From das@FreeBSD.org  Mon Jun  2 10:13:45 2003
Return-Path: <das@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E7D7037B401
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  2 Jun 2003 10:13:45 -0700 (PDT)
Received: from HAL9000.homeunix.com (ip232.bella-vista.sfo.interquest.net [66.199.86.232])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5EE0543F3F
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  2 Jun 2003 10:13:45 -0700 (PDT)
	(envelope-from das@FreeBSD.org)
Received: from HAL9000.homeunix.com (localhost [127.0.0.1])
	by HAL9000.homeunix.com (8.12.9/8.12.5) with ESMTP id h52HDiqG002296;
	Mon, 2 Jun 2003 10:13:44 -0700 (PDT)
	(envelope-from das@FreeBSD.org)
Received: (from das@localhost)
	by HAL9000.homeunix.com (8.12.9/8.12.5/Submit) id h52HDieu002295;
	Mon, 2 Jun 2003 10:13:44 -0700 (PDT)
	(envelope-from das@FreeBSD.org)
Message-Id: <20030602171344.GA2249@HAL9000.homeunix.com>
Date: Mon, 2 Jun 2003 10:13:44 -0700
From: David Schultz <das@FreeBSD.org>
To: Lee Brotherston <lee@nerds.org.uk>
Cc: freebsd-gnats-submit@FreeBSD.org
In-Reply-To: <20030602161606.GA26694@nerds.org.uk>
Subject: Re: PR misc/41179 [gnats had better file this correctly this time]
References: <200207302036.g6UKamu9051791@www.freebsd.org> <20030601181850.GA946@HAL9000.homeunix.com> <20030602161606.GA26694@nerds.org.uk>

>Number:         52872
>Category:       misc
>Synopsis:       Re: PR misc/41179 [gnats had better file this correctly this time]
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ceri
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jun 02 10:20:12 PDT 2003
>Closed-Date:    Mon Jun 02 16:05:59 PDT 2003
>Last-Modified:  Wed Aug 13 13:08:37 PDT 2003
>Originator:     David Schultz
>Release:        
>Organization:
>Environment:
>Description:
 On Mon, Jun 02, 2003, Lee Brotherston wrote:
 > > If you su to root from the account of an untrusted user, you're
 > > asking for trouble anyway.  There are many documented cases of
 > > people breaking root this way, and you don't even need to fiddle
 > > with LD_LIBRARY_PATH.  The untrusted user just sets his PATH to
 > > include a fake version of su(1) that records root's password,
 > > prints ``Sorry'', and spawns the real su(1).  The correct thing to
 > > do is to use su(1) only from trusted accounts.
 > 
 > True, it was this sort of thinking that made me ponder this in the
 > first place.  My thinking was that although this can be achieved as
 > described, LD_LIBRARY_PATH is less checked than PATH and so is a little
 > stealthier, maybe I'm wrong.
 > 
 > I suspect that not implementing a security feature because there's
 > already a similar, easier way to compromise the machine isn't the best
 > reason not to do it ;)
 
 The trojan su trick can be done quite stealthily.  Many users
 already have $HOME/bin in their path, so all they need to do is
 make a $HOME/bin/su that records passwords.  An even stealthier
 tactic is to trojan the shell.  The bottom line is that if a
 user's account is compromised and someone su's to root from that
 account, the root account can be easily compromised.  In fact,
 even if your LD_LIBRARY_PATH check were implemented, an attacker
 could easily construct a trojanned binary that skipped the check.
 
 So I'm not convinced that preventing one of many avenues for such
 an attack is worthwhile.  On the other hand, you're more than
 welcome to submit patches, and others may agree with you on this
 matter.
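The following is an added example, not part of the original message or of FreeBSD's code: a defensive check an administrator could run in an account before typing `su`, reporting whether any directory searched at or before the match could hold a planted copy. The function names and the `TRUSTED_OWNER` variable are assumptions made for this sketch, and it inspects only each PATH directory itself, not its parent directories or the shell binary.

```shell
#!/bin/sh
# Added example (not from the PR): audit how a command name resolves via PATH.
# TRUSTED_OWNER is a hypothetical setting for this sketch; it defaults to root.
: "${TRUSTED_OWNER:=root}"

# dir_untrusted DIR: succeeds if files could be planted in DIR by someone
# other than TRUSTED_OWNER, or if DIR is resolved relative to the cwd.
dir_untrusted() {
    case "$1" in
        /*) ;;
        *)  return 0 ;;   # "", "." and other relative entries follow the cwd
    esac
    # "$1/." follows a symlinked directory; -prune stops find from descending.
    [ -n "$(find "$1/." -prune \( ! -user "$TRUSTED_OWNER" \
            -o -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# audit_path CMD [PATHVALUE]
# Returns 0 if CMD resolves with only trusted directories searched,
# 1 if an untrusted directory is searched at or before the match,
# 2 if CMD is not found at all.
audit_path() {
    cmd=$1; pathval=${2-$PATH}; risky=0; found=0
    old_ifs=$IFS; IFS=:; set -f
    set -- $pathval            # split PATH on ":" without globbing
    set +f; IFS=$old_ifs
    for dir in "$@"; do
        if dir_untrusted "$dir"; then
            echo "UNTRUSTED ${dir:-<empty entry>}"
            risky=1
        fi
        if [ -f "${dir:-.}/$cmd" ] && [ -x "${dir:-.}/$cmd" ]; then
            echo "RESOLVES  ${dir:-.}/$cmd"
            found=1
            break
        fi
    done
    [ "$found" -eq 1 ] || { echo "NOTFOUND  $cmd"; return 2; }
    return "$risky"
}
```

Running `audit_path su` in the account in question prints each flagged directory and the path that would actually execute; a nonzero status means the full path to the system binary should be typed instead.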
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: ceri 
State-Changed-When: Mon Jun 2 16:04:38 PDT 2003 
State-Changed-Why:  
Misfiled followup to misc/41179 [content migrated]. 

As for "Subject: Re: PR misc/41179 [gnats had better file this correctly  
this time]", you need to s/PR// ;^) 


Responsible-Changed-From-To: gnats-admin->ceri 
Responsible-Changed-By: ceri 
Responsible-Changed-When: Mon Jun 2 16:04:38 PDT 2003 
Responsible-Changed-Why:  
Take from gnats-admin. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=52872 
>Unformatted:
