Rixstep

Too Much Sudo Fun

Careful, Alice!

As demonstrated in 'Sudo Fun' it's possible to hijack use of the Unix sudo with less than optimal results: OS X boxes can namely be compromised in a number of ways.

What's been further demonstrated at this point is that 'Sudo Fun' also works on 'generic' Unix: Ubuntu's 'Dapper Drake' release has been shown to also be susceptible.

'Sudo Fun' is a simple but often overlooked way to 'hijack' a login session, planting devious command directories in $PATH so trojan programs run instead. What's particularly worrying about this threat is that there is no 'black box' means of thwarting it: users must manually check their systems for signs of malfeasance prior to running any sudo command line.

Alice Already Tripped

But this is hardly new territory: the bash variant was discussed years ago - but summarily dismissed by the bash maintainers.

Unfortunately the topic you are bringing up is not really a bug. You are talking about basic security paradigms of unix-like systems. Here on bug-bash is not the right forum for this type of general operating system design type of discussion.

Usually the attack vector is through social engineering attacks. Phishing and other things. This is nothing new.

You would need to trick the non-root user into running your trojan'd command. If you try to trick many people certainly some will fall prey to the attack. But you will find it difficult to exploit this on every person. Most actually are smart enough to avoid these attacks. And trying to exploit this on demand to any one individual is particularly hard.

Again, the bug-bash mailing list is not a good forum for this type of discussion. Unless you have a specific bug related to bash itself or other discussion related to it then I suggest a different place of discussion. Nothing you have suggested would be any different for ash, zsh, ksh, csh, tcsh, or any of the other shells.

Bob

But bash users won't accept this smug dismissal: it's not only the flawed logic, it's the attitude. As they point out, there's no trick involved: the only trick is on bash, not the user. The user sees nothing - not unless all computer work is stopped every five minutes to make sure bash hasn't screwed up again.

For the record.

  • This might not be a 'bug' but it's certainly a security concern where bash comes up way short.
  • Pretentious phrases like 'basic security paradigms of unix-like systems' don't impress anybody.
  • A discussion of how bash puts on the kettle for the Ringwraith is not a 'general operating system design type of discussion' - it's about a specific program running in conjunction with another specific program (sudo) and how to rectify the cock-up that's taken place.

Yesterday's Homework, Today's Assignments

The article on 'Sudo Fun' left the implementation of the OS X specific exploit to the reader. For those who haven't yet discovered it, here it is.

defaults write ~/.MacOSX/environment Shell /bin/bash

defaults automatically creates ~/.MacOSX if it doesn't already exist. The clever black hat would namely attack on as many fronts as possible all at once to ensure success: if one remains undiscovered the attack still succeeds.

This gives the user that much more to worry about: each and every attack vector has to be checked manually, all the time, for signs of intrusion. This can't be part of the 'basic security paradigms of unix-like systems', or categorised as a 'general operating system design type of discussion', and it's certainly not what ken and dmr had in mind.

The bash maintainers need to get down off their hobby horses, stop all the blogging, figure out a solution, and write some code.

CLIX 1.8

CLIX 1.8 has facilities to thwart path hijacking. It's available for download now. It's free.

Resolve Path

ACP users also have a new text service: they can see where things are going before they get there.

sudo find /Developer \( -name *.lproj -and \! \( -name English.lproj -or -name en.lproj -or -name en_AU.lproj -or -name en_CA.lproj -or -name en_GB.lproj \) \) -exec rm -rf {} \;

/usr/bin/sudo /usr/bin/find /Developer \( -name *.lproj -and \! \( -name English.lproj -or -name en.lproj -or -name en_AU.lproj -or -name en_CA.lproj -or -name en_GB.lproj \) \) -exec /bin/rm -rf {} \;
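The same check, as an added example that is not Rixstep's CLIX or ACP code: resolve the command words of a sudo command line against a PATH string, the way the Resolve Path service above does, and report any command that would run from a directory outside a trusted list (the planted lookup directory of 'Sudo Fun'). Assumes bash 4 or later; the function and variable names are this example's own.

```shell
# Added example (not Rixstep code). Assumes bash 4+; the directories and
# commands used to exercise it are constructed, not taken from a real box.

RESOLVED=()   # absolute paths substituted by the last resolve_cmdline call

# resolve_in_path NAME PATHSTRING -> first executable NAME found, rc 1 if none
resolve_in_path() {
    local name=$1 dir dirs
    IFS=: read -r -a dirs <<< "$2"          # split on ':' without globbing
    for dir in "${dirs[@]}"; do
        [ -z "$dir" ] && dir=.              # an empty PATH element means cwd
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# resolve_cmdline PATHSTRING WORD... -> the same words, with the first word,
# the command after sudo (sudo options don't resolve, so they are skipped)
# and every word after -exec/-execdir replaced by where they would run from
resolve_cmdline() {
    local path=$1; shift
    local out=() w want=1 hit
    RESOLVED=()
    for w in "$@"; do
        if [ "$want" = 1 ] && hit=$(resolve_in_path "$w" "$path"); then
            w=$hit; want=0; RESOLVED+=("$hit")
        fi
        out+=("$w")
        case $w in sudo|*/sudo|-exec|-execdir) want=1 ;; esac
    done
    printf '%s\n' "${out[*]}"
}

# hijack_suspects TRUSTED PATHSTRING WORD... -> resolved commands whose
# directory is not in the colon-separated TRUSTED list, one per line
hijack_suspects() {
    local trusted=":$1:" w; shift
    resolve_cmdline "$@" >/dev/null
    for w in "${RESOLVED[@]}"; do
        case $trusted in *":${w%/*}:"*) ;; *) printf '%s\n' "$w" ;; esac
    done
    return 0
}
```

Running the page's find command line through hijack_suspects with TRUSTED set to /bin:/usr/bin:/sbin:/usr/sbin before typing it after sudo is the manual check the article says the user is stuck doing; an empty result means every command word resolved where expected.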

Credit and thanks to Alpha, Bruner, GC, Yan, and all the rest at the forum for pounding the pavement and tweaking the code.

See Also
ACP: ACP Text Services
Learning Curve: Sudo Fun
Industry Watch: Resolve Path

Copyright © Rixstep. All rights reserved.