Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <663a0880-a3d2-4a7d-b85d-3d0cc31cc021@oracle.com>
Date: Wed, 8 Jan 2025 15:31:03 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: "/bin/sh: The Biggest Unix Security Loophole" paper from 1984

The Unix Historical Society has recently received and shared a copy
of a Bell Labs technical report from 1984 by James Allen titled
"/bin/sh: The Biggest Unix† Security Loophole" - the scanned doc is at:
https://www.tuhs.org/Archive/Documentation/TechReports/Bell_Labs/ReedsShellHoles.pdf

While this report reveals no real surprises 40 years later, it's conclusion
is advice that wouldn't sound out of place today:

    Setuid programs (with the sole exception of the su command) should not
    execute shells.  Further, they should not execute any program whose
    name does not begin with a slash.  In all cases they should check their
    arguments *very* carefully.  They should not call any of these dangerous
    subroutines:

       execlp
       execvp
       popen
       system

    The last two of these (as we saw above) can involve execution of extra
    shells not intended by the programmer.  Each call to any of the above,
    or to any other form of exec should be preceded by a setuid(getuid())
    if at all possible.

    The typical UNIX system has too many setuid programs.

This should serve as additional reference for how long we've known about
and had to fix shell injections and similar bugs.  Fortunately when
discussing other classes of bugs, it's prediction that "it is very unlikely
that UNIX will ever be immune to this kind of loophole" has not stood the
test of time as well.

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris

† UNIX was a trademark of AT&T Bell Laboratories when that report was written.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.