SUMMARY: WARNINGS: How to mount /pcfs without root privileges ?

From: Chris Metcalf (metcalf@catfish.LCS.MIT.EDU)
Date: Thu May 05 1994 - 03:12:52 CDT


(This is a repost of my earlier message. Someone pointed out that if it
was worth archiving, the word SUMMARY should be present in the Subject---
and setuid security seems to be something not nearly well enough understood.
My apologies to the list for absent-mindedly not including SUMMARY.)

> How to mount /pcfs without root privileges ?

Nearly all of the answers provided here allow a user to get root access
in under a minute.

> [1] setuid scripts.

There are several ways to hijack shell scripts.

The most entertaining is to symlink "-i" to a shell script and then run
the resulting "-i" script to get an interactive shell; using "-b" in a
csh script header or "-" in a sh script avoids this particular approach.
(Note that Sun's csh won't let you run setuid without a -b.)

In general one can take advantage of the fact that there is a lag between
when the shell specified in the script starts, and when the shell itself
reads the script. For example, if you create a symlink to a setuid shell
script and execute from the symlink, you can replace the symlink with
a script of your own during the window before the shell reads the script
(this usually requires careful timing and many attempts, but is likely
to succeed in the end).

In any case, many systems (though not SunOS 4.x; I don't know about 5.x)
don't perform the setuid change on scripts, which keeps people from
making these mistakes. I believe setuid Perl scripts can be run safely,
via the taintperl binary, and even on systems that have disabled setuid
shell scripts.

> [2] setuid programs.
>
> This is similar to above, though more secure.
> Write a quick and dirty C program to do it. This way you
> get around the security risk of a setuid script.

In fact, the examples provided in this section are even LESS secure than
the shell scripts provided (which used csh -b scripts).

> main ()
> {
> system ("/etc/mount /pcfs") ;
> }

Since system() invokes /bin/sh, all you need to do is set IFS to
"/", create a script of your own named "etc", and run this binary.
Your "etc" script will run as root (with arguments "mount pcfs").
Similarly, one creates a "usr" script if system() is invoked with
"/usr/etc/mount_pcfs"..., of course.

> Here is one other provided by danny@ews7.dseg.ti.com
>
> ...
> system ("mount /pcfs");

Here, of course, the user just needs to set their PATH to start with ".",
place a script named "mount" in the current directory, and run the setuid
binary; the user's "mount" script will get run as root.

> [3] PD software

For this specific situation, mtools is almost always the right answer.
I rarely bother to mount floppies; I just mcopy and mtype to them.

In general, I recommend "sudo" or "op" for allowing users to do
well-controlled operations that require root privilege.

If you want to use a simple C program to do it, you want something
like this. Notice that the binary does *not* use system(), but rather
the essentially uncompromisable execve(), straight to the kernel.
(Slightly more efficient than execle(), too!)

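    /*
     * Make this binary setuid to run mount as root.
     */

    #include <unistd.h>     /* execve() */

    /* Fixed environment: nothing is inherited from the invoking user. */
    char *envp[] = {
            "HOME=/",
            "LOGNAME=root",
            "PATH=/usr/etc:/usr/ucb:/usr/bin",
            "SHELL=/bin/sh",
            "TERM=dumb",
            "USER=root",
            0
    };

    /* Fixed argument vector: the user cannot add or change arguments. */
    char *argv[] = { "mount", "/pcfs", 0 };

    int main(void)
    {
            /* Absolute path, no shell; execve() returns only on failure. */
            return execve("/usr/etc/mount", argv, envp);
    }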

                        Chris Metcalf, MIT Laboratory for Computer Science
                        metcalf@cag.lcs.mit.edu // +1 (617) 253-7766
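
A check of the execve() approach described in the message, as an added example that is not part of the original post: it places the IFS and PATH values from the system() discussion in the caller's environment, runs a child through execve() with a fixed environment, and inspects what the child actually received. The names `run_clean`, `hostile_env_leaks` and `clean_env` are hypothetical, the environment values are constructed, and the example assumes `/usr/bin/env` exists.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment (constructed values): nothing is copied from the caller. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", "HOME=/", 0 };

/* Hypothetical helper: execve() an absolute path with clean_env and capture
 * its stdout in out. Returns the child's exit status, or -1 on error. */
int run_clean(const char *path, char *const args[], char *out, size_t outlen)
{
    int fd[2], status;
    size_t used = 0;
    ssize_t n;
    pid_t pid;
    if (path[0] != '/' || outlen == 0 || pipe(fd) < 0) /* no relative paths */
        return -1;
    if ((pid = fork()) == 0) {
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        execve(path, args, clean_env); /* no shell, no PATH search */
        _exit(127);
    }
    close(fd[1]);
    while (pid > 0 && used < outlen - 1 &&
           (n = read(fd[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fd[0]);
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Constructed scenario: put the IFS and PATH values from the message in the
 * caller's environment. Returns 1 if either reached the child, 0 if not. */
int hostile_env_leaks(void)
{
    char out[4096];
    char *args[] = { "env", 0 };
    setenv("IFS", "/", 1);
    setenv("PATH", ".:/usr/bin:/bin", 1);
    if (run_clean("/usr/bin/env", args, out, sizeof out) != 0)
        return -1;
    return strstr(out, "IFS=") != NULL || strstr(out, "PATH=.") != NULL;
}

int main(void) { return hostile_env_leaks() != 0; }
```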


