From mboxrd@z Thu Jan 1 00:00:00 1970 From: michael@kjorling.se (Michael =?utf-8?B?S2rDtnJsaW5n?=) Date: Sun, 26 Feb 2017 19:39:27 +0000 Subject: [TUHS] EMACS movemail suid root bug In-Reply-To: References: <20170226124657.GB21079@yeono.kjorling.se> <20170226170543.GA21831@yeono.kjorling.se> <22DFC2A3-0279-43FD-BBD6-9A1BF32E5E80@tfeb.org> Message-ID: <20170226193927.GE21831@yeono.kjorling.se> On 26 Feb 2017 14:19 -0500, from jim at deitygraveyard.com (Jim Carpenter): > No problem to sent a file from your area to mine. But you'd better not > be able to move a file into the protected systems area: only the system > manager is allowed there. Stallman's software had better make sure this can't > happen. > > Gnu didn't check. It let anyone move a file into protected systems > space. The hacker knew this; we didn't. That agrees well with my translated version. So in a sense, everything that the Emacs movemail (thanks Tim) bug allowed you to do was _really_ enabled by the fact that there existed a user SOMEONE, for which ~SOMEONE was a directory, _used at least in part for privileged purposes by the operating system_, to which ordinary users were expected to not have any write access? Consequently, if system (as opposed to regular user) accounts had had a home directory set to something else, some place where it didn't really matter if an unprivileged user was able to drop files, then that bug would have been a nuisance (giving random users the ability to take up disk space unaccounted for, requiring clean-up) but not really the problem it became? Looking at my modern Debian system, I see users in /etc/passwd with home directories like /bin, /usr/sbin, /var/spool/postfix, /proc, /var/run/sshd, within but not actually /etc, ... So in effect, we are still to a large degree relying on people not making the same kind of mistake that was made in movemail when writing code that runs suid root. I know that anything running as suid root is potentially very dangerous, but that seems like a trivial mitigative strategy. (When was the last time anyone logged in as "daemon" on a modern Linux system, let alone needed their home directory then to be /usr/sbin?) -- Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se “People who think they know everything really annoy those of us who know we don’t.” (Bjarne Stroustrup)