From marcs@scanner.worldgate.com  Sun Jul 14 16:41:04 1996
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA11606
          for <FreeBSD-gnats-submit@freebsd.org>; Sun, 14 Jul 1996 16:41:03 -0700 (PDT)
Received: (from marcs@localhost) by scanner.worldgate.com (8.7.5/8.7.3) id RAA26793; Sun, 14 Jul 1996 17:41:02 -0600 (MDT)
Message-Id: <199607142341.RAA26793@scanner.worldgate.com>
Date: Sun, 14 Jul 1996 17:41:02 -0600 (MDT)
From: marcs@worldgate.com
Reply-To: marcs@worldgate.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: ppp(8) man page suggests using shell script for login shell
X-Send-Pr-Version: 3.2

>Number:         1383
>Category:       docs
>Synopsis:       ppp(8) man page suggests using shell script for login shell
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 14 16:50:01 PDT 1996
>Closed-Date:    Mon Nov 4 17:39:14 PST 1996
>Last-Modified:  Mon Nov  4 17:39:54 PST 1996
>Originator:     Marc Slemko
>Release:        FreeBSD 2.1-STABLE i386
>Organization:
>Environment:

FreeBSD 2.1.0-RELEASE, 2.1.5-RELEASE and current.

>Description:

Around line 465 of the ppp(8) man page source there is a suggested login 
shell to be used for PPP users:
	#!/bin/sh
	/usr/sbin/ppp -direct

It is a shell script.  That means there is some security risk in that
any user with the suggested shell script for their login shell can get
an interactive shell quite easily in most cases.  In itself, this is
not strictly a security hole but it is unexpected behavior to many
people.

>How-To-Repeat:

There are many potential problems; one trivial way to exploit the
problem is detailed below.

Create a user with the suggested shell script as their login shell.  

Then:

------------------------------------------------------------
$ telnet
telnet> environ define ENV /etc/shells
telnet> environ export ENV
telnet> open destination
Trying 192.168.0.1...
Connected to destination.
Escape character is '^]'.

FreeBSD (destination) (ttyp0)

login: user
Password:
Last login: Sun Jul 14 17:27:16 from source
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.   All rights
reserved.

Cannot fork
$
------------------------------------------------------------

The user now has a shell.  They can't immediately run any other
programs, since the various shells have started copy after copy until
the user's process limit was reached, but that is trivial to get
around.

>Fix:
	
Either:
	- document the possible security implications
	- change the sample script to a perl script (probably more
	  secure, but not really a great solution)
	- change the sample script to a C wrapper and possibly include
	  and/or install the source/binary as a separate file (probably 
	  the best solution)

Note that, IMHO, whatever script or wrapper is used should be sure to exec
ppp; no sense in having a program hanging around for no reason doing
nothing more than wait for ppp to exit.
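
As an added illustration of the third option above (not code from this report or from the ppp.8 man page), here is a C login-shell wrapper that execs /usr/sbin/ppp -direct directly, so no shell and therefore no $ENV processing is ever involved; the allow-list of environment variables it passes on and the fixed PATH are this example's own assumptions, not anything ppp(8) requires.

```c
/* Added example: C wrapper to use as a PPP user's login shell.
 * It never starts a shell, so a caller-supplied ENV (as pushed in over
 * telnet in the report) is simply ignored, and it execs ppp so no
 * wrapper process lingers. Allow-list and PATH are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Variables a dial-in session legitimately needs; anything else
 * (ENV included) is dropped before ppp is started. */
static const char *const keep[] = { "HOME", "USER", "LOGNAME", "TERM", NULL };

/* Copy entries of `in` whose NAME is on the allow-list into `out`
 * (at most max-1 entries, NULL-terminated). Returns the number kept. */
size_t filter_env(char *const in[], char *out[], size_t max)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != NULL && n + 1 < max; i++) {
        const char *eq = strchr(in[i], '=');
        if (eq == NULL)
            continue;                       /* malformed entry: skip it */
        size_t len = (size_t)(eq - in[i]);  /* length of NAME */
        for (size_t k = 0; keep[k] != NULL; k++) {
            if (strlen(keep[k]) == len && strncmp(in[i], keep[k], len) == 0) {
                out[n++] = in[i];
                break;
            }
        }
    }
    out[n] = NULL;
    return n;
}

int main(void)
{
    char *env[8];
    /* Leave one slot free for the fixed PATH appended below. */
    size_t n = filter_env(environ, env, sizeof env / sizeof env[0] - 1);
    env[n++] = "PATH=/bin:/usr/bin:/usr/sbin";
    env[n] = NULL;

    char *const argv[] = { "ppp", "-direct", NULL };
    execve("/usr/sbin/ppp", argv, env);
    perror("execve /usr/sbin/ppp");         /* reached only if exec fails */
    return 1;
}
```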

>Release-Note:
>Audit-Trail:

From: J Wunsch <j@uriah.heep.sax.de>
To: marcs@worldgate.com
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: docs/1383: ppp(8) man page suggests using shell script for login shell
Date: Mon, 15 Jul 1996 02:50:26 +0200 (MET DST)

 As marcs@worldgate.com wrote:
 
 > 	#!/bin/sh
 > 	/usr/sbin/ppp -direct
 
 > telnet> environ define ENV /etc/shells
 > telnet> environ export ENV
 > telnet> open destination
 > Trying 192.168.0.1...
 > Connected to destination.
 > Escape character is '^]'.
 > 
 > FreeBSD (destination) (ttyp0)
 > 
 > login: user
 > Password:
 > Last login: Sun Jul 14 17:27:16 from source
 > Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
 >         The Regents of the University of California.   All rights
 > reserved.
 > 
 > Cannot fork
 > $
 > ------------------------------------------------------------
 > 
 > The user now has a shell.
 
 ${ENV} and the missing -f option seem to be one of the biggest
 mistakes of the Korn shell.  The simple .cshrc and csh -f, more than
 10 years old, still look much more convenient.
 
 Seems like Dave Korn suffered from severe NIH.
 
 -- 
 cheers, J"org
 
 joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
 Never trust an operating system you don't have sources for. ;-)
State-Changed-From-To: open->feedback 
State-Changed-By: scrappy 
State-Changed-When: Tue Oct 22 21:38:32 PDT 1996 
State-Changed-Why:  

Confirm Status 

From: J Wunsch <j@uriah.heep.sax.de>
To: FreeBSD-gnats-submit@freebsd.org, marcs@worldgate.com
Cc:
Subject: Re: docs/1383
Date: Thu, 31 Oct 1996 21:02:37 +0100 (MET)

 Improved sample script in rev. 1.19 of ppp.8, now that our Shell
 understands the -p flag.
 -- 
 cheers, J"org
 
 joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
 Never trust an operating system you don't have sources for. ;-)
State-Changed-From-To: feedback->open 
State-Changed-By: scrappy 
State-Changed-When: Mon Nov 4 06:51:46 PST 1996 
State-Changed-Why:  

Problem Still Exists 
State-Changed-From-To: open->closed 
State-Changed-By: scrappy 
State-Changed-When: Mon Nov 4 17:39:14 PST 1996 
State-Changed-Why:  

Should have been closed according to J"org 
>Unformatted:
