The Unix Heritage Society mailing list
From: clemc@ccc.com (Clem Cole)
Subject: [TUHS] The evolution of Unix facilities and architecture
Date: Fri, 12 May 2017 20:22:23 -0400
Message-ID: <CAC20D2P28DukBiky3D6NTGkjm+vwYuhrNHFz416bv1oGV82cjg@mail.gmail.com>
In-Reply-To: <20170512233012.7B9DB18C099@mercury.lcs.mit.edu>

Interesting...   I don't remember Gettys being at the meeting (I would get
to know Jim a few years later when he was at Princeton before he came back
to MIT to work on X) and he's been a friend of mine for a number of years
(actually lives in the next town over).

I do not remember all the details of the bug at this point, too many beers
ago; but yes, the gist of the issue was being able to write to user memory
with a ptraced process with SUID being involved.

The only thing that worries me about your response is I thought I remembered
that the MMU was somehow involved.   Just turning off SUID was not the only
part of the solution.

I do remember that the bug was in the Research kernel at the time and
Dennis had not known about it until that meeting so if PWB had it fixed,
that's an example of something that did not go back, which I would find
surprising.

I suspect MIT found and fixed it independently, but it never got passed
back for whatever reason.

We should try to look in the PWB 1.0 kernel.

Clem

On Fri, May 12, 2017 at 7:30 PM, Noel Chiappa <jnc at mercury.lcs.mit.edu>
wrote:

>     > From: Clem Cole
>
>     > I said -- profil - I intended to say  ptrace(2)
>
> Is that the one where running an SUID program under the debugger allowed
> one to patch the in-core image of said program?
>
> If so, I have a story, and a puzzle, about that.
>
>
> A couple of us, including Jim Gettys (later of X-windows fame) were on our
> way out to dinner one evening (I don't recall when, alas, but I didn't meet him
> until '80 or so), and he mentioned this horrible Unix security bug that had
> just been found. All he would tell me about it (IIRC) was that it involved
> ptrace.
>
> So, over dinner (without the source) I figured out what it had to be:
> patching SUID programs. So I asked him if that was what it was, and I don't
> recall his exact answer, but I vaguely recall he hemmed and hawed in a way
> that let me know I'd worked it out.
>
> So when we got back from dinner, I looked at the source to our system to
> see if I was right, and.... it had already been fixed! Here's the code:
>
>         if (xp->x_count!=1 || xp->x_iptr->i_mode&ISVTX)
>                 goto error;
>
> Now, we'd been running that system since '77 (when I joined CSR), without
> any changes to that part of the OS, so I'm pretty sure this fix pre-dates your
> story?
>
> So when I saw your email about this, I wondered 'did that bug get fixed at
> MIT when some undergrad used it to break in' (I _think_ ca. '77 is when
> they switched from an OS called Delphi on the -11/45 used for the undergrad CS
> programming course - I _think_ they switched that machine from Delphi to
> Unix), or did it come with PWB1? (Like I said, that system was mostly
> PWB1.)
>
> So I just looked in the PWB1 sources, and... there it is, the _exact_ same
> fix. So we must have got it from PWB1.
>
> So now the question is: did the PWB guys find and fix this, and forget to
> tell the research guys? Or did they tell them, and the research guys blew
> them off? Or what?
>
>         Noel
>