A question about the adduser.perl file


A question about the adduser.perl file

Said Outgajjouft
Line 92
@pwd_mkdb = ("pwd_mkdb", "-p");    # program for building passwd database
and line 133
@pwd_mkdb = ("pwd_mkdb", "-p", "-d", ".");

Isn't it more secure to use absolute path for running the pwd_mkdb?


OpenBSD keep it real by keeping it free!
Said Outgajjouft


Re: A question about the adduser.perl file

frantisek holop
hmm, on Sun, Nov 27, 2005 at 04:31:31PM +0100, Said Outgajjouft said that
> Line 92
> @pwd_mkdb = ("pwd_mkdb", "-p");    # program for building passwd database
> and line 133
> @pwd_mkdb = ("pwd_mkdb", "-p", "-d", ".");
>
> Isn't it more secure to use absolute path for running the pwd_mkdb?

    @path = ('/bin', '/usr/bin', '/usr/local/bin');

-f
--
support your local police force - steal!


Re: A question about the adduser.perl file

steven mestdagh
On Mon, Nov 28, 2005 at 10:21:58AM +0100, frantisek holop wrote:
> hmm, on Sun, Nov 27, 2005 at 04:31:31PM +0100, Said Outgajjouft said that
> > Line 92
> > @pwd_mkdb = ("pwd_mkdb", "-p");    # program for building passwd database
> > and line 133
> > @pwd_mkdb = ("pwd_mkdb", "-p", "-d", ".");
> >
> > Isn't it more secure to use absolute path for running the pwd_mkdb?
>
>     @path = ('/bin', '/usr/bin', '/usr/local/bin');

that's the path where it looks for shells.  a bit further you can see

$ENV{'PATH'} = "/sbin:/bin:/usr/sbin:/usr/bin";

and that is where pwd_mkdb will be found.

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm


Re: A question about the adduser.perl file

Said Outgajjouft
steven mestdagh wrote:

>On Mon, Nov 28, 2005 at 10:21:58AM +0100, frantisek holop wrote:
>>hmm, on Sun, Nov 27, 2005 at 04:31:31PM +0100, Said Outgajjouft said that
>>>Line 92
>>>@pwd_mkdb = ("pwd_mkdb", "-p");    # program for building passwd database
>>>and line 133
>>>@pwd_mkdb = ("pwd_mkdb", "-p", "-d", ".");
>>>
>>>Isn't it more secure to use absolute path for running the pwd_mkdb?
>>
>>    @path = ('/bin', '/usr/bin', '/usr/local/bin');
>
>that's the path where it looks for shells.  a bit further you can see
>
>$ENV{'PATH'} = "/sbin:/bin:/usr/sbin:/usr/bin";
>
>and that is where pwd_mkdb will be found.
>
Hmm that doesn't answer my question.
The answer I am looking for could be one of the following.

1. The PATH environment is local to the process and cannot be tampered with.

2. The PATH environment is global, but if someone can tamper with it
   you are screwed anyway, so it doesn't matter that pwd_mkdb is called using a
   relative path.

3. The PATH environment, however slim the chance, can be tampered with, so
   adduser instead calls /evilfiles/pwd_mkdb; then adding an absolute path
   sounds like something that should be done.




Re: A question about the adduser.perl file

steven mestdagh
On Mon, Nov 28, 2005 at 04:30:25PM +0100, Said Outgajjouft wrote:

> >$ENV{'PATH'} = "/sbin:/bin:/usr/sbin:/usr/bin";
> >
> >and that is where pwd_mkdb will be found.
> >
> >
> Hmm that doesn't answer my question.
> The answer I am looking for could be one of the following.
>
> 1. The PATH environment is local to the process and cannot be tampered with.
>
> 2. The PATH environment is global but if someone can tampered with it
> you are screwed
>     anyway so it doesn't matter that the pwd_mkdb is called using a
> relative path.
>
> 3. The PATH environment however very slim can be tempered with so
> adduser instead calls
>    /evilfiles/pwd_mkdb then adding an absolute path sounds like
> something that should be done.

$ENV is inherited from the parent process, but $ENV{'PATH'} is set
explicitly inside the script, so it will have the desired value
mentioned above.



Re: A question about the adduser.perl file

Jimmy Scott
Quoting steven mestdagh <[hidden email]>:

> On Mon, Nov 28, 2005 at 04:30:25PM +0100, Said Outgajjouft wrote:
> > >$ENV{'PATH'} = "/sbin:/bin:/usr/sbin:/usr/bin";
> > >
> > >and that is where pwd_mkdb will be found.
> > >
> > >
> > Hmm that doesn't answer my question.
> > The answer I am looking for could be one of the following.
> >
> > 1. The PATH environment is local to the process and cannot be tampered with.
> >
> > 2. The PATH environment is global but if someone can tampered with it
> > you are screwed
> >     anyway so it doesn't matter that the pwd_mkdb is called using a
> > relative path.
> >
> > 3. The PATH environment however very slim can be tempered with so
> > adduser instead calls
> >    /evilfiles/pwd_mkdb then adding an absolute path sounds like
> > something that should be done.
>
> $ENV is inherited from the parent process, but $ENV{'PATH'} is set
> explicitly inside the script, so it will have the desired value
> mentioned above.
>
> Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
>
>

The script is not designed to be run by anyone else as root.
Which is a good idea since it's interactive and tainting is not enabled.

If you really need to add users as part of running a privileged binary
as an unprivileged user, you should use/make an API for this.

passwd(5) is a good place to start looking.

PS: There are many more things than $PATH to worry about.

Kind regards,
Jimmy Scott

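The thread's two technical points, that adduser.perl assigns $ENV{'PATH'} itself before invoking pwd_mkdb and that it does not run under taint mode, can be shown together in a small script. The following is an added example written for this page, not code from adduser.perl or from OpenBSD; the PATH value is the one quoted in the thread, while the helper names (scrub_env, resolve_trusted, run_trusted) and the hypothetical "/evilfiles/pwd_mkdb" name are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from adduser.perl): run a helper program from a
# privileged script the way the thread describes, under taint mode.
use strict;
use warnings;

# Same value adduser.perl assigns to $ENV{'PATH'} before calling pwd_mkdb.
# Assigning a string literal also untaints PATH, which -T requires before
# any subprocess is started (Perl checks PATH even when given a full path).
my $SAFE_PATH = "/sbin:/bin:/usr/sbin:/usr/bin";

# Replace the inherited PATH and drop other variables that change how a
# child program or its interpreter behaves.
sub scrub_env {
    $ENV{PATH} = $SAFE_PATH;
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV PERL5LIB PERL5OPT
                   LD_LIBRARY_PATH LD_PRELOAD)};
    return $ENV{PATH};
}

# Resolve a bare program name against the trusted directories only and
# return an absolute path, or undef if it is not there. Names with a slash
# are refused, so neither "../tmp/evil" nor "/evilfiles/pwd_mkdb" can be
# smuggled in by a caller; the result is untainted by construction.
sub resolve_trusted {
    my ($name) = @_;
    return undef unless $name =~ /^([A-Za-z0-9_.-]+)\z/;
    $name = $1;
    for my $dir (split /:/, $SAFE_PATH) {
        my $candidate = "$dir/$name";
        return $candidate if -f $candidate && -x _;
    }
    return undef;
}

# Run a program given as a list: the absolute path and its arguments go
# straight to execve(2), so no shell ever sees them and PATH is not consulted.
sub run_trusted {
    my ($name, @args) = @_;
    my $abs = resolve_trusted($name)
        or die "$name not found under $SAFE_PATH\n";
    system($abs, @args) == 0
        or die "$abs failed: exit " . ($? >> 8) . "\n";
    return $abs;
}

# Demonstration when run directly: the inherited PATH (which a caller may
# have pointed at a directory of their own) is discarded, and only names
# that resolve inside the trusted directories are accepted.
if (!caller) {
    print "inherited PATH: ", (defined $ENV{PATH} ? $ENV{PATH} : ''), "\n";
    print "hardened  PATH: ", scrub_env(), "\n";
    for my $name (qw(sh pwd_mkdb ../tmp/evil /evilfiles/pwd_mkdb)) {
        my $abs = resolve_trusted($name);
        printf "%-22s -> %s\n", $name, defined $abs ? $abs : "refused or not found";
    }
    # Harmless stand-in for the pwd_mkdb call; same list-form system().
    run_trusted("true");
}
```

Run it as `perl -T example.pl` (or make it executable and invoke it directly, since the shebang line carries -T; running it as `perl example.pl` fails with "Too late for -T"). Try it once more with `env PATH=/tmp/evil:$PATH`: the inherited value is printed and then replaced, which is exactly why the relative "pwd_mkdb" in adduser.perl resolves under /sbin:/bin:/usr/sbin:/usr/bin no matter what the caller exported. Taint mode adds the check adduser.perl does not have: had the script forgotten to set PATH, system() would die with "Insecure $ENV{PATH}" instead of silently searching the caller's directories.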