various little tidbits

Author: der.hans
Date:  
Subject: various little tidbits
On 11 Aug 2003, Alan Dayley said:

> On Monday 11 August 2003 08:13 pm, der.hans wrote:
> > I always setup my $PATH to have all the sbin dirs. It's not a security
> > problem. Keep '.' out of your $PATH. If you have to have it in there make
> > sure it's the last entry.
>
> Why is it not a security concern?


Do you mean s/not// on that sentence?

I'll presume so.

df
ps
uptime

The shell looks for commands in the directories in your $PATH, in the order
listed in $PATH.

If you have $PATH setup properly you'll (probably) end up with the following:

/bin/df
/bin/ps
/usr/bin/uptime

Now try 'fred'. For most of us that should end up in a command not being
found. Some of us might have a 'fred' in ~/bin or ~/lokal/bin.

Then there are people like me that have freds lying around all over the
place from one-off tests that didn't get deleted. If that one-off test
happened to be "rm -rf ~/" I won't be too happy about it going off.

Now what if you happen to be in someone else's directory and they have a df
something like the following.

$ cat /tmp/df
#!/bin/sh

touch /tmp/mybackdoor
chmod 7777 /tmp/mybackdoor

df "$@"


That'll create a file owned by you that is setuid and writable by anyone.

$ sh /tmp/df
Filesystem           1K-Blöcke   Benutzt Verfügbar Ben% Eingehängt auf
/dev/hda2             38811848  21367652  17444196  56% /
$ ls -l /tmp/mybackdoor
-rwsrwsrwt    1 lufthans lufthans        0 2003-08-11 22:19 /tmp/mybackdoor


It's actually not too dangerous for shell scripts because setuid is ignored,
but 'touch /tmp/mybackdoor' could easily be 'cp .hidden/mybackdoor
/tmp/mybackdoor', where mybackdoor is a small binary wrapper for something
else.


> Why have it as the last entry?


If dot is first you'll call ./df before calling /bin/df, which definitely
sets you up. At least with dot as the last entry you should only get nailed
on non-existent commands. Then again, how many people typo stuff on a
regular basis? :)

ciao,

der.hans
-- 
#  https://www.LuftHans.com/    http://www.AZOTO.org/
#  "Communications without intelligence is noise;
#  Intelligence without communications is irrelevant."
#  Gen. Alfred. M. Gray, USMC
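As an added example (not from der.hans's post or anyone else on the list), here is a POSIX shell script that walks a PATH string in the same left-to-right order the shell uses, shows which file a name such as df or fred would resolve to, and flags the entries that make the /tmp/df trick work: '.', empty entries (a leading, trailing or doubled colon), relative entries, and world-writable directories. The function names resolve_cmd, check_path_entry and audit_path are my own; the audit reports the position of each risky entry because, as the post says, a first-entry dot shadows /bin while a last-entry dot only catches typos and missing commands.

```shell
#!/bin/sh
# Added example, not code from the post: PATH lookup order and a PATH audit.

# resolve_cmd NAME PATHSTRING
# Prints the first executable NAME found walking PATHSTRING left to right,
# exactly as the shell does. An empty entry or '.' resolves against the
# current directory, which is how a planted ./df gets run.
resolve_cmd() {
    name=$1
    rest=$2:                      # trailing ':' terminates the loop below
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        dir=${entry:-.}           # empty entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    printf '%s: command not found\n' "$name" >&2
    return 1
}

# check_path_entry ENTRY
# Prints a reason and returns 1 if ENTRY lets someone else's file shadow a
# real command; returns 0 otherwise.
check_path_entry() {
    entry=$1
    case "$entry" in
        ''|.) echo "risky: '$entry' searches the current directory"; return 1 ;;
        /*)   ;;
        *)    echo "risky: '$entry' is relative, resolved against the cwd"; return 1 ;;
    esac
    # An absolute directory anyone can write to (/tmp, sticky bit or not)
    # lets anyone drop a 'df' there. The ninth mode character of 'ls -ld'
    # is the other-write bit; this avoids the differing stat(1) flags.
    if [ -d "$entry" ]; then
        case "$(ls -ld "$entry")" in
            ????????w*) echo "risky: '$entry' is world-writable"; return 1 ;;
        esac
    fi
    return 0
}

# audit_path PATHSTRING
# Checks every entry in order; the exit status is the number of risky
# entries, so 0 means clean. Findings go to stdout with their position.
audit_path() {
    rest=$1:
    pos=0
    bad=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        pos=$((pos + 1))
        check_path_entry "$entry" || {
            bad=$((bad + 1))
            if [ -n "$rest" ]; then
                echo "  (entry $pos, ahead of the rest of PATH: it shadows them)"
            else
                echo "  (entry $pos, last: only missing commands and typos hit it)"
            fi
        }
    done
    return $bad
}

# Demo on this shell's own PATH: where the post's three commands resolve,
# then the audit. Missing commands are just reported, not fatal.
for c in df ps uptime; do
    resolve_cmd "$c" "$PATH" || true
done
audit_path "$PATH" || echo "-> $? risky PATH entries"
```

Run it as-is to audit your own environment, or call audit_path with any colon-separated string to see how a given entry order would behave. The sticky-bit case is deliberately still flagged: /tmp is 1777 on most systems and that is exactly the directory the post's example lives in.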