From: Alan Glasser
Date: Fri, 19 Nov 2021 17:41:12 -0500
To: tuhs@minnie.tuhs.org
Subject: [TUHS] Two anecdotes

Here are two anecdotes that Doug suggested I share with TUHS (I am new to TUHS, having joined just last month).

*First*:
*The creation of access(2).*
[Marc Rochkind documented a version of this on page 56 of his book *Advanced Unix Programming* (1985, First Edition) discussing link(2). The footnote on that page says "Alan L. Glasser and I used this scheme to break into Dennis Ritchie and Ken Thompson's system back in 1973 or 1974."]

Doug pointed out that the timing was probably later, as access(2) was not in the Sixth Edition release, but probably right after the release (after May 1975?).
It arose from a discussion I was having with Marc, with whom I worked on SCCS and other PWB tools. We were discussing some mechanism that would require moving directories (actually, simple renaming) in a shell procedure. I told Marc that only root could make links to directories or unlink directories, but he told me that he has renamed directories with the mv command. I said then mv must be setuid to root, so we looked, and, of course, it was. I then looked at the source code for mv and quickly saw that there was no attempt to check permission on the real uid. So I told Marc it would allow anyone to become root. He wanted to see it in action, so I logged into research (I don't remember what our organization's shared login was). No one in our organization had root access on research. Marc and I didn't have root access on our organization's machines; Dick Haight et al. didn't share that privilege (Dick was the manager of the super-users). I think the actual sequence of commands was:

    cd /
    cp etc/passwd tmp
    ed tmp/passwd
    1s/^root:[^:]*:/root::/
    w
    q
    mv etc etc2
    mv tmp etc
    su
    mv etc tmp
    mv etc2 etc
    mv etc/as2 etc/.as2
    {logout, hangup and wonder}

The last bit was a test to see what was noticed about what I did.
Marc and I talked for a while about it and discussed if we had any need to be root on our local machines, but couldn't think of any pressing need, but knowing we could was a bit of a comfort. After a short time, Marc suggested logging back in to see what, if anything, had been done.

    /bin/mv had lost setuid to root
    /etc/as2 was restored
    /etc/.as2 was nonexistent

And the next day, the motd on research mentioned that there's a new syscall: access. And mv(1) now used it.
*Second*:

Our organization was one (out of possibly others) subject of Ken's *codenih* that he documented in his Turing Award article in CACM.

As previously described, root access was closely guarded in the PWB organization and, according to Doug, freely available in research. Ken had given us a login that was shared by PWB development and we had given Ken a login to our systems. We had no root access on research and Ken had no root access on our systems.

Our C compiler guy, Rich Graveman, who kept in close contact with Dennis and was always getting us the latest compiler to install, had gone to MH and came back with a tape of a new compiler. Rich, being a careful fellow, did a size on c0, c1, c2 on the files from the tape and did the same on the running compiler pieces in /lib.
Lo and behold, he discovered that the new compiler from Dennis was smaller than the old compiler even though it had a whole new feature (I think it was union). So Rich did nm's on the two different c0's and discovered a name "codenih" in the old compiler that wasn't in the new one from Dennis. He logged into research, cd'ed to /usr/ken and did an ls -ld codenih, followed by a cd codenih. Was he surprised! Then he went back to a local machine and tried to login as root/codenih, which, of course, worked. He was even more surprised and told a number of colleagues, myself included. (I logged into research and printed out the source in /usr/ken/codenih. I was super impressed.)

I think you misunderstood the codenih bit.
As Ken had given us a (shared among a few of us) login, we had given him one.
And Dick Haight refused him root access.
And no one in PY had root access on research.

So much for denying Ken root access on the PWB systems.
Ken "infected" the PWB C compiler with codenih, which gave him free rein. I don't know how or when he first installed it, but I suspect he was aware of any extant security holes (e.g., the mv setuid root) to allow him to replace the compiler the first time.

I don't know if the PWB crowd was the impetus for Ken writing codenih or if it was something he had used on others prior to us or if he ever used it on anyone else.
Needless to say, Dick Haight was beside himself.
I just thought it was a great feat of programming and was thrilled when he described it in CACM.

Alan
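The fix the first anecdote ends with, access(2), exists so that a setuid-root program can ask whether the real user, not the effective root, may touch a path. The C below is an added example, not code from the mail or from the original mv(1): a hypothetical checked_rename() gates rename(2) on that real-uid check, so a step like `mv etc etc2` run in `/` from an unprivileged login is refused before anything is renamed.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy dirname(path) into buf; dirname() may modify its argument. */
static void parent_dir(const char *path, char *buf, size_t len) {
    char tmp[PATH_MAX];
    snprintf(tmp, sizeof tmp, "%s", path);
    snprintf(buf, len, "%s", dirname(tmp));
}

/* 1 if the REAL uid may remove `from` and create `to`: write permission on
 * both parent directories.  access(2) evaluates the real uid, so a
 * setuid-root euid does not help the caller; this is the check old mv lacked. */
int real_user_may_rename(const char *from, const char *to) {
    char pfrom[PATH_MAX], pto[PATH_MAX];
    parent_dir(from, pfrom, sizeof pfrom);
    parent_dir(to, pto, sizeof pto);
    return access(from, F_OK) == 0 && access(pfrom, W_OK) == 0 &&
           access(pto, W_OK) == 0;
}

/* rename(2) only after the real user's permission has been verified. */
int checked_rename(const char *from, const char *to) {
    if (!real_user_may_rename(from, to))
        return -1;
    return rename(from, to);
}

/* Constructed scenario in a private temp tree: a rename inside our own
 * directory is allowed; one into a parent we cannot write to is refused. */
int demo(void) {
    char dir[] = "/tmp/access2demo.XXXXXX", a[PATH_MAX], b[PATH_MAX];
    int fd, ok;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(a, sizeof a, "%s/passwd", dir);
    snprintf(b, sizeof b, "%s/passwd.new", dir);
    if ((fd = open(a, O_WRONLY | O_CREAT, 0600)) >= 0)
        close(fd);
    ok = checked_rename(a, b) == 0;                             /* allowed */
    ok = ok && checked_rename(b, "/nonexistent/passwd") == -1;  /* refused */
    unlink(b); rmdir(dir);
    return ok;
}
```

access(2) is a check that precedes the act, so the path can change between the two; later setuid programs instead drop to the real uid before the operation and let the kernel enforce permission at the rename itself.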