It is interesting to see that old problems with set-uid commands keep coming back. Allow me to speed up the discussion a bit by enumerating a few other channels for attack on set-uid commands.

A quick perusal of /usr/include/sys/proc.h reveals a large number of "inputs" that a child process may inherit from a potentially untrusted parent process. The list includes, but is not limited to:

- command-line array
- environment array
- open files
- current directory
- blocked/enabled signals
- pending timers
- resource limits
- scheduling priority

All these sources of data can be, and have been, involved in attacks on set-uid or set-gid commands (although I do not remember specific details of pending timer attacks).

In addition to these "inheritance" attacks, which are specific to set-uid and set-gid commands, set-uid and set-gid commands can be exposed to attacks via the /proc interface, and can be exposed to ordinary data-driven attacks by feeding them nasty inputs.

Thus, set-uid and set-gid commands are exposed to a lot more attack types than your average network service. The reason that network attacks get more attention is simply that there are more opportunities to exploit them.

Wietse
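The message above lists the process state a set-uid program inherits from its caller. The following is an added example, not code from Wietse's message, showing the kind of startup routine a set-uid program can run to neutralize most of those inherited inputs before doing anything privileged. It assumes Linux/POSIX interfaces; every function name, the fixed PATH value and the self-check scenario are constructed for illustration.

```c
/* Added example, not from Wietse's post: a startup routine that a set-uid
 * program could call to neutralize the inherited "inputs" listed above.
 * Assumes Linux/POSIX; all function names and the PATH value are made up. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <unistd.h>

static const char *const SAFE_PATH = "PATH=/usr/bin:/bin";  /* constructed value */

int fd_is_open(int fd) { return fcntl(fd, F_GETFD) != -1 || errno != EBADF; }

/* Open files: open() returns the lowest free descriptor, so if the caller
 * closed stdout, a later privileged open() would silently become fd 1.
 * Give 0-2 a /dev/null backing, then drop everything from lowfd upward. */
int ensure_std_fds(void) {
    for (int fd = 0; fd < 3; fd++) {
        if (fd_is_open(fd)) continue;
        if (open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY) != fd) return -1;
    }
    return 0;
}
int close_inherited_fds(int lowfd) {            /* pass 3 at program start */
    long maxfd = sysconf(_SC_OPEN_MAX);
    for (long fd = lowfd; fd < (maxfd > 0 ? maxfd : 1024); fd++) close((int)fd);
    return 0;
}

/* Signals: default every disposition and unblock everything, so the parent
 * cannot leave, say, SIGPIPE ignored or SIGALRM blocked for us. */
int reset_signals(void) {
    struct sigaction sa; memset(&sa, 0, sizeof sa); sa.sa_handler = SIG_DFL;
    for (int sig = 1; sig < NSIG; sig++)
        if (sig != SIGKILL && sig != SIGSTOP) sigaction(sig, &sa, NULL);
    sigset_t none; sigemptyset(&none);
    return sigprocmask(SIG_SETMASK, &none, NULL);
}
int signal_is_default_and_unblocked(int sig) {
    struct sigaction cur; sigset_t mask;
    if (sigaction(sig, NULL, &cur) == -1 || sigprocmask(SIG_BLOCK, NULL, &mask) == -1) return 0;
    return cur.sa_handler == SIG_DFL && !sigismember(&mask, sig);
}

/* Pending timers: interval timers survive exec(), so disarm all three. */
int cancel_timers(void) {
    struct itimerval off = {{0, 0}, {0, 0}};
    return setitimer(ITIMER_REAL, &off, NULL) | setitimer(ITIMER_VIRTUAL, &off, NULL)
         | setitimer(ITIMER_PROF, &off, NULL);
}
int timer_is_armed(int which) {
    struct itimerval cur;
    return getitimer(which, &cur) == 0 && (cur.it_value.tv_sec || cur.it_value.tv_usec);
}

/* Resource limits: a tiny soft RLIMIT_FSIZE makes privileged writes truncate
 * midway; raising soft to hard is always permitted. Also forbid core dumps,
 * which would expose privileged memory. */
int reset_resource_limits(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_FSIZE, &rl) == -1) return -1;
    rl.rlim_cur = rl.rlim_max;
    if (setrlimit(RLIMIT_FSIZE, &rl) == -1) return -1;
    if (getrlimit(RLIMIT_CORE, &rl) == -1) return -1;
    rl.rlim_cur = 0;
    return setrlimit(RLIMIT_CORE, &rl);
}
int core_dumps_disabled(void) {
    struct rlimit rl;
    return getrlimit(RLIMIT_CORE, &rl) == 0 && rl.rlim_cur == 0;
}

/* Environment: build a fresh one instead of filtering the caller's, so
 * LD_PRELOAD, IFS and whatever else it contained never reach libc. */
char **build_safe_env(void) {
    char **env = calloc(2, sizeof *env);
    if (env) env[0] = strdup(SAFE_PATH);    /* env[1] stays NULL */
    return env;
}

/* Run all of the above. Current directory and scheduling priority are also
 * inherited: chdir() somewhere known if the cwd is not needed, and check
 * getpriority() instead of trusting it (only root can lower a nice value). */
int sanitize_inherited_state(char ***env_out) {
    if (ensure_std_fds() == -1 || close_inherited_fds(3) == -1) return -1;
    if (reset_signals() == -1 || cancel_timers() == -1) return -1;
    if (reset_resource_limits() == -1) return -1;
    umask(077);                              /* files we create are private */
    *env_out = build_safe_env();
    return *env_out ? 0 : -1;
}

/* Dirty this process the way a hostile parent might, sanitize, and verify.
 * Returns 0 when every check passes, otherwise a bitmask of failures. */
int self_check(void) {
    int fail = 0, pfd[2];
    sigset_t s; sigemptyset(&s); sigaddset(&s, SIGUSR1);
    sigprocmask(SIG_BLOCK, &s, NULL);
    signal(SIGUSR1, SIG_IGN);
    struct itimerval t = {{0, 0}, {3600, 0}};
    setitimer(ITIMER_REAL, &t, NULL);
    if (pipe(pfd) == -1) return 1;
    char **env = NULL;
    if (sanitize_inherited_state(&env) == -1) fail |= 2;
    if (fd_is_open(pfd[0]) || fd_is_open(pfd[1])) fail |= 4;
    if (!signal_is_default_and_unblocked(SIGUSR1)) fail |= 8;
    if (timer_is_armed(ITIMER_REAL)) fail |= 16;
    if (!core_dumps_disabled()) fail |= 32;
    if (!env || !env[0] || strcmp(env[0], SAFE_PATH) != 0 || env[1]) fail |= 64;
    return fail;
}
```

In a real program, sanitize_inherited_state() is the first thing called from main(), before any privileged file or network operation, and the returned array replaces environ (or is passed to execve()). The one inherited input it cannot neutralize is the command-line array, which remains ordinary untrusted input and has to be validated like any other.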
This archive was generated by hypermail 2b30 : Wed Apr 24 2002 - 12:07:49 PDT