Path: utzoo!attcan!uunet!munnari!basser!boyd
From: boyd@basser.oz (Boyd Roberts)
Newsgroups: comp.unix.wizards
Subject: Re: System V.2.2 setuid() broken
Summary: FLAME-------->*ON*
Message-ID: <1312@basser.oz>
Date: 15 Jul 88 05:43:16 GMT
References: <5968@umn-cs.cs.umn.edu> <2820@ttidca.TTI.COM> <58603@sun.uucp> <3475@sequent.UUCP> <59537@sun.uucp> <1305@basser.oz> <3942@rpp386.UUCP>
Reply-To: boyd@basser.oz (Boyd Roberts)
Organization: Dept of Comp Sci, Uni of Sydney, Australia
Lines: 46

In article <3942@rpp386.UUCP> jfh@rpp386.UUCP (The Beach Bum) writes:
>this `feature' prevents a trojan horse from doing a
>
>	if (getuid () == 0) {
>		setuid (0);
>		chown ("/bin/sh", 0, 0);
>		chmod ("/bin/sh", 04711);
>	}
>
>thereby giving you the famed password free su command.
>

No, you have just _lost_ BIG.  How do I become root with this _alleged_
trojan horse.  Are we saying that our systems are full of holes?  I
think we are.  Are we not?

Security violations usually occur due to bad file-system permissions
or dozey setuid programs.  Think about ex*preserve, back a while.

If getuid() returns 0, I AM ROOT, dammit.  I AM _REALLY_ ROOT.
When I am _really_ root I can do anything I damn please, except
on System V.  Check out the System V exec code, where it does the
setuid (gid) stuff.  It is broken.

System V setuid() is severly broken.  Here I am, _really_ root,
but _effectively_ some dumb mortal (back in the _old_days_ root
was not affected by setuid (gid) bits) and I can't set my real
and effective uid to my real uid.  Surely some mistake.

It is NOT the UNIX way to systematically break the kernel to
support paranoid delusions of grandeur.  Security hole, trojan
horse... don't make me laugh.  Where are the kernel hacks of
yesteryear who actually _understood_ the kernel?

At times like these I reach for my V6 source listing and
read the code.  In those days the original implementors
_knew_ the deal and did the _job_.  It _never_ ceases to amaze
me at what comes out of AT&T (USG?).

Come System 5.5 and I'll be satisfied.  OS/360 written in C.


Boyd Roberts			boyd@basser.cs.su.oz
				boyd@necisa.necisa.oz

``When the going gets wierd, the weird turn pro...''