From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,FREEMAIL_FROM,MAILING_LIST_MULTI autolearn=ham
	autolearn_force=no version=3.4.4
Received: (qmail 31896 invoked from network); 20 Nov 2021 00:57:10 -0000
Received: from minnie.tuhs.org (45.79.103.53)
  by inbox.vuxu.org with ESMTPUTF8; 20 Nov 2021 00:57:10 -0000
Received: by minnie.tuhs.org (Postfix, from userid 112)
	id C37C1944C9; Sat, 20 Nov 2021 10:57:08 +1000 (AEST)
Received: from minnie.tuhs.org (localhost [127.0.0.1])
	by minnie.tuhs.org (Postfix) with ESMTP id A58E293D61;
	Sat, 20 Nov 2021 10:55:14 +1000 (AEST)
Authentication-Results: minnie.tuhs.org;
	dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="EAEd64Uq";
	dkim-atps=neutral
Received: by minnie.tuhs.org (Postfix, from userid 112)
 id CD61B93D61; Sat, 20 Nov 2021 10:55:11 +1000 (AEST)
Received: from mail-pj1-f53.google.com (mail-pj1-f53.google.com
 [209.85.216.53])
 by minnie.tuhs.org (Postfix) with ESMTPS id 5E38293D5E
 for <tuhs@minnie.tuhs.org>; Sat, 20 Nov 2021 10:55:11 +1000 (AEST)
Received: by mail-pj1-f53.google.com with SMTP id gt5so9150501pjb.1
 for <tuhs@minnie.tuhs.org>; Fri, 19 Nov 2021 16:55:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc:content-transfer-encoding;
 bh=embVq7qQUTVpztN9nReU/VAJyNvbrn53FcPOG7FjqLA=;
 b=EAEd64UqsOV4CYlJ5hVACDBH40kV/VhtVIgtdVKU5E/8WNUro2Guk2vQh1ywLNEXnQ
 GBdIh0Mx21KIIhlJhCg48Crnypnyv7703Y3nt5IWeUy7OlhIIPq9p77fwhwl0CCizyVR
 xbj6yYw5Zm8w25kHzHYVCgRqxoahy++TbReAAIrr14ZfgsMaSkfeocfNrsLFSnbars6g
 XUpdfyXu8XaJVoX+zUnrK4DDGTIkHh0s0HL1jIRlexmoAZG+jd0lqnUOXrGVX5DJeIaL
 qhXu2r22QpSe3q99+Yd/LSJBpwzQlCTrsTGIxSg1RbzK0R7I3xEjwBdgeMiXEXXGPTmF
 HNwA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc:content-transfer-encoding;
 bh=embVq7qQUTVpztN9nReU/VAJyNvbrn53FcPOG7FjqLA=;
 b=mlqch7drXsATZUEQQucx1hASv54jFZgx3zTyuyUAdC+1AVuUe8662lUWgVWYObm5Hh
 v+9Zjfmxo7H5vsc9rWLrlgMr3rqlHv8rLWqbxSOYNnHpx7AZbqaVETFWGMPoCv3zDyEq
 ThLOS4tSNI6CCjMWjD/OyD3hb1do6+0m+NDZbCTJR69r7/keSap9ntFkCL4IzUqCiRJh
 Oz+3lGnZ4/+h3B+WqoWREQeSBk97XSx1dSRjDAFvH3+NUP7/i3MuvPGIqxDHvq6rH7Tr
 BUyNEPKarebap/q9w6EfG/is2K4SCl/mpbHgK0l78iotw1hy2z5yQw0ZGGtGNlMVimu1
 YNDA==
X-Gm-Message-State: AOAM531XtjbZn2iTh0aunCAGdANlOM8BC7LgoC5kOeiNLidg5tieUvsy
 nvoV8HbJ7WOXYOnttf6P4yCl9Phd+FPcOSsh2cQ=
X-Google-Smtp-Source: ABdhPJx21hdgx8Dh88cH3+wz3JJl2tCXmHCAVdrYdChvdYcqacD/oiSLRx5jxXL3nSaBNDJeTBYPK3uYsyqbtYULsNY=
X-Received: by 2002:a17:90b:3149:: with SMTP id
 ip9mr5091140pjb.77.1637369710651; 
 Fri, 19 Nov 2021 16:55:10 -0800 (PST)
MIME-Version: 1.0
References: <CALpTLGqkTgJ6DUHZKfuwg-gNN=FbnC8FA8Dmz3u5PXLsc5jAPA@mail.gmail.com>
In-Reply-To: <CALpTLGqkTgJ6DUHZKfuwg-gNN=FbnC8FA8Dmz3u5PXLsc5jAPA@mail.gmail.com>
From: Rob Pike <robpike@gmail.com>
Date: Sat, 20 Nov 2021 11:54:59 +1100
Message-ID: <CAKzdPgxrTs4V0PG9Xae5WmH=_Pp2B45YU9mtWMO49mADmCBgcQ@mail.gmail.com>
To: Alan Glasser <alanglasser@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [TUHS] Two anecdotes
X-BeenThere: tuhs@minnie.tuhs.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: The Unix Heritage Society mailing list <tuhs.minnie.tuhs.org>
List-Unsubscribe: <https://minnie.tuhs.org/cgi-bin/mailman/options/tuhs>,
 <mailto:tuhs-request@minnie.tuhs.org?subject=unsubscribe>
List-Archive: <http://minnie.tuhs.org/pipermail/tuhs/>
List-Post: <mailto:tuhs@minnie.tuhs.org>
List-Help: <mailto:tuhs-request@minnie.tuhs.org?subject=help>
List-Subscribe: <https://minnie.tuhs.org/cgi-bin/mailman/listinfo/tuhs>,
 <mailto:tuhs-request@minnie.tuhs.org?subject=subscribe>
Cc: TUHS main list <tuhs@minnie.tuhs.org>
Errors-To: tuhs-bounces@minnie.tuhs.org
Sender: "TUHS" <tuhs-bounces@minnie.tuhs.org>

Clever though those anecdotes may be, it was much easier to become
root. Sometime around 1981, I was visiting USG and they were in a bit
of a panic, checking that their system was intact. Why? Because early
that morning, there was a phone call to the machine room:

"Hi, this is Ken. What's the root password?"

The call was successful.

Any sysadmin worth his paycheck would have known that Ken isn't awake
in the mornings and could have blocked this interloper. But...

-rob

On Sat, Nov 20, 2021 at 9:45 AM Alan Glasser <alanglasser@gmail.com> wrote:
>
> Here are two anecdotes that Doug suggested I share with TUHS (I am new to=
 TUHS, having joined just last month).
>
> First:
>
> The creation of access(2).
> [Marc Rochkind documented a version of this on page 56 of his book Advanc=
ed Unix Programming (1985, First Edition) discussing link(2).  The footnote=
 on that page says "Alan L. Glasser and I used this scheme to break into De=
nnis Ritchie and Ken Thompson's system back in 1973 or 1974."]
>
> Doug pointed out that the timing was probably later, as access(2) was not=
 in the Sixth Edition release, but probably right after the release (after =
May 1975?).
>
> It arose from a discussion I was having with Marc, with whom I worked on =
SCCS and other PWB tools. We were discussing some mechanism that would requ=
ire moving directories (actually, simple renaming) in a shell procedure. I =
told Marc that only root could make links to directories or unlink director=
ies, but he told me that he has renamed directories with the mv command. I =
said then mv must be setuid to root, so we looked, and, of course, it was. =
 I then looked at the source code for mv and quickly saw that there was no =
attempt to check permission on the real uid. So I told Marc it would allow =
anyone to become root. He wanted to see it in action, so I logged into rese=
arch (I don=E2=80=99t remember what our organization's shared login was).  =
No one in our organization had root access on research.  Marc and I didn't =
have root access on our organization's machines; Dick Haight et. al. didn't=
 share that privilege (Dick was the manager of the super-users).   I think =
the actual sequence of commands was:
> cd /
> cp etc/passwd tmp
> ed tmp/passwd
> 1s/^root:[^:]*:/root::/
> w
> q
> mv etc etc2
> mv tmp etc
> su
> mv etc tmp
> mv etc2 etc
> mv etc/as2 etc/.as2
> {logout, hangup and wonder}
> The last bit was a test to see what was noticed about what I did.
> Marc and I talked for a while about it and discussed if we had any need t=
o be root on our local machines, but couldn't think of any pressing need, b=
ut knowing we could was a bit of a comfort.  After a short time, Marc sugge=
sted logging back in to see what, if anything, had been done.
> /bin/mv had lost setuid to root
> /etc/as2 was restored
> /etc/.as2 was nonexistent
>
> And the next day, the motd on research mentioned that there's a new sysca=
ll: access.  And mv(1) now used it.
>
> Second:
>
> Our organization was one (out of possibly others) subject of Ken's codeni=
h that he documented in his Turing Award article in CACM.
>
> As previously described, root access was closely guarded in the PWB organ=
ization and, according to Doug, freely available in research.  Ken had give=
n us a login that was shared by PWB development and we had given Ken a logi=
n to our systems. We had no root access on research and Ken had no root acc=
ess on our systems.
>
> Our C compiler guy, Rich Graveman, who kept in close contact with Dennis =
and was always getting us the latest compiler to install, had gone to MH an=
d came back with a tape of a new compiler.  Rich, being a careful fellow, d=
id a size on c0, c1, c2 on the files from the tape and did the same on the =
running compiler pieces in /lib.
> Lo and behold, he discovered that the new compiler from Dennis was smalle=
r than the old compiler even though it had a whole new feature (I think it =
was union).  So Rich did nm's on the two different c0's and discovered a na=
me "codenih" in the old compiler that wasn't in the new one from Dennis.  H=
e logged into research, cd'ed to /usr/ken and did an ls -ld codenih, follow=
ed by a cd codenih.  Was he surprised!  Then he went back to a local machin=
e and tried to login as root/codenih, which, of course, worked.  He was eve=
n more surprised and told a number of colleagues, myself included.  (I logg=
ed into research and printed out the source in /usr/ken/codenih.  I was sup=
er impressed.)
>
> I think you misunderstood the codenih bit.
> As Ken had given us a (shared among a few of us) login, we had given him =
one.
> And Dick Haight refused him root access.
> And no one in PY had root access on research.
>
> So much for denying Ken root access on the PWB systems.
> Ken "infected" the PWB C compiler with codenih, which gave him free rein.=
  I don't know how or when he first installed it, but I suspect he was awar=
e of any extant security holes (e.g., the mv setuid root) to allow him to r=
eplace the compiler the first time.
>
> I don't know if the PWB crowd was the impetus for Ken writing codenih or =
if it was something he had used on others prior to us or if he ever used it=
 on anyone else.
> Needless to say, Dick Haight was beside himself.
> I just thought it was a great feat of programming and was thrilled when h=
e described it in CACM.
>
> Alan
>
>
>