From nobody  Thu Mar 13 04:48:57 1997
Received: (from nobody@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id EAA25660;
          Thu, 13 Mar 1997 04:48:57 -0800 (PST)
Message-Id: <199703131248.EAA25660@freefall.freebsd.org>
Date: Thu, 13 Mar 1997 04:48:57 -0800 (PST)
From: phillip@pm.cse.rmit.edu.au
To: freebsd-gnats-submit@freebsd.org
Subject: "man 5 passwd" suggests use of a shell script for (INSECURE) messaging
X-Send-Pr-Version: www-1.0

>Number:         2978
>Category:       docs
>Synopsis:       "man 5 passwd" suggests use of a shell script for (INSECURE) messaging
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 13 04:50:01 PST 1997
>Closed-Date:    Thu Mar 13 18:41:58 PST 1997
>Last-Modified:  Thu Mar 13 18:44:36 PST 1997
>Originator:     Phillip Musumeci
>Release:        3.0 SNAP (January 1997), 2.1.5R, 2.1.6R
>Organization:
RMIT Computer Systems Eng. Dept.
>Environment:
3.0-970114-SNAP
>Description:
     shells remapped and therefore be denied access.  All other NIS password
     records will be ignored. The administrator may add a wildcard entry to
     the end of the list such as:
           +:::::::::/usr/local/bin/go_away
     <snip>
     /usr/local/bin/go_away can be a short shell or program...
>How-To-Repeat:
     man 5 passwd
>Fix:
We should not suggest that a shell script be run for users that
we are trying to STOP being able to use a system.  A nasty user
might attempt to suspend the shell script before it terminated
(or executed some trap commands to handle being suspended) and
so STILL LOG IN.
>Release-Note:
>Audit-Trail:

From: j@uriah.heep.sax.de (J Wunsch)
To: phillip@pm.cse.rmit.edu.au
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: docs/2978: "man 5 passwd" suggests use of a shell script for (INSECURE) messaging
Date: Thu, 13 Mar 1997 22:37:57 +0100

 As phillip@pm.cse.rmit.edu.au wrote:
 
 > We should not suggest that a shell script be run for users that
 > we are trying to STOP being able to use a system.  A nasty user
 > might attempt to suspend the shell script before it terminated
 > (or executed some trap commands to handle being suspended) and
 > so STILL LOG IN.
 
 And?  This would kill or stop his login shell.  What can he do with a
 stopped login shell?
 
 No, running a shell script (more correctly: an `interpreted
 executable' in the sense of execve(2)) is something vastly different
 from giving the user a shell, and stupidly trying to force something
 on him in the .profile.
 
 The only known security exploit per se (i.e., apart from stupidity of
 the shellscript writer) for an interpreted executable shellscript by
 now was to spam the script with $ENV (e.g. by importing it from a
 telnet session), for example abusing /etc/shells.  This hole has been
 plugged by cloning the -p option from the Korn shell, thus causing the
 script to ignore $ENV entirely.
 
 -- 
 cheers, J"org
 
 joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
 Never trust an operating system you don't have sources for. ;-)
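
 As an added illustration of Jörg's point (this is example code written for this page, not code from PR docs/2978, from passwd(5) or from the FreeBSD tree): a go_away-style login "shell" built as an interpreted executable with the -p flag on its interpreter line, plus three checks an administrator can run before pointing an NIS wildcard entry at it. The third check reproduces the attack he describes by planting a file in $ENV and executing the script the way login(1) would. It assumes /bin/sh accepts -p (FreeBSD sh and bash do; dash does not, and the second check reports that) and that mktemp(1) is available. On a shell that reads $ENV only for interactive sessions the unhardened control also passes the probe, so the probe proves the absence of the hole on the host it runs on, not the presence of the hole elsewhere.

```shell
#!/bin/sh
# Added example, not code from PR docs/2978 or the FreeBSD tree.
# Assumes: /bin/sh accepts -p (FreeBSD sh and bash do; dash does not)
# and mktemp(1) is available.

# Write a go_away-style login "shell" to $1 as an interpreted executable.
#  - "#!/bin/sh -p": sh ignores $ENV, so a file name pushed into the login
#    environment (e.g. via telnet's environment option) is never sourced.
#  - Builtins only: PATH and IFS from the environment cannot redirect
#    anything to a user-controlled binary.
#  - Non-zero exit, so nothing downstream mistakes this for a session.
write_go_away() {
    cat > "$1" <<'EOF'
#!/bin/sh -p
printf '%s\n' 'This host knows your account, but logins are not permitted here.'
exit 1
EOF
    chmod 0555 "$1"
}

# Check 1: does the interpreter line actually carry -p?  Returns 0/1.
shebang_carries_p() {
    read -r first < "$1" || return 1
    case "$first" in
        '#!'*' -p' | '#!'*' -p '*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check 2: does the named interpreter accept -p at all?  A shell that
# rejects it refuses to start the script, which denies the login but not
# in the way the admin intended; use a compiled program there instead.
interp_supports_p() {
    read -r first < "$1" || return 1
    interp=${first#'#!'}
    interp=${interp%% *}
    "$interp" -p -c : >/dev/null 2>&1
}

# Check 3: plant a file in $ENV and exec the script as login(1) would.
# Returns 0 if the planted command did not run, 1 if it did.
survives_env_injection() {
    planted=$(mktemp) || return 2
    printf '%s\n' 'echo INJECTED_VIA_ENV' > "$planted"
    out=$(ENV="$planted" "$1" 2>&1 || :)
    rm -f "$planted"
    case "$out" in
        *INJECTED_VIA_ENV*) return 1 ;;
    esac
    return 0
}

demo() {
    script=$(mktemp) || return 1
    write_go_away "$script"
    if shebang_carries_p "$script"; then
        echo "ok: interpreter line carries -p"
    fi
    if interp_supports_p "$script"; then
        echo "ok: $interp accepts -p"
    else
        echo "WARNING: $interp rejects -p; use a compiled program for go_away"
    fi
    if survives_env_injection "$script"; then
        echo "ok: planting \$ENV had no effect"
    else
        echo "FAIL: \$ENV was sourced by the login shell script"
    fi
    rm -f "$script"
}

demo
```

 Install the generated file as /usr/local/bin/go_away and reference it from the wildcard entry exactly as the man page shows (`+:::::::::/usr/local/bin/go_away`). Note that -p only closes the $ENV path; the script stays safe against PATH and IFS supplied by the remote side because it calls no external command at all.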

From: Phillip Musumeci <phillip@pm.cse.rmit.edu.au>
To: joerg_wunsch@uriah.heep.sax.de
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: docs/2978: "man 5 passwd" suggests use of a shell script for (INSECURE) messaging
Date: Fri, 14 Mar 1997 09:58:32 +1100 (EST)

 OK (I just had a look for the "-p" switch but couldn't see it).  
 
 I guess I was reacting to this suggestion in the man page from the point of
 view of a sunos user of years gone by, where we treated shell script
 replacements for an actual shell as something not much different to a
 normal shell (from an access point of view).
 
 Sorry to cause any worries.
 phillip

From: Marc Slemko <marcs@znep.com>
To: J Wunsch <j@uriah.heep.sax.de>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: docs/2978: "man 5 passwd" suggests use of a shell script for (INSECURE) messaging
Date: Thu, 13 Mar 1997 17:55:10 -0700 (MST)

 On Thu, 13 Mar 1997, J Wunsch wrote:
 
 > The following reply was made to PR docs/2978; it has been noted by GNATS.
 >  
 >  The only known security exploit per se (i.e., apart from stupidity of
 >  the shellscript writer) for an interpreted executable shellscript by
 >  now was to spam the script with $ENV (e.g. by importing it from a
 >  telnet session), for example abusing /etc/shells.  This hole has been
 >  plugged by cloning the -p option from the Korn shell, thus causing the
 >  script to ignore $ENV entirely.
 
 The problem is that when you say "shell script" most people don't think
 "/bin/sh script with -p" and most people don't recognize the potential
 vulnerability.  I think it would be reasonable to include a warning. 
 Something like the below, although I don't have the time right now to word
 it nicely and my *roff is a bit rusty...
 
 Index: passwd.5
 ===================================================================
 RCS file: /usr/cvs/src/share/man/man5/passwd.5,v
 retrieving revision 1.11
 diff -c -r1.11 passwd.5
 *** passwd.5	1997/02/22 13:26:05	1.11
 --- passwd.5	1997/03/14 00:48:00
 ***************
 *** 290,296 ****
   .Pa /usr/local/bin/go_away
   can be a short shell script or program
   that prints a message telling the user that he is not allowed access
 ! to the system. This technique is sometimes useful when it is
   desirable to have the system be able to recognize all users in a
   particular NIS domain without necessarily granting them login access.
   .Pp
 --- 290,302 ----
   .Pa /usr/local/bin/go_away
   can be a short shell script or program
   that prints a message telling the user that he is not allowed access
 ! to the system. If you use a shell script be sure to use the
 ! .Pa -p
 ! option to
 ! .Pa /bin/sh
 ! (see 
 ! .Xr sh 1 
 ! for details).  This technique is sometimes useful when it is
   desirable to have the system be able to recognize all users in a
   particular NIS domain without necessarily granting them login access.
   .Pp
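
Review bot: `.Pa -p` on the new side marks a command-line flag with mdoc's pathname macro; the flag macro is `.Fl p` (`.Pa /bin/sh` is correct, since that is a path). The sentence should also say where the flag goes for an interpreted executable used as a login shell: on the interpreter line, `#!/bin/sh -p`, which is the only place execve(2) picks it up when login starts the script. Minor: `(see ` and `.Xr sh 1 ` carry trailing whitespace.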
 
 
State-Changed-From-To: open->closed 
State-Changed-By: mpp 
State-Changed-When: Thu Mar 13 18:41:58 PST 1997 
State-Changed-Why:  
Fixed in rev 1.15 of passwd.5.  I added some text regarding 
security issues when using shell scripts as the login shell. 
>Unformatted:
