
Re: SU: the mother of trojan horses

JF Martinez wrote:
> 
> I consider the way SU is implemented in RedHat (and Indy) a serious
> security problem:
> 
>  Phase 1: You execute a program like a normal user.  That program, without
> you knowing it, installs a copy of itself at $HOME/bin/ls and perhaps modifies
> the .profile in order to ensure your ~/bin is in front of the path.
> 
> Phase 2: One day you SU to root.  Given that RedHat's root does not
> reset the PATH, that means the trojan 'ls' will be executed and it will
> run with root rights.
> 
> Caldera manages this by reinitializing the environment (by the way,
> don't look at SU source code; the trick is in root's .bashrc and
> .bashrc_profile).  This is not fully satisfactory because that means the
> root shell will have /root as $HOME value and when an X app is started
> from the root shell it will not be looking at the right place for the
> MIT cookie.  Of course this is irrelevant because the $DISPLAY variable
> has also been lost when the environment was reinitialized.
> 
> So either we fix the broken RedHat way to SU or we recommend the
> user to do regular logins.
So that's why Mandrake gives the "MIT-Magic-Cookie" error by default
and refuses to run programs after you su to a different user.

I brute forced my way out of it by copying ~/.Xsecurity from /home/user
to /root
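As an added example (not from the thread), this POSIX sh audit shows the check an admin would want before trusting a PATH inherited across su: it flags relative entries, entries under the unprivileged user's $HOME (the ~/bin case above), and world-writable directories. The function names audit_path and path_is_safe are hypothetical.

```shell
#!/bin/sh
# Audit a PATH value before (or right after) an su that keeps the caller's
# environment.  Prints one line per risky entry: "<reason> <entry>".
#   relative : "" or "." or any entry not starting with "/" (resolves against cwd)
#   home     : entry lives under the unprivileged user's $HOME (the ~/bin case)
#   writable : directory is world-writable, so anyone could drop a trojan there
#
# usage: audit_path "<PATH string>" "<home dir of the unprivileged user>"
audit_path() {
    _path=$1
    _home=${2:?home directory required}
    # Split on ":" with parameter expansion only (no bash arrays); the
    # trailing ":" makes the loop consume the last entry too.
    _rest=$_path:
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case $_entry in
            ""|.|[!/]*)
                echo "relative ${_entry:-<empty>}" ;;
            "$_home"|"$_home"/*)
                echo "home $_entry" ;;
            *)
                # -prune keeps find on the directory itself; -perm -002 is the
                # POSIX test for the world-writable bit.
                if [ -d "$_entry" ] && \
                   [ -n "$(find "$_entry" -prune -perm -002 2>/dev/null)" ]; then
                    echo "writable $_entry"
                fi ;;
        esac
    done
}

# Returns 0 when nothing risky was found, 1 otherwise.
path_is_safe() {
    [ -z "$(audit_path "$1" "$2")" ]
}
```

Run it as `audit_path "$PATH" /home/user` in the shell you get from su; an empty result means no entry the unprivileged user could have seeded.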