Security hole in RT's setuid handling


#1

After having a fresh RT install print the following at me, I
investigated:

Insecure $ENV{BASH_ENV} while running setuid at /opt/rt/lib/rt/support/mail.pm line 137.

The setuid wrapper for RT doesn't do any environment cleansing.

Hostile users can pass in LD_PRELOAD and the like to perform arbitrary
operations as the RT user.


#2

Folks,
I’m stuck in the wilds of Connecticut until tomorrow evening. If
anyone has a bit of spare time to start to research and put together
a patch for or replacement of the setuid script to deal with the issue
Daniel reported, I’d appreciate it greatly. I’d very much like to get
this fixed in the next few days and get a fix out by the end of the weekend.

    Thanks,
    Jesse

On Tue, Aug 22, 2000 at 04:51:22PM -0400, Daniel Hagerty wrote:
> After having a fresh RT install print the following at me, I
> investigated:
>
> Insecure $ENV{BASH_ENV} while running setuid at /opt/rt/lib/rt/support/mail.pm line 137.
>
> The setuid wrapper for RT doesn't do any environment cleansing.
>
> Hostile users can pass in LD_PRELOAD and the like to perform arbitrary
> operations as the RT user.


Rt-devel mailing list
Rt-devel@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-devel

jesse reed vincent — root@eruditorum.org jesse@fsck.com
pgp keyprint: 50 41 9C 03 D0 BC BC C8 2C B9 77 26 6F E1 EB 91
As I sit here alone looking at green text on a laptop in a mostly bare room listening
to loud music wearing all black, I realize that it is much less cool in real life :)
–Richard Tibbets


#3

Ok. I’ve talked to folks and it is in fact a bug that we’re not clobbering
BASH_ENV. However, I have it on decent authority that LD_PRELOAD is
going to be ignored on a setuid binary anyway.

BASH_ENV will be fixed in 1.0.5.

On Tue, Aug 22, 2000 at 04:51:22PM -0400, Daniel Hagerty wrote:
> After having a fresh RT install print the following at me, I
> investigated:
>
> Insecure $ENV{BASH_ENV} while running setuid at /opt/rt/lib/rt/support/mail.pm line 137.
>
> The setuid wrapper for RT doesn't do any environment cleansing.
>
> Hostile users can pass in LD_PRELOAD and the like to perform arbitrary
> operations as the RT user.



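The fix the thread converges on (posts #1 and #3) is for the setuid wrapper to scrub its environment before anything downstream can start a shell that honours BASH_ENV. The following is an added illustration, not RT's own wrapper: an allow-list scrubber in C, with the permitted variable names and the fixed PATH chosen here as assumptions.

```c
/* Added example, not RT's code: environment allow-listing for a setuid
 * wrapper.  Only named variables pass; BASH_ENV, ENV, IFS, LD_PRELOAD,
 * PERL5LIB and everything else unlisted are dropped rather than denied
 * one by one.  The allow-list and PATH value are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char *const kAllowed[] = { "TZ", "LANG", "HOME", NULL };
static const char kSafePath[] = "PATH=/usr/bin:/bin";

/* Non-zero if the "NAME=value" entry names an allow-listed variable. */
static int allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t n = eq ? (size_t)(eq - entry) : strlen(entry);
    for (const char *const *p = kAllowed; *p; ++p)
        if (strlen(*p) == n && memcmp(*p, entry, n) == 0)
            return 1;
    return 0;
}

/* Build a clean, NULL-terminated envp in `out` from `in`: a fixed PATH
 * first, then allow-listed entries (pointers, no copies).  Returns the
 * entry count, or -1 if `out` (capacity `cap`) is too small. */
int scrub_env(char *const in[], const char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2) return -1;
    out[n++] = kSafePath;
    for (size_t i = 0; in[i]; ++i) {
        if (!allowed(in[i])) continue;
        if (n + 1 >= cap) return -1;   /* keep room for the NULL */
        out[n++] = in[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* Value of NAME in a NULL-terminated envp, or NULL if absent. */
const char *env_get(const char *const envp[], const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; envp[i]; ++i)
        if (strncmp(envp[i], name, len) == 0 && envp[i][len] == '=')
            return envp[i] + len + 1;
    return NULL;
}
```

A real wrapper would pass the scrubbed array as the envp argument of execve() instead of inheriting environ, so that Perl's taint check at mail.pm line 137 never sees a caller-controlled BASH_ENV.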