246 Security AT&T was so pleased with the SUID concept that it patented it. The intent was that SUID would simplify operating system design by obviating the need for a monolithic subsystem responsible for all aspects of system secu- rity. Experience has shown that most of Unix's security flaws come from SUID programs. When combined with removable media (such as floppy disks or SyQuest drives), SUID gives the attacker a powerful way to break into otherwise “secure” systems: simply put a SUID root file on a floppy disk and mount it, then run the SUID root program to become root. (The Unix-savvy reader might object to this attack, saying that mount is a privileged command that requires superuser privileges to run. Unfortunately, many manufacturers now provide SUID programs for mounting removable media specifically to ameliorate this “inconvenience.”) SUID isn’t limited to the superuser—any program can be made SUID, and any user can create an SUID program to assume that user’s privileges when it is run (without having to force anybody to type that user’s password). In practice, SUID is a powerful tool for building traps that steal other users’ privileges, as we’ll see later on. The Cuckoo’s Egg As an example of what can go wrong, consider an example from Cliff Stoll’s excellent book The Cuckoo’s Egg. Stoll tells how a group of com- puter crackers in West Germany broke into numerous computers across the United States and Europe by exploiting a “bug” in an innocuous utility, called movemail, for a popular Unix editor, Emacs. When it was originally written, movemail simply moved incoming pieces of electronic mail from the user’s mailbox in /usr/spool/mail to the user’s home directory. So far, so good: no problems here. But then the program was modified in 1986 by Michael R. Gretzinger at MIT’s Project Athena. Gretzinger wanted to use movemail to get his electronic mail from Athena’s electronic post office running POP (the Internet Post Office Protocol). In order to make movemail work properly with POP, Gretzinger found it necessary to install the program SUID root. You can even find Gretzinger’s note in the movemail source code: /* * Modified January, 1986 by Michael R. Gretzinger (Project Athena) * * Added POP (Post Office Protocol) service. When compiled -DPOP * movemail will accept input filename arguments of the form * "po:username". This will cause movemail to open a connection to * a pop server running on $MAILHOST (environment variable). * Movemail must be setuid to root in order to work with POP.
Holes in the Armor 247 * * ... */ There was just one problem: the original author of movemail had never suspected that the program would one day be running SUID root. And when the program ran as root, it allowed the user whose mail was being moved to read or modify any file on the entire system. Stoll’s West Ger- man computer criminals used this bug to break into military computers all over the United States and Europe at the behest of their KGB controllers. Eventually the bug was fixed. Here is the three-line patch that would have prevented this particular break-in: /* Check access to output file. */ if (access(outname,F_OK)==0 && access(outname,W_OK)!=0) pfatal_with_name (outname) It’s not a hard patch. The problem is that movemail itself is 838 lines long—and movemail itself is a minuscule part of a program that is nearly 100,000 lines long. How could anyone have audited that code before they installed it and detected this bug? The Other Problem with SUID SUID has another problem: it give users the power to make a mess, but not to clean it up. This problem can be very annoying. SUID programs are (usually) SUID to do something special that requires special privileges. When they start acting up, or if you run the wrong one by accident, you need a way of killing it. But if you don’t have superuser privileges your- self, you are out of luck: Date: Sun, 22 Oct 89 01:17:19 EDT From: Robert E. Seastrom rs@ai.mit.edu To: UNIX-HATERS Subject: damn setuid Tonight I was collecting some info on echo times to a host that’s on the far side of a possibly flakey gateway. Since I have better things to do than sit around for half an hour while it pings said host every 5 seconds, I say: % ping -t5000 -f 60 host.domain logfile &