Hi,
While looking for holes in the utility script that Glynn Clements sent, I
have realized that using "~/" may be dangerous. The original script:
On Wed, 1 Dec 1999, Glynn Clements wrote:
[---cut---]
> cp ~/static-rm ~/rm     # installing the "rm" binary needs to be
> mv -f ~/rm /tmp/rm      # safe against symlink games
> cd /tmp
> chroot /tmp /rm -rf .
[---cut---]
is very unlikely to be compromised. But if you'd like to write your own
scripts using the above idea, you'd better change "~/" to absolute paths
(i.e. /root/). Rogier Wolff <R.E.Wolff@BitWizard.nl>, with whom I have
discussed security issues of that script, stressed that the script was
intended to be run in multiuser mode. It will work well as long as the HOME
variable evaluates to /root, thus it will fail in single user mode.

Detailed explanation

"~/" is replaced by bash with the value of "$HOME". This variable for root
usually evaluates to "/root", but in single user mode it evaluates to "/".
If trusted or static binaries are put for example in /root/bin and the
binaries are referenced in scripts as ~/bin/something, bash will look
for binaries in /bin (that is /bin/something) when in single user mode.
Binaries from /bin are dynamically linked and if run chrooted to
/tmp, the library loader will look for /tmp/etc/ld.so.conf and
/tmp/lib/lib*.so. If you are attacked by an intruder who knows what
you have in your scripts, he may put his Trojan horses in those locations.

"~root/" or "~user/" seem to be safer. Bash takes the user's home directory
from /etc/passwd. When run in a script executed by bash, which was
chrooted to /tmp, the /tmp/etc/passwd is consulted.

Conclusions

1. Don't use "~/" in security related scripts or at least set the HOME
   variable.
2. Reconsider using "~user/" syntax in scripts that are run chrooted.

Greetings,
--
Bartosz Lis
Krokus sp. z o.o.
snail-mail: Sterlinga 26, 90-213 Lodz, Poland
e-mail: B.Lis@krokus.com.pl
phone: [POLAND](42) 63 00110
www: http://www.krokus.com.pl
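
An added example, not part of the original post: a shell sketch of the HOME-dependent expansion described above, with a guard a security-related script can run before touching any "~/" path and a simple check that lists lines using a bare "~/". TRUSTED_HOME and the function names are assumptions made for this illustration; bin/something is the post's own sample path.

```shell
#!/bin/sh
# Added illustration; names below are hypothetical, not from the original script.
TRUSTED_HOME=/root    # assumption: the home directory the script was written for

# Print what "~/bin/something" expands to for a given HOME value.
# Runs in a subshell so the caller's HOME is left untouched.
tilde_under_home() {
    ( HOME=$1; printf '%s\n' ~/bin/something )
}

# Guard for the top of a script: succeed only if HOME is exactly the
# directory the script expects, otherwise report and return non-zero.
require_home() {
    if [ "${HOME:-}" != "$TRUSTED_HOME" ]; then
        printf 'refusing to run: HOME=%s, expected %s\n' \
            "${HOME:-<unset>}" "$TRUSTED_HOME" >&2
        return 1
    fi
}

# Read a script on stdin and print (with line numbers) every line that
# starts a word with a bare "~/", i.e. a path that depends on HOME.
find_bare_tilde() {
    grep -nE '(^|[[:space:]=:])~/'
}

# Demo: the same word resolves to different files depending on HOME.
for h in /root /; do
    printf 'HOME=%-5s -> %s\n' "$h" "$(tilde_under_home "$h")"
done

# Demo on two constructed script lines modelled on the quoted script.
printf 'cp ~/static-rm ~/rm\ncd /tmp\n' | find_bare_tilde
```

With HOME set to "/", the expansion is printed as "//bin/something" or "/bin/something" depending on the shell; both name the same file.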