Permissions
One technique that attackers use to gain root privilege is to first become a semiprivileged user such as bin or sys. Such semiprivileged users often own the directories in which root-owned files live. By way of example, consider the following:
drwxr-sr-x 11 bin 2560 Sep 22 18:18 /etc/mail -rw-r--r-- 1 root 8199 Aug 25 07:54 /etc/mail/sendmail.cf
Here, the /etc/sendmail.cf configuration file is correctly writable only by root. But the directory in which that file lives is owned by bin and writable by bin. Having write permission on that directory means that bin can rename and create files. An individual who gains bin permission on this machine can create a bogus sendmail.cf file by issuing only two simple commands:
%mv /etc/mail/sendmail.cf /etc/mail/...%mv /tmp/sendmail.cf /etc/mail/sendmail.cf
The original sendmail.cf is renamed
... (a name that is not likely to be randomly
noticed by the real system administrator). The bogus
/tmp/sendmail.cf then replaces the original:
drwxr-sr-x 11 bin 2560 Sep 22 18:18 /etc/mail -rw-r--r-- 1 bin 4032 Nov 16 00:32 /etc/mail/sendmail.cf
Unix pays less attention to semiprivileged users than it does root. The user root, for example, is mapped to nobody over NFS, whereas the user bin remains bin. Consequently, the following rules must be observed to prevent malicious access to root-owned files:
All directories in the path leading to a root-owned file must be owned by root and writable only by root. This is true for all files, not just ...
Get Sendmail, 3rd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
