/bin/sh: the biggest Unix security loophole (1984) [pdf] (opens in new tab)

(tuhs.org)

101 pointsvitplister1y ago54 comments

54 comments

I had the "joy" of watching some guys from Perforce setup a new p4 instance.

They confed /etc/sudoers so that the perforce user can run everything as root without providing a password. I told them that this is really a bad idea, and they pulled up one of their setup guides with "enhanced security hardening".

It ended up with ~35 specific entries for binaries in sudoers, one of them being /usr/sbin/setcap - which allows you to give e.g. the Python interpreter CAP_SETUID, making a privilege escalation to root trivial again.

dehrmann1y ago

We love to praise Unix, but it wasn't built for modern multi-user use. FUSE was an after-thought. So were package managers, and they got added, but they require root. Users aren't sandboxed, so they can see what others are doing. These were just off the top of my head.

Vogtinator1y ago

For multiple users on the same server it was IMO well designed. Everyone had their ~ and could place whatever libraries/binaries/etc. in there and do whatever they wanted.

Package managers are way more modern than that and their design does by itself not require root (see pip). You can in fact run most package managers without root, you just won't be able to modify system files. You can use them to install a chroot as regular user, e.g. `zypper --installroot ~/tw install bash`.

FUSE doesn't really relate to single vs. multi-user AFAICT.

Users are perfectly sandboxed if you configure the system that way. Depending on the distribution that's even the default.

IshKebab1y ago

Oh yeah? How can I install Clang using Apt without root?

2 more replies

jeroenhd1y ago

Unix was very much made for multi user environments. The problem with staying compatible with Unix today is that back when Unix came to be, everyone on the system was more or less trusted. The biggest security concern was making sure that everyone who was logged in was billed correctly.

On succifiently offline systems, you can still run software like that. It's quite freeing to have a server with 777 on your home directory when the biggest problem it'll cause is someone pranking you by altering your terminal color scheme to something hideous.

noinsight1y ago

> Unix was very much made for multi user environments. ... The biggest security concern was making sure that everyone who was logged in was billed correctly.

I don't know about that... It doesn't even support multiple administrators. And you can't even distinguish between actions performed by the system itself and the administrative user.

Yes I know about sudo.

What do you need to do and what do the (even audit) logs say about who performed an activity whenever administrative activity happens?

2 more replies

adrian_b1y ago

Multics had much more complex security, with access-control lists.

The authors of Unix have taken most of the concepts of an hierarchical file system from Multics, the main exception being the security features, which have been replaced with the simpler owner-group-all permission bits, together with features like setuid/setgid, which may be OK for simple use cases but which is inadequate for a system with many users, where not all of them can be trusted.

fph1y ago

Is multi-user use "modern"? Back in the days everyone shared the same mainframe, now I'd say most computer systems have a single user.

adrian_b1y ago

While most computers are personal computers, which have a single real human user, you still have to run a lot of untrusted programs, like the Internet browsers or whatever programs you might download from dubious sources.

While perhaps the term "user" is no longer the best, there is a need even more than before to run programs with limited rights, corresponding to the rights of some pseudo-users, which should not be able to access or modify anything belonging to the real human user, unless a special permission is granted.

2 more replies

Dwedit1y ago

Shared Web Hosting still uses multiple users.

anthk1y ago

Unix 2.0 (plan9/9front) has namespaces.

supriyo-biswas1y ago

Loopholes of this kind exist these days as well.

When I was working for a major retailer, who, you'd assume would have thought about these things well enough, you were prevented from executing sudo, except for being able to use it for text editing (sudo vi). I needed to install some packages with a root shell at the time, so I used the command execution feature within vi to get that.

netsharc1y ago

In the Middle Ages, when Internet access wasn't in your pocket all the time, I was in a hostel which had Internet kiosks, you'd put a coin in a machine, and the PC would start 2 browser windows: 1 with just a countdown, and one for you to browse. You'd have to put more coins or when the time ends the browser would be killed.

Of course there was nothing else in the UI except this window and the browser, but on ancient Firefox, in the print window you had the option to specify the command line to print. I tried "xterm", hit "Print", and voila, a prompt!

Using ps, I managed to figure out the difference between the unpaid browser and the paid one, and next time around I could launch a browsing session without payment...

lostlogin1y ago

This is excellent, and while I’m guessing that you could have paid, browsed and moved on with less effort, that wasn’t the point.

fargle1y ago

that's pretty low effort, so not really. but cool. win-win.

denysvitali1y ago

There's a collection of these binary escapes: https://gtfobins.github.io/

mingus881y ago

As someone who used to sysadmin and was well aware of this trick, sometimes a developer or dba will bully their way through leadership to make sure they never need to ask for permission to edit their configs

We all knew it was a bad idea but when your boss and their boss say do it, it’s done.

I’m pretty sure the dba (autocorrect magically suggested “diva” here) knew as well and just wanted a backdoor to have root for whatever they wanted.

I later busted the same team applying patches out of band with tripwire. Hey, wonder how you pulled that off…

josephcsible1y ago

Nobody should ever need permission to edit their own configs. E.g., if a box is used solely as a database server, then the DBAs should have full root to it.

fargle1y ago

they only needed a backdoor root because you're a gatekeeping dick and they wanted to get their job done without having to "deal" with your shit.

OMG. they applied unapproved patches! to the product they were responsible for making work.

mingus881y ago

lol, restricting administrative access to the administrators is pretty much a security best practice in every company everywhere.

Ever heard of the principle of least privilege?

They didn’t give me admin in the database and I don’t want it. They aren’t trained in the system and if you’ve ever seen what kind of mess a bunch of amateurs can make of a shared system you wouldn’t sound like such an idiot right now

Ill be sure to tell the auditors that they are gatekeeping dicks for requiring change management on the financial databases

1 more reply

NewJazz1y ago

Why were they applying patches? And what were they patching? What were the consequences when you busted them?

mingus881y ago

These were solaris 8 or 9 patches for some Oracle DB. Patch management back then was wild and conflicting patches could cause problems.

Of course there were no consequences for someone bypassing the approval process and doing unscheduled changes as root. Now, if my team had made those changes without running it past the DBAs...

saagarjha1y ago

My high school computer lab had an incredibly incompetent admin whose idea of security was to look through the bash history of problem students and go from there. Anyway, at one point they decided that someone had used cp to copy things to places they should’ve have been (did I mention they didn’t really understand UNIX permissions?) they decided to just remove cp altogether. So of course I made a fake cp (in Java, because that was all I knew at the time) to replace it.

tiberious7261y ago

My favorite is pressing '!' while inside a sudoed or setuid less.

more_corn1y ago

I once encountered a good anti sudo control. Execute sudo and you get a warning “log in as root instead!” Firstly, no Secondly did you just “prevent” sudo by aliasing it?

raffraffraff1y ago

Not too mention that you can edit anything you want, like the sudoers file.

FergusArgyll1y ago

That's like a beginner level CTF! sheesh

akimbostrawman1y ago

I would assume sudoedit could have preventing that

mixdup1y ago

Setting aside all of the technical aspects of this, the history of this in the world of UNIX, I just love the process and bureaucracy that generated this specific paper document. The very formal cover sheet (and the fact that it had an accompanying, separate, numbered instruction document), the pre-determined layout and format of a Technical Memorandum, and the fact that this was published as such a memorandum with filing and control numbers that will be researched and looked up in a library instead of just a blog or post on Medium

We used to be a real society

somytomy1y ago

Depends where you work. Judging from reading HN, 95% of all devs here are writing webshitapps for companies that don't give a flying eff about development, just profits. I develop embedded hardware for tier 1 automotive manufacturers, and we have to adhere to several ISO standards, and a number of tools for managing documentation and code hygiene. Traceability of requirements, security, functional safety, and risk assessments are associated with every single decision and every single code commit. It is a lot of documentation, but I'm a pedant and I love it. It is a design process for adults, by adults.

mixdup1y ago

Yeah, this kind of memo and process probably still exists at places like NASA as well

teddyh1y ago

> They did not invent UNIX but they try harder

I fear that this reference to an old Avis advertising slogan may be lost to a modern audience.

0xbadcafebee1y ago

It's the same today, only it's webapps instead of unix utilities. Simplest bugs in the world, still devs don't pay attention to them. Simple like not sanitizing inputs, injecting stuff straight into sql queries or exec commands, dumping customer data / passwords / all environment variables into logs and error messages, etc.

pengaru1y ago

Wow, they even used the accurate term "crackers", I feel so old.

nayuki1y ago

Indeed. I learned from reading the jargon file in ~2005: http://catb.org/jargon/html/C/cracker.html , http://catb.org/jargon/html/H/hacker.html

gonzo1y ago

If enough time passes and we don’t die, we get old.

1984 was 40 years ago.

0xbadcafebee1y ago

It's nice to know that when I was born, there was a guy just like me, writing snarky annoyed memos about the stupid security holes in our systems.

athrowaway3z1y ago

>Ritchie is the inventor of the elegant setuid concept, for which a patent was awarded.

Do organization still apply for these kind of patents?

fargle1y ago

yes. most very large corps. that like to keep patent portfolios will encourage engineers to patent (assigned to the co. of course) anything slightly creative or unusual. or sometimes anything at all that sounds slightly technical.

the engineer gets his name on the patent and maybe a bit of prestige. the org gets another (sometimes bad) patent in the portfolio.

skimming the patent https://patents.google.com/patent/US4135240A/en it seems actually pretty well drafted and pretty good (patentable).

zahlman1y ago

Interesting piece of history. The actual exploit techniques have a real flavour of SQL injection about them.

chrisding1y ago

Interesting piece of history.

j / k navigate · click thread line to collapse

54 comments

panki271y ago

I had the "joy" of watching some guys from Perforce setup a new p4 instance.

dehrmann1y ago

Vogtinator1y ago

For multiple users on the same server it was IMO well designed. Everyone had their ~ and could place whatever libraries/binaries/etc. in there and do whatever they wanted.

FUSE doesn't really relate to single vs. multi-user AFAICT.

Users are perfectly sandboxed if you configure the system that way. Depending on the distribution that's even the default.

IshKebab1y ago

Oh yeah? How can I install Clang using Apt without root?

2 more replies

jeroenhd1y ago

noinsight1y ago

> Unix was very much made for multi user environments. ... The biggest security concern was making sure that everyone who was logged in was billed correctly.

I don't know about that... It doesn't even support multiple administrators. And you can't even distinguish between actions performed by the system itself and the administrative user.

Yes I know about sudo.

What do you need to do and what do the (even audit) logs say about who performed an activity whenever administrative activity happens?

2 more replies

adrian_b1y ago

Multics had much more complex security, with access-control lists.

fph1y ago

Is multi-user use "modern"? Back in the days everyone shared the same mainframe, now I'd say most computer systems have a single user.

adrian_b1y ago

2 more replies

Dwedit1y ago

Shared Web Hosting still uses multiple users.

anthk1y ago

Unix 2.0 (plan9/9front) has namespaces.

supriyo-biswas1y ago

Loopholes of this kind exist these days as well.

netsharc1y ago

Using ps, I managed to figure out the difference between the unpaid browser and the paid one, and next time around I could launch a browsing session without payment...

lostlogin1y ago

This is excellent, and while I’m guessing that you could have paid, browsed and moved on with less effort, that wasn’t the point.

fargle1y ago

that's pretty low effort, so not really. but cool. win-win.

denysvitali1y ago

There's a collection of these binary escapes: https://gtfobins.github.io/

mingus881y ago

We all knew it was a bad idea but when your boss and their boss say do it, it’s done.

I’m pretty sure the dba (autocorrect magically suggested “diva” here) knew as well and just wanted a backdoor to have root for whatever they wanted.

I later busted the same team applying patches out of band with tripwire. Hey, wonder how you pulled that off…

josephcsible1y ago

Nobody should ever need permission to edit their own configs. E.g., if a box is used solely as a database server, then the DBAs should have full root to it.

fargle1y ago

they only needed a backdoor root because you're a gatekeeping dick and they wanted to get their job done without having to "deal" with your shit.

OMG. they applied unapproved patches! to the product they were responsible for making work.

mingus881y ago

lol, restricting administrative access to the administrators is pretty much a security best practice in every company everywhere.

Ever heard of the principle of least privilege?

Ill be sure to tell the auditors that they are gatekeeping dicks for requiring change management on the financial databases

1 more reply

NewJazz1y ago

Why were they applying patches? And what were they patching? What were the consequences when you busted them?

mingus881y ago

These were solaris 8 or 9 patches for some Oracle DB. Patch management back then was wild and conflicting patches could cause problems.

Of course there were no consequences for someone bypassing the approval process and doing unscheduled changes as root. Now, if my team had made those changes without running it past the DBAs...

saagarjha1y ago

tiberious7261y ago

My favorite is pressing '!' while inside a sudoed or setuid less.

more_corn1y ago

I once encountered a good anti sudo control. Execute sudo and you get a warning “log in as root instead!” Firstly, no Secondly did you just “prevent” sudo by aliasing it?

raffraffraff1y ago

Not too mention that you can edit anything you want, like the sudoers file.

FergusArgyll1y ago

That's like a beginner level CTF! sheesh

akimbostrawman1y ago

I would assume sudoedit could have preventing that

mixdup1y ago

We used to be a real society

somytomy1y ago

mixdup1y ago

Yeah, this kind of memo and process probably still exists at places like NASA as well

teddyh1y ago

> They did not invent UNIX but they try harder

I fear that this reference to an old Avis advertising slogan may be lost to a modern audience.

0xbadcafebee1y ago

pengaru1y ago

Wow, they even used the accurate term "crackers", I feel so old.

nayuki1y ago

Indeed. I learned from reading the jargon file in ~2005: http://catb.org/jargon/html/C/cracker.html , http://catb.org/jargon/html/H/hacker.html

gonzo1y ago

If enough time passes and we don’t die, we get old.

1984 was 40 years ago.

0xbadcafebee1y ago

It's nice to know that when I was born, there was a guy just like me, writing snarky annoyed memos about the stupid security holes in our systems.

athrowaway3z1y ago

>Ritchie is the inventor of the elegant setuid concept, for which a patent was awarded.

Do organization still apply for these kind of patents?

fargle1y ago

the engineer gets his name on the patent and maybe a bit of prestige. the org gets another (sometimes bad) patent in the portfolio.

skimming the patent https://patents.google.com/patent/US4135240A/en it seems actually pretty well drafted and pretty good (patentable).

zahlman1y ago

Interesting piece of history. The actual exploit techniques have a real flavour of SQL injection about them.

chrisding1y ago

Interesting piece of history.

j / k navigate · click thread line to collapse