FS#20133 - [coreutils] su not resetting PATH environment variable
Attached to Project:
Arch Linux
Opened by aze489 (aze489) - Friday, 09 July 2010, 20:58 GMT
Last edited by Allan McRae (Allan) - Thursday, 29 July 2010, 10:57 GMT
Details
Description:
I noticed that su is not resetting the PATH environment variable.

    $ PATH=/evildir:$PATH su
    Password:
    # echo $PATH
    /evildir:/bin:/usr/bin:/sbin:/usr/sbin:/usr/bin/perlbin/site:/usr/bin/perlbin/vendor:/usr/bin/perlbin/core

The security implications of this behaviour are easy to understand. If an attacker could overwrite my PATH environment variable, he could become root pretty easily.

I searched for a way to fix this behaviour and the only way I found is to use su with the --login option; that way, su overwrites PATH with a safe value and resets environment variables:
http://git.savannah.gnu.org/gitweb/?p=coreutils.git;a=blob;f=src/su.c;h=f8f5b6188a54ca70417790afbef47f9924f6f1a2;hb=HEAD#l243

This is not optimal. I seriously doubt people are always thinking about using this option or even realise the consequences of not using it.

I tested other Linux distributions: Debian, Ubuntu and Gentoo don't have this problem. (Debian and Ubuntu use su from the "shadow" package, and it resets PATH using the variables ENV_SUPATH and ENV_PATH defined in /etc/login.defs.)

Package name: coreutils (latest version)

Steps to reproduce:

    $ PATH=/evildir:$PATH su
    Password:
    # echo $PATH
Closed by Allan McRae (Allan)
Thursday, 29 July 2010, 10:57 GMT
Reason for closing: Not a bug
Additional comments about closing: Documented upstream behaviour.
What are the relative merits of the various su implementations? If the one from shadow is obviously better, then I am happy to remove the one from the coreutils package.
Anyway, if someone gets to have enough permissions on your system that they can change your path, I am sure they can get root without having to wait for you to use "su" and run a binary in "/evildir"...
As for the merits of the different su implementations, shadow's seems to offer greater configurability, but I haven't extensively tested it.
Why is su from coreutils shipped with Arch Linux anyway? Did someone choose it over shadow's version for a reason?
Under the same sufficient condition the attacker can capture your root password or anything that you type on the keyboard, so he does not need this issue with su :)
dpkg -S /bin/su
login: /bin/su
But still, I don't see the connection between resetting $PATH and compromising local root. Also, I wonder how is it possible to capture root password: which program has to be vulnerable?
@djgera: Are you talking about a "keylogger" that would be injected using LD_PRELOAD to intercept keystrokes in applications? You know that LD_PRELOAD has no effect on setuid binaries (including su/sudo/X...), right? So I don't see how someone could capture my root password with such a technique.
In the same hypothetical scenario, where a vulnerable program allows writing to an arbitrary file (for example .profile), one can write an entry to it that launches an untrusted shell, etc.
If the shadow maintainer wants to include the "su" binary from that package, then that can be arranged.
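
The behaviour reported above can be checked for before running a plain `su`. The following is an added example, not part of the original report and not code from coreutils or shadow: a POSIX sh audit of the PATH a root shell would inherit. The `TRUSTED` allowlist and the function names `audit_path` and `first_hit` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the PATH that a root shell inherits from plain "su".
# TRUSTED is an assumed allowlist of system directories; adjust it locally.
TRUSTED="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# audit_path PATHSTRING
# Prints one finding per risky entry; returns 1 if anything was found.
audit_path() {
    rest="$1:"          # sentinel ":" so a trailing empty entry is seen
    rc=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case "$dir" in
            /*) ;;
            *)  # "", "." and other relative entries resolve against $PWD
                echo "relative:'$dir'"; rc=1; continue ;;
        esac
        case ":$TRUSTED:" in
            *":$dir:"*) ;;
            *) echo "untrusted:$dir"; rc=1 ;;
        esac
        [ -d "$dir" ] || continue
        # Mode of the directory itself, following symlinks (/bin -> usr/bin)
        mode=$(ls -ldL "$dir" | cut -c1-10)
        case "$mode" in
            ?????w????|????????w?) echo "writable:$dir"; rc=1 ;;
        esac
    done
    return "$rc"
}

# first_hit COMMAND PATHSTRING
# Prints the directory from which COMMAND would be resolved.
first_hit() {
    rest="$2:"
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        [ -n "$dir" ] || dir=.      # an empty entry means the current directory
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            echo "$dir"; return 0
        fi
    done
    return 1
}
```

After sourcing the file, `audit_path "$PATH"` lists the entries that would carry over into the root shell, and `first_hit ls "$PATH"` shows which directory would supply a given command there.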