What was the configuration error?

Dr. Frederick B. Cohen (fc@all.net)
Wed, 14 Jun 1995 05:07:21 -0400 (EDT)

Since enough of you have asked, here we go:

The error was that I didn't follow my own directions for setting up the
setUID area on the server.  Instead, I made the www user the same ID as
another user, I made /bin/sh in the setUID area executable by the world,
and I made /bin/sh in the setUID area owned by the www user.  Having
done all three of the things you have to do to make a program executable
by an outsider, the program became executable.

The setUID environment left no way to expand the privilege, so even
after not following directions and doing something extraordinarily
stupid, the protection still held, but in order to protect against
people as dumb as the designers, we made a change by removing the
unnecessary execution capability of the get-only server.

As a side issue, and one that I think is interesting and important, we
are now developing a "POST-only" server to go along with the get-only
server.  The philosophy is that the environment suitable for outsiders
to execute programs is much different from the one suitable for them to
read files.  By separating these environments, I think we can get far
greater security while retaining the same functionality.

-- 
-> See:  Info-Sec Heaven using our New Super Secure World-Wide-Web Server
-> Free: Test your system's security (scans deeper than SATAN or ISS!)
---------------------- both at URL: http://all.net ----------------------
-> Read: "Protection and Security on the Information Superhighway"
	 John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
-------------------------------------------------------------------------
   Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
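The three conditions the post lists (www sharing a UID with another account, the shell in the setUID area being world-executable, and that shell being owned by www) can be checked mechanically. The audit below is an added example, not code from Dr. Cohen or the all.net server; it builds a constructed throwaway setUID area, with the current UID standing in for www so the ownership check runs without root, and the passwd text and account names are assumptions.

```python
import os
import stat
import tempfile


def parse_passwd(passwd_text):
    """Map account name -> numeric uid from passwd(5)-style lines; blank and '#' lines skipped."""
    uids = {}
    for line in passwd_text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) >= 3:
                uids[fields[0]] = int(fields[2])
    return uids


def audit_setuid_area(area_root, www_user, passwd_text, shell="bin/sh"):
    """Report which of the three conditions from the post hold for the shell in the setUID area.
    The program is runnable by an outsider only when all three are True."""
    uids = parse_passwd(passwd_text)
    www_uid = uids[www_user]
    shared = any(name != www_user and uid == www_uid for name, uid in uids.items())
    st = os.lstat(os.path.join(area_root, shell))
    return {
        "www_shares_uid": shared,
        "shell_world_exec": bool(st.st_mode & stat.S_IXOTH),
        "shell_owned_by_www": st.st_uid == www_uid,
    }


def all_three_hold(report):
    """True when every condition holds, i.e. the misconfiguration the post describes."""
    return all(report.values())


def demo(fix_shell_mode=False):
    """Constructed sample: a temp setUID area whose bin/sh is owned by the current uid,
    and a passwd table (assumed) in which 'bob' and 'www' share that uid."""
    me = os.getuid()
    passwd = (f"root:x:0:0:root:/:/bin/sh\n"
              f"bob:x:{me}:{me}:Bob:/home/bob:/bin/sh\n"
              f"www:x:{me}:{me}:Web server:/usr/www:/bin/false\n")
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        sh = os.path.join(root, "bin", "sh")
        with open(sh, "w") as f:
            f.write("#!/bin/sh\n")
        # the mistake: world-executable; the fix applied in the post: strip execute bits
        os.chmod(sh, 0o644 if fix_shell_mode else 0o755)
        return audit_setuid_area(root, "www", passwd)
```

`demo()` reproduces all three findings; `demo(fix_shell_mode=True)` shows that removing the execute bit alone is enough to break the chain, which is the change the post describes.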