2.5.2p2 ssh-keyscan installed group writable?

Loomis, Rip GILBERT.R.LOOMIS at saic.com
Wed Mar 28 09:11:36 EST 2001 

Jason--
SetUID binaries are *not* A Bad Thing.
SetUID binaries are A Powerful Tool.

Sometimes a power hammer (using .22 shells)
can do things that a regular claw hammer
can't.  That doesn't mean that it's safe
to use for the novice.  

The correct answer for OpenSSH is, IMHO:
1.  Continue to support SetUID installation
	of the ssh client in order to
	support rsa-rhosts auth--but perhaps
	the default should transition over
	to non-SetUID (with a big warning note!)
2.  Install *all* executables (not just SetUID)
	as mode 511 (or 4511 if appropriate).
	There's no reason why root needs to be
	able to routinely overwrite them,
	and there's no reason why non-root
	users need to be able to routinely
	copy them or run strings/objdump on them...
	so why allow it?  This will require
	an additional step during an upgrade,
	but could also prevent accidental
	or intentional overwriting which is
	not desireable.

	I know of at least one system where
	when given a user-level account on this
	supposedly-secure system, it took me
	less than 20 minutes to find a poorly-
	written local SetUID binary, run
	strings against it, discover a call
	to an external binary *with a relative
	path*, craft an exploit, and take root.

	That was an extreme case...but it would
	have been near impossible if the perms
	on that poorly-written binary had been
	more sensible.  It doesn't mean that
	the idea of SetUID binaries is fundamentally
	flawed, since there are sometimes things
	which cannot be accomplished in any
	other feasible way.

Comments?

Rip Loomis		Voice Number: (410) 953-6874
--------------------------------------------------------
Senior Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com



> -----Original Message-----
> From: Jason Stone [mailto:jason at dfmm.org]
> Sent: Tuesday, March 27, 2001 5:21 PM
> To: Kevin Steves
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: 2.5.2p2 ssh-keyscan installed group writable?
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> > and i also wonder why isn't ssh group, other readable:
> > 
> >   no)
> >        AC_MSG_RESULT(no)
> >        SSHMODE=0711
> >        ;;
> >   *)   AC_MSG_RESULT(yes)
> >        SSHMODE=04711
> 
> Because it's (unfortunately) setuid, and you don't want 
> people to be able
> to easily read your setuid binaries.
> 
> For example, a linux exploit was just published today which allows any
> setuid binary to be exploited, but in order for the exploit 
> to work, you
> have to run objdump on the binary to find the bss offset.  If 
> the binary
> is not readable, then the above attack is frustrated (though not
> prevented).
> 
> Yet another reminder that suid binaries are A Bad Thing.
> 
> 
>  -Jason

More information about the openssh-unix-dev mailing list