/bin/sh: the biggest Unix security loophole (1984) [pdf]

98 points by vitplister 5 days ago

I had the "joy" of watching some guys from Perforce setup a new p4 instance.

They confed /etc/sudoers so that the perforce user can run everything as root without providing a password. I told them that this is really a bad idea, and they pulled up one of their setup guides with "enhanced security hardening".

It ended up with ~35 specific entries for binaries in sudoers, one of them being /usr/sbin/setcap - which allows you to give e.g. the Python interpreter CAP_SETUID, making a privilege escalation to root trivial again.

dehrmann - 2 days ago

We love to praise Unix, but it wasn't built for modern multi-user use. FUSE was an after-thought. So were package managers, and they got added, but they require root. Users aren't sandboxed, so they can see what others are doing. These were just off the top of my head.
- Vogtinator - 2 days ago
  
  For multiple users on the same server it was IMO well designed. Everyone had their ~ and could place whatever libraries/binaries/etc. in there and do whatever they wanted.
  Package managers are way more modern than that and their design does by itself not require root (see pip). You can in fact run most package managers without root, you just won't be able to modify system files. You can use them to install a chroot as regular user, e.g. `zypper --installroot ~/tw install bash`.
  FUSE doesn't really relate to single vs. multi-user AFAICT.
  Users are perfectly sandboxed if you configure the system that way. Depending on the distribution that's even the default.
  - IshKebab - a day ago
    
    Oh yeah? How can I install Clang using Apt without root?
    
    s1gsegv - a day ago
    
    This is largely a package manager problem. There is a way to run Homebrew (the package manager widely used on macOS) on Linux in a rootless mode, and it will install packages into your home directory no problem.
    It’s a good trick to have in your back pocket if you’re given an unprivileged user on a compute node and want to make use of modern tools.
    
    ErikBjare - a day ago
    
    You don't need to install it with apt
    
    IshKebab - a day ago
    
    Indeed but the claim was:
    > You can in fact run most package managers without root
    It is very clear from the context that dehrmann was talking about Linux distro package managers (Apt, Yum, Dnf, Apk, etc.) and as far as I know they all require root, or at least I have never once seen someone use them without root.
    
    ErikBjare - 20 hours ago
    
    I figured most package managers (brew, pip, nix, npm, etc.) are not actually one of the few Linux distro package managers. You listed them almost exhaustively after all (excepting pacman).
    
    IshKebab - 18 hours ago
    
    Right but as I said from the context it was clear he was talking about distro package managers, not language package managers.
    Nix requires root (at least by default). Brew I'll give you - I didn't know you can use it on Linux. Do people actually do that enough that it works reliably?
    
    ErikBjare - 18 hours ago
    
    I don't think that was clear. If they really meant that, which I honestly doubt because it would be so obviously false, then I agree with you.