SUMMARY: GID=0 security considerations

From: Ross.Stocks.INSDRS01@nt.com
Date: Wed Jul 26 1995 - 06:30:16 CDT


Original post:

I deal with two "Fortune 500" companies who supply us with printing
solutions. Both have designed systems to be attached to our corporate
network for the electronic submission of print job requests. Both have
designed their systems to have the primary print operator/controller
log in as root. They design their systems to require root access in
order to perform normal administrative activities such as creating/
deleting/modifying print queues. They do not deny that that is a bad
practice. Possibly they will quit designing their systems that way.

To deal with the immediate situation, one vendor has modified the
administrator account and given it a GID of 0 in the passwd file.
Clearly a UID of 0 would be a no-no. My gut feeling is that setting
the GID to 0 should also be frowned upon.

The end users are basically nontechnical. For the most part they do not
have any advanced technical training either from four or two-year
institutions. They are barely Unix literate.

What are your opinions? How vulnerable does the system become if a
poorly controlled root account has a connection to the corporate WAN?
How much vulnerability does a GID 0 account produce in the hands of a
non-clued user? Averagely clued? Hacker/cracker?

Thanks for your time to ponder the questions. I will summarize if
anyone "me-too's" me (or if any of those expressing opinions say that
they think it's good general knowledge that should be posted regardless).

SUMMARY:

Not a good idea. Given the low level of expertise of the users, they
are probably not a threat for maliciousness, but just the kind of
accidental damage that can occur when non-clued users have root. My
backups will protect the data, and I'll only be out the time and effort.
The real risk is the opening that it would provide to a cracker. One of
the vendors has a beta here, and I am pushing as hard as I can to force
them to change their approach now rather than later. Eventually the
corporate weenies are going to figure this out and require absolute
control of root. I think I am giving the vendors good advice when I
tell them that they need to do this now, not later when forced to do it.

Several people suggested sudo: I have not looked at it yet, but did
refer the vendors to it.

Here is the meat of the responses:

From blymn@awadi.com.au:

> What you may consider is writing a script that allows them to manage
> the printers in a point-n-shoot manner and then use the free program
> "sudo" to give them root privileges *just* to run this script. If the
> script is written carefully then you should close up most of the
> holes. BTW don't be tempted just to write a suid script, these are
> far too easy to subvert.

From citicds!cntower!arash@uunet.uu.net:

> One thing that you might
> want to consider is to create a root-setuid copy of all the related printing
> programs (make sure none are a shell script). Make those programs
> executable only by the group (i.e. chmod a-rwx *; chmod g+rx *). Change
> the group ownership to prnadmin group which will be the group consisting
> of those who would do printer administration and place the programs in
> a directory that has the same permissions (i.e. a-rwx, g+rx).

> This is still risky, but is much better than giving root access to people.

From Kevin.Sheehan@uniq.com.au:

> There is absolutely no reason to have a printer application run as either
> uid or gid 0.

> gid 0 isn't as bad, but why don't they just change it to "printer/printer"
> and use regular IDs??

Thanks to all for your responses. At least one vendor is interested
enough to have asked for copies of all your responses. I have happily
provided them unedited so that they can appreciate the horror that was
expressed at handling root in this fashion.
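
An audit for the situation described in this thread, as an added example that is not part of the original post or any respondent's code: it lists non-root accounts that hold GID 0 (as primary or supplementary group) and the paths group 0 can write to. The function names and the sample passwd/group contents are constructed for illustration; on a live host pass /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Added example: find non-root accounts that hold GID 0.

# Accounts whose primary group is 0 but whose UID is not 0.
# passwd fields: name:passwd:uid:gid:gecos:home:shell
gid0_primary() {
    awk -F: '$4 == 0 && $3 != 0 { print $1 }' "$1"
}

# Supplementary members (other than root) of any group whose GID is 0.
# group fields: name:passwd:gid:member,member,...
gid0_supplementary() {
    awk -F: '$3 == 0 && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "root") print m[i]
    }' "$1"
}

# Combined, de-duplicated list of account names.
gid0_report() {
    { gid0_primary "$1"; gid0_supplementary "$2"; } | sort -u
}

# Files and directories under $1 that are group-owned by GID 0 and
# group-writable: part of what a GID-0 account gains over an ordinary user.
gid0_writable() {
    find "$1" -xdev -group 0 -perm -020 \( -type f -o -type d \) 2>/dev/null
}

# Constructed sample data, written into directory $1.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
prtadmin:x:1001:0:Print operator:/home/prtadmin:/bin/sh
jdoe:x:1002:10:Ordinary user:/home/jdoe:/bin/sh
EOF
    cat > "$1/group" <<'EOF'
root::0:root,operator2
other::1:
lp::8:root,lp,adm
staff::10:
EOF
}

# Usage: script passwd-file group-file
if [ "$#" -eq 2 ]; then gid0_report "$1" "$2"; fi
```

Running `gid0_writable /` (or on individual file systems) shows the paths an account listed by `gid0_report` could modify without ever becoming UID 0.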


