Solaris Signals  Feb 12 2003 03:21AM  Jon Masters (jonathan jonmasters org)  (1 replies)
Re: Solaris Signals  Feb 13 2003 11:44AM  Frank v Waveren (fvw var cx)  (1 replies)
On Wed, Feb 12, 2003 at 03:21:49AM +0000, Jon Masters wrote:
> We all know that old chestnut about tracing setuid programs or scripts,
> but what about non-setuid scripts which have been installed for users and
> given execute only permission. For example, a lot of sites provide scripts
> for users to run which perform some admin related function and thus have
> usernames or passwords within them - potentially free to users.
Making programs execute-only is no security for such things unless you
add a lot of weird-and-definitely-not-wonderful special cases all over
the OS. Even if you stop programs from dumping core if
access(executable, R_OK), you can still do LD_PRELOAD/LD_LIBRARY tricks
and get access to the process's memory (or just log all library or system
calls, which gets you all the interesting stuff too, usually), and with
a little creativity there are plenty of other ways to get around lack of
read rights.
--
Frank v Waveren
fvw@[var.cx|stack.nl|chello.nl]  ICQ#10074100
Public key: hkp://wwwkeys.pgp.net/fvw@var.cx
Fingerprint: 21A7 C7F3 1FF3 47FF 545C CB53 7BD9 09C0 3AC1 6DF2
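The LD_PRELOAD trick Frank refers to, as an added example that is not part of the original thread: a small interposer library that logs every execve() and system() call a non-setuid program makes, so credentials the program passes on a command line land on stderr whether or not the binary itself is readable. The victim name admin-tool, the shim file name and the mysql arguments in the comments are assumptions; the build line is for gcc/glibc, and the interposition mechanism is the same one Solaris's ld.so.1 provides for non-setuid programs.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Added example (not from the original post): an LD_PRELOAD interposer
 * that logs command executions made by a non-setuid program.  Build and
 * use (file and program names are assumptions):
 *
 *   cc -shared -fPIC -o shim.so shim.c -ldl
 *   LD_PRELOAD=./shim.so ./admin-tool
 *
 * The dynamic loader ignores LD_PRELOAD for setuid/setgid binaries, which
 * is why this only matters for the non-setuid case discussed above.
 */

/* Join argv into one space-separated line, truncating safely to cap bytes
 * (including the NUL).  Returns the number of bytes written before the NUL. */
size_t format_argv(char *const argv[], char *out, size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return 0;
    out[0] = '\0';
    for (size_t i = 0; argv != NULL && argv[i] != NULL; i++) {
        int w = snprintf(out + n, cap - n, "%s%s", i ? " " : "", argv[i]);
        if (w < 0)
            break;
        if ((size_t)w >= cap - n) {   /* truncated: buffer is full */
            n = cap - 1;
            break;
        }
        n += (size_t)w;
    }
    return n;
}

/* Resolve the libc symbol we are shadowing. */
static void *next_symbol(const char *name)
{
    void *sym = dlsym(RTLD_NEXT, name);
    if (sym == NULL) {
        fprintf(stderr, "[shim] cannot resolve %s\n", name);
        _exit(127);
    }
    return sym;
}

/* Catches direct execve() calls, e.g. an admin tool running
 * "mysql -u admin -pSecret" (assumed example): the password is logged. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    static int (*real_execve)(const char *, char *const[], char *const[]);
    char line[4096];

    if (real_execve == NULL)
        *(void **)&real_execve = next_symbol("execve");
    format_argv(argv, line, sizeof line);
    fprintf(stderr, "[shim] execve(%s): %s\n", path, line);
    return real_execve(path, argv, envp);
}

/* system() spawns /bin/sh from inside libc without going through the
 * interposable execve symbol, so it needs its own hook. */
int system(const char *command)
{
    static int (*real_system)(const char *);

    if (real_system == NULL)
        *(void **)&real_system = next_symbol("system");
    fprintf(stderr, "[shim] system(%s)\n", command ? command : "(null)");
    return real_system(command);
}
```

Two caveats worth keeping in mind. First, this only helps against compiled binaries: on Linux an execute-only #! script cannot even be started by an unprivileged user, because the kernel hands the script path to the interpreter and the interpreter then fails to open it for reading. Second, anything the program does through libc internals rather than an exported symbol (as with system() above) needs its own hook, so a thorough shim also covers fopen(), getenv() and friends, or one falls back to a system-call tracer as Frank suggests.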