Subject: Re: security issues with passing environment vars through su
To: Greywolf <greywolf@starwolf.com>
From: Greg A. Woods <woods@weird.com>
List: current-users
Date: 09/16/2003 15:05:08

[ On Tuesday, September 16, 2003 at 11:44:56 (-0700), Greywolf wrote: ]
> Subject: Re: /etc/rc.d scripts and $PATH
>
> Thus spake Greg A. Woods ("GAW> ") sometime Today...
>
> GAW> When I looked closely at the one value I really liked having inherited
> GAW> most I realized it was perhaps the most dangerous one of all: $ENV
>
> "Dangerous to your starfleet, Commander, NOT to this Battle Station!" :-)
>
> [to each their own; I exercise personal responsibility as each case
> permits, which means that I, and -not my OS-, is responsible for
> this sort of security/insecurity.

Yeah, well the problem is that you are indeed 100% responsible for this
sort of security and that means unless you do as I've done then you have
to treat your personal account as if it were facing the same threats the
root account is, because it _is_! (i.e. everyone has to treat every
account in the wheel group with as much, or more, care and attention to
every niggling tiny little detail as they treat the root account)

I decided I needed to eliminate some of the most dangerous of those
concerns since I realized I was unlikely to be able to successfully
discipline myself to always use a non-wheel member account any time I
did anything risky (such as read my incoming e-mail or browse the WWW or
even do DNS lookups).

Forcing 'su' to clear the environment seems, at least on first analysis,
to eliminate many of the automatic vectors possible for a trojan to
ride piggy-back without my noticing. Of course there's still the risk
of a trojan'ed "su" program, but that's only one thing to have to look
out for instead of an innumerable number of potential risks.

> That said, if there's a flag to alter
> the behaviour, great, but I personally find the typical non-BSD behaviour
> of 'su' to be completely out of line. That, though, is the result of
> having been "born and raised" on BSD :-).]

Well if you ever have the occasion to use a system I've configured, and
the privilege to be in the wheel group on that system, then you will not
be allowed to automatically pass your shell environment to your root
shell. There will be no if's, and's, or but's about it -- it just will
not be permitted at all, ever, and any attempt to subvert this (or any
other) protective measure will result in immediate loss of access. :-)

> MINOR nit: ENV is only going to be a problem if your scripts end up using
> it

No, ENV is a problem if it is set (at least so long as root's shell is
any shell which honours it, aka /bin/sh and /bin/ksh on base NetBSD).
Period.

The same applies to $HOME if your root shell is of the C Shell variety.

$PATH is right out too.

$EDITOR and $VISUAL have similar risks as well.

$OLDPWD may even be risky, though that's one I'm still thinking about
because it could really help eliminate the only complaint I have with my
fix to "su".

--
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com> Secrets of the Weird <woods@weird.com>
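
The variables named in the message above, as an added example that is not part of the original message and is not the author's change to su: POSIX sh functions that list which of them the current session exports to any child process, and that start a command with the environment emptied through the standard `env -i`. The function names, the fixed `SAFE_PATH` value and the choice to pass `TERM` through are assumptions of this example.

```shell
#!/bin/sh
# Added example; not the su modification discussed in the message.
# Variable names below are the ones the message calls out.
RISKY_VARS="ENV HOME PATH EDITOR VISUAL OLDPWD"

# Assumption of this example: root gets a fixed path of system directories.
SAFE_PATH="/sbin:/usr/sbin:/bin:/usr/bin"

# list_inherited: print the name of each risky variable that is exported,
# i.e. that a child process (such as a root shell) would receive as-is.
# A multi-line value can cause an extra match; that errs toward reporting.
list_inherited() {
    env | awk -F= -v names="$RISKY_VARS" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) risky[a[i]] = 1 }
        ($1 in risky) { print $1 }'
}

# run_clean CMD [ARGS...]: start CMD with an emptied environment.
# Only the fixed PATH and the terminal type are supplied (assumed policy),
# so ENV, HOME, EDITOR, VISUAL and OLDPWD never reach the child.
run_clean() {
    env -i PATH="$SAFE_PATH" TERM="${TERM:-dumb}" "$@"
}

# Demo: what this session would hand over, then what a cleaned child sees.
echo "risky variables exported by this session:"
list_inherited
echo "environment of a child started through run_clean:"
run_clean env
```
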