From nobody@www.freebsd.org  Thu Jun 20 07:00:37 2002
Return-Path: <nobody@www.freebsd.org>
Received: from nwww.freebsd.org (www.FreeBSD.org [216.136.204.117])
	by hub.freebsd.org (Postfix) with ESMTP id 77B4237B404
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 20 Jun 2002 07:00:37 -0700 (PDT)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by nwww.freebsd.org (8.12.2/8.12.2) with ESMTP id g5KE0ahG034407
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 20 Jun 2002 07:00:36 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.2/8.12.2/Submit) id g5KE0aUC034406;
	Thu, 20 Jun 2002 07:00:36 -0700 (PDT)
Message-Id: <200206201400.g5KE0aUC034406@www.freebsd.org>
Date: Thu, 20 Jun 2002 07:00:36 -0700 (PDT)
From: Vasil Dimov <vd@etrade.bg>
To: freebsd-gnats-submit@FreeBSD.org
Subject: uid 0 check in install.sh in 4.6-disc1.iso can be circumvented
X-Send-Pr-Version: www-1.0

>Number:         39573
>Category:       bin
>Synopsis:       uid 0 check in install.sh in 4.6-disc1.iso can be circumvented
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 20 07:10:03 PDT 2002
>Closed-Date:    Thu Jun 27 00:21:09 PDT 2002
>Last-Modified:  Thu Jun 27 00:21:09 PDT 2002
>Originator:     Vasil Dimov
>Release:        4.6-STABLE
>Organization:
eTrade.bg
>Environment:
FreeBSD vihren.etrade.xx 4.6-STABLE FreeBSD 4.6-STABLE #0: Mon Jun 17 15:38:29 EEST 2002     root@vihren.etrade.xx:/usr/src/sys/compile/VIHREN  i386

>Description:
all the scripts named install.sh in the 4.6-disc1.iso
MD5 (4.6-disc1.iso) = 99666e6f33820af3b060734203202e35
use the same check to ensure the caller is uid 0:

if [ "`id -u`" != "0" ]; then
        echo "Sorry, this must be done as root."
	exit 1
fi

which can be easily passed by non-uid-0 users, probably
causing "Permission denied" in the following commands.

if this check is needed at all, it should be fixed
to something harder to pass.

>How-To-Repeat:
assuming we are in the cdrom root dir

$ ./bin/install.sh
Sorry, this must be done as root.
$

$ echo "echo 0" > ~/bin/id
$ chmod 700 ~/bin/id
$ export PATH=~/bin:$PATH

$ ./bin/install.sh
You are about to extract the base distribution into / - are you SURE
you want to do this over your installed system (y/n)? n
$

>Fix:
`id -u`

should be changed to:

`/usr/bin/id -u`

this is not so obvious to pass, yeah

>Release-Note:
>Audit-Trail:

From: Ceri Davies <setantae@submonkey.net>
To: Vasil Dimov <vd@etrade.bg>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/39573: uid 0 check in install.sh in 4.6-disc1.iso can be circumvented
Date: Thu, 20 Jun 2002 15:57:06 +0100

 On Thu, Jun 20, 2002 at 07:00:36AM -0700, Vasil Dimov wrote:
 
 > all the scripts named install.sh in the 4.6-disc1.iso
 > MD5 (4.6-disc1.iso) = 99666e6f33820af3b060734203202e35
 > use the same check to ensure the caller is uid 0:
 > 
 > if [ "`id -u`" != "0" ]; then
 >         echo "Sorry, this must be done as root."
 > 	exit 1
 > fi
 > 
 > which can be easily passed by non-uid-0 users, probably
 > causing "Permission denied" in the following commands.
 > 
 > $ echo "echo 0" > ~/bin/id
 > $ chmod 700 ~/bin/id
 > $ export PATH=~/bin:$PATH
 > 
 > $ ./bin/install.sh
 > You are about to extract the base distribution into / - are you SURE
 > you want to do this over your installed system (y/n)? n
 
 If you really want to go to all that trouble to circumvent the id check
 then you deserve all you get.
 
 Note that there's nothing to prevent a normal user running the "meat" of
 install.sh on their own anyway:
 
 	cat bin.?? | tar --unlink -xpzf - -C ${DESTDIR:-/}
 
 but it won't get them far.
 
 In short, the id check isn't intended as a security measure, it's just a
 polite reminder that you're about to waste your time if you aren't already
 root.
 
 Ceri
 
 -- 
 you can't see when light's so strong
 you can't see when light is gone

From: Ceri Davies <setantae@submonkey.net>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/39573: uid 0 check in install.sh in 4.6-disc1.iso can be circumvented
Date: Thu, 20 Jun 2002 17:19:18 +0100

 Adding to audit trail.
 I believe this PR can be closed, but I'll leave it open for someone else to
 comment on.
 
 Ceri
 
 -- 
 you can't see when light's so strong
 you can't see when light is gone
 
 From: Vasil Dimov <vd@etrade.bg>
 To: Ceri Davies <setantae@submonkey.net>
 Cc: freebsd-gnats-submit@FreeBSD.org
 Subject: Re: bin/39573: uid 0 check in install.sh in 4.6-disc1.iso can be circumvented
 Date: Thu, 20 Jun 2002 18:19:27 +0300
 
 On Thu, Jun 20, 2002 at 03:57:06PM +0100, Ceri Davies wrote:
 > On Thu, Jun 20, 2002 at 07:00:36AM -0700, Vasil Dimov wrote:
 > 
 > > all the scripts named install.sh in the 4.6-disc1.iso
 > > MD5 (4.6-disc1.iso) = 99666e6f33820af3b060734203202e35
 > > use the same check to ensure the caller is uid 0:
 > > 
 > > if [ "`id -u`" != "0" ]; then
 > >         echo "Sorry, this must be done as root."
 > > 	exit 1
 > > fi
 > > 
 > > which can be easily passed by non-uid-0 users, probably
 > > causing "Permission denied" in the following commands.
 > > 
 > > $ echo "echo 0" > ~/bin/id
 > > $ chmod 700 ~/bin/id
 > > $ export PATH=~/bin:$PATH
 > > 
 > > $ ./bin/install.sh
 > > You are about to extract the base distribution into / - are you SURE
 > > you want to do this over your installed system (y/n)? n
 > 
 > If you really want to go to all that trouble to circumvent the id check
 > then you deserve all you get.
 > 
 > Note that there's nothing to prevent a normal user running the "meat" of
 > install.sh on their own anyway:
 > 
 > 	cat bin.?? | tar --unlink -xpzf - -C ${DESTDIR:-/}
 > 
 > but it won't get them far.
 > 
 > In short, the id check isn't intended as a security measure, it's just a
 > polite reminder that you're about to waste your time if you aren't already
 > root.
 > 
 > Ceri
 > 
 > -- 
 > you can't see when light's so strong
 > you can't see when light is gone
 > 
 
 yes, of course, this is not a security issue at all,
 but more a philosophy question:
 `should it be done in the more "secure"(/usr/bin/id) or portable(id) way?'
 
 if `id' (for some reason) is not located in /usr/bin/, /usr/bin/id will not work.
 
 => just calling `id' is the right way.
 
 tnx for the time wasted.
 
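The thread settles on calling `id` by name rather than hard-coding `/usr/bin/id`. The following added example (not code from the PR or from FreeBSD's install.sh) shows the usual way to keep that portability while still not trusting the caller's PATH: the script pins PATH to the standard system directories for the lookup and restores it afterwards. The directory list `/bin:/usr/bin`, the function names and the temporary-directory demonstration are my assumptions.

```shell
#!/bin/sh
# Added example, not from the PR or FreeBSD's install.sh: keep the portable
# `id` call, but resolve it under a PATH the script controls, so a caller
# who puts ~/bin first in PATH cannot substitute their own `id`.

# Print the effective uid, looking `id` up only in the standard system
# directories (assumption: id(1) lives in /bin or /usr/bin). The caller's
# PATH is restored afterwards.
effective_uid() {
    _saved_path=$PATH
    PATH=/bin:/usr/bin
    export PATH
    _uid=$(id -u)
    PATH=$_saved_path
    export PATH
    printf '%s\n' "$_uid"
}

# The check as install.sh phrases it, with the pinned-PATH lookup swapped in.
require_root() {
    if [ "$(effective_uid)" != "0" ]; then
        echo "Sorry, this must be done as root."
        return 1
    fi
    return 0
}

# Demonstration: shadow `id` in a temporary directory placed first in PATH,
# as the PR does, and show that effective_uid() still reports the real uid
# while a bare `id -u` picks up the shadow. Returns 0 when the pinned lookup
# matches the real uid.
demo() {
    real_uid=$(effective_uid)
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho 0\n' > "$tmp/id"
    chmod 700 "$tmp/id"
    # Each lookup runs in its own subshell so the shadowed PATH never leaks.
    shadowed=$(PATH="$tmp:$PATH"; export PATH; id -u)
    hardened=$(PATH="$tmp:$PATH"; export PATH; effective_uid)
    rm -rf "$tmp"
    echo "real=$real_uid shadowed=$shadowed hardened=$hardened"
    [ "$hardened" = "$real_uid" ]
}
```

Call `demo` to see the three values side by side; `require_root` is the drop-in replacement for the check quoted in the PR.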
State-Changed-From-To: open->closed 
State-Changed-By: cjc 
State-Changed-When: Thu Jun 27 00:19:58 PDT 2002 
State-Changed-Why:  
The check is not a security feature. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=39573 
>Unformatted:
