of the scriptfile. Later, Becky User comes along, sees the new scriptfile and gets curious... because she may have similar group permissions, reads the file and bingo... just learned a new password.
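Comments #6 and #7 describe the residual exposure: the password ends up in shell history or in a convenience script that other users can read. As an added example (not code from the bug report or from openSUSE), here is a small audit that flags lines piping echo/printf into su and reports whether the file is group- or world-readable; the sample file names, contents and permission modes are constructed.

```python
import re
import stat
import tempfile
from pathlib import Path

# A literal fed through echo/printf and piped (possibly via other filters) into su,
# i.e. the "echo password | su -c ..." idiom from the report. `su\b` excludes sudo.
PIPED_SU_RE = re.compile(r"\b(?:echo|printf)\b[^|\n]*\|(?:[^|\n]*\|)*\s*su\b")

def find_piped_su_lines(text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for every line that pipes echo/printf into su."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if PIPED_SU_RE.search(line)]

def is_shared_readable(path: Path) -> bool:
    """True when group or others can read the file (the exposure in comment #7)."""
    return bool(path.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH))

def audit_dir(root: Path) -> list[dict]:
    """Audit regular files under root; a hit in a shared-readable file is the worst case."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        hits = find_piped_su_lines(p.read_text(errors="replace"))
        if hits:
            findings.append({"path": p.name, "lines": [n for n, _ in hits],
                             "shared_readable": is_shared_readable(p)})
    return findings

def build_demo_dir() -> Path:
    """Constructed sample files (not from any real host) so the audit runs offline."""
    d = Path(tempfile.mkdtemp(prefix="su_audit_"))
    samples = {
        # convenience script with a hard-coded placeholder password, world-readable
        "backup.sh": ("#!/bin/sh\necho \"PLACEHOLDER_PW\" | su -c 'tar czf /root/etc.tgz /etc'\n", 0o644),
        # the pipeline from the report, left behind in shell history (owner-only)
        ".bash_history": ("ls -la\necho $i | sed 's/o/0/g' | su -c ifconfig\n", 0o600),
        # the sudo-based alternative comment #6 recommends: no finding
        "clean.sh": ("#!/bin/sh\nsudo /sbin/ifconfig\n", 0o644),
    }
    for name, (content, mode) in samples.items():
        (d / name).write_text(content)
        (d / name).chmod(mode)
    return d

if __name__ == "__main__":
    for f in audit_dir(build_demo_dir()):
        print(f"{f['path']}: lines {f['lines']}, shared_readable={f['shared_readable']}")
```

Point audit_dir at a home directory tree to find the scripts and history files comment #7 warns about; a finding with shared_readable=True is the one to act on first.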
https://bugzilla.novell.com/show_bug.cgi?id=331043

User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=331043#c8

Ludwig Nussel <lnussel@novell.com> changed:

What        |Removed   |Added
------------+----------+---------
Status      |REOPENED  |RESOLVED
Resolution  |          |WONTFIX

--- Comment #8 from Ludwig Nussel <lnussel@novell.com> 2008-03-06 09:50:25 MST ---

Behavior will stay as is for now.