From: Warner Losh <imp@bsdimp.com>
To: Bakul Shah <bakul@iitbombay.org>
Cc: The Eunuchs Hysterical Society <tuhs@tuhs.org>
Subject: [TUHS] Re: File descriptor fun and games (setuid)
Date: Sun, 29 Jan 2023 17:45:43 -0700 [thread overview]
Message-ID: <CANCZdfo0++qzrv+zQXLurXbwedh2+_zVrjpNGd+Vy5PSxpugDA@mail.gmail.com> (raw)
In-Reply-To: <2D760346-E44F-4248-9122-19A5E4EDA42D@iitbombay.org>
[-- Attachment #1: Type: text/plain, Size: 4323 bytes --]
On Sun, Jan 29, 2023, 3:59 PM Bakul Shah <bakul@iitbombay.org> wrote:
> Sorry for nitpicking but I don't understand why closing fd 1 *before*
> calling mount result in this behavior? Shouldn't a write(1, ...) just fail?
>
Because if it is closed the first open will return 1. And that's also where
the printf will go...
Warner
Anyway, this sounds like a classic case of "the confused deputy".
> http://www.cap-lore.com/CapTheory/ConfusedDeputy.html
>
> Of course, a tighter security design might've made it much more difficult
> to apply useful hacks like the one Mike Muus did!
>
> On Jan 29, 2023, at 11:39 AM, Ron Natalie <ron@ronnatalie.com> wrote:
>
> Another of Ron’s historical diversions that came to mind.
>
> Most of you probably know of various exploits that can happen now with
> setuid programs, but this was pretty loose back in the early days. I was
> a budding system programmer back in 1979 at Johns Hopkins. Back then
> hacking the UNIX system was generally considered as sport by the students.
> The few of us who were on the admin side spent a lot of time figuring out
> how it had happened and running around fixing it.
>
> The first one found was the fact that the “su” program decided that if it
> couldn’t open /etc/passwd for some reason, things must be really bad and
> the invoker should be given a root shell anyhow. The common exploit would
> be to open all the available file descriptors (16 I think back then) and
> thus there wasn’t one available. That was fixed before my time at JHU
> (but I used it on other systems).
>
> One day one of the guys who was shuffling stuff back and forth between
> MiniUnix on a PDP-11/40 and our main 11/45 UNIX came to me with his RK05
> file system corrupted. I found that the superblock was corrupted. With
> some painstaking comparison to another RK05 superblock, I reconstituded it
> enough to run icheck -s etc.. and get the thing back. What I had found
> was that the output of the “mount” command had been written on the
> superblock. WTF? I said, how did this happen. Interrogating the user
> yielded the fact that he decided he didn’t want to see the mount output so
> he closed file descriptor one prior to invoking mount. Still it seemed
> odd.
>
> At JHU we had lots of people with removable packs, so someone had modified
> mount to run setuid (with the provision of only allowing certain devices to
> be mounted certain places). At his point we had started with the idea of
> putting volume labels in the superblock to identify the pack being mounted.
> Rather than put the stuff in the kernel right away, Mike Muuss just
> hacked reading it from the super block in the usermode mount program so
> that he could put the volume label in /etc/mtab. Now you can probably see
> where this is headed. It opens up the disk, seeks to the pack label in
> the superblock and reads it (for somereason things were opened RW). Then
> the output goes to file descriptor 1 which just happens to be further in
> the superblock.
>
> I figured this out. Fixed it and told Mike about it. I told him there
> were probably other setuid programs around that had the problem and asked
> if it was OK if I hacked on things (at the time I yet was not trusted with
> the root password). He told me to go ahead, knock yourself out.
>
> Well I spent the evening closing various combinations of file descriptors
> and invoking setuid programs. I found a few more and noted them. After
> a while I got tired and went home.
>
> The next day I came in and looked through our paper logbook that we filled
> out anytime the machine was shutdown (or crashed). There was a note from
> two of the other system admins saying they had shut the system down to
> rebuild the accounting file (this was essentially the shadow password file
> and some additional per-user information not stored in /etc/passwd). The
> first 8 bytes were corrupted. Oh, I say, I think I might know how that
> happened. Yeah, we thought you might. Your user name was what was
> written over the root entry in the file. The passwd changing program was
> one of the ones I tested, but I hadn’t noticed any ill-effects for it at
> the time.
>
>
>
[-- Attachment #2: Type: text/html, Size: 8899 bytes --]
next prev parent reply other threads:[~2023-01-30 0:47 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-29 19:39 [TUHS] " Ron Natalie
2023-01-29 22:57 ` [TUHS] " Bakul Shah
2023-01-30 0:45 ` Warner Losh [this message]
2023-01-30 1:17 ` Bakul Shah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CANCZdfo0++qzrv+zQXLurXbwedh2+_zVrjpNGd+Vy5PSxpugDA@mail.gmail.com \
--to=imp@bsdimp.com \
--cc=bakul@iitbombay.org \
--cc=tuhs@tuhs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).