LINUX TIPS AND TRICKS --- October 27, 2000

Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters

*********************************************************************

Shells and Security
by Danny Kalev

Last week, we learned how to launch a command shell from a program 
using the system() and popen() functions. This week's lesson covers 
the security issues these functions raise and shows how to minimize 
the risks associated with their usage. 

The main problem with launching shells is that attackers might 
piggyback their own shell commands on a system() or popen() call by 
including special metacharacters and flags in the command string being 
passed to the shell for execution. (A metacharacter is a sequence of 
one or more characters that the shell interprets as a directive with a 
special meaning.) For example, the bash, csh, and ksh shells treat the 
symbol >> as an instruction to append output to a file, and the 
symbol ; as a command separator, which allows several commands to be 
grouped on one line. Allowing users to compose a command string that 
may contain metacharacters is highly dangerous. Even when the shell 
runs under an account with limited privileges, users can still collect 
sensitive information by listing files in the current directory or 
exploring the network configuration, for example by passing the 
following string to the shell:

   ls;finger

Another issue of concern is the ability to manipulate the Input Field 
Separator (IFS) and environment variables such as $HOME and $PATH to 
launch malicious programs. Finally, attackers can exploit the infamous 
buffer overflow bug, which we discussed several weeks ago, by typing a 
very long string. 

How can you minimize the risks involved in launching shells from a 
program? 

    * Don't use system() and popen() in any program or script publicly 
      accessible on your Web host.
    * It's strongly advised that you don't use these functions in SGID 
      and SUID programs and scripts.
    * Limit the length of an input string so that it doesn't cause a 
      buffer overflow.
    * Finally, screen the input string and remove any metacharacters 
      from it before you pass it to system() or popen().

Remember, in most cases you can give users the ability to make their 
selection from menus, check boxes, radio lists, etc., and let your 
program compose a safe command string instead of accepting an input 
string directly from a user.
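
The following is an added example, not code from the original 
newsletter. It applies the length limit and input screening from the 
list above with an allow-list, and goes one step beyond the text by 
running the program through fork() and execve() instead of system(), 
so no shell ever parses the string. The names is_safe_arg, run_ls and 
MAX_ARG, the 64-character limit and the /bin/ls path are assumptions 
made for this example.

```c
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ARG 64   /* assumed length limit for this example */

/* Return 1 only if s is short and built from an allow-list of characters.
 * Everything else (; >> | & $ ` quotes, spaces, newlines) is rejected.
 * This screens shell syntax; it does not decide which paths are allowed. */
int is_safe_arg(const char *s)
{
    size_t n;

    if (s == NULL || (n = strlen(s)) == 0 || n > MAX_ARG)
        return 0;
    if (s[0] == '-')                 /* must not look like an option flag */
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '/' && c != '-')
            return 0;
    }
    return 1;
}

/* List dir with /bin/ls without involving a shell. Returns the exit
 * status of ls, or -1 if the input was rejected or ls could not be run. */
int run_ls(const char *dir)
{
    char *const argv[] = { "ls", "--", (char *)dir, NULL };
    /* Fixed environment: inherited IFS, PATH and HOME are dropped. */
    char *const envp[] = { "PATH=/bin:/usr/bin", NULL };
    int status;
    pid_t pid;

    if (!is_safe_arg(dir))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                  /* child: fixed path, fixed argv */
        execve("/bin/ls", argv, envp);
        _exit(127);                  /* reached only if execve failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Because the argument reaches ls as a single argv entry, a string such 
as ls;finger is rejected by the screen and would in any case never be 
split into two commands.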



*********************************************************************

About the author
----------------
Danny Kalev is a system analyst and software engineer with more
than 10 years of experience, specializing in C++ and
object-oriented analysis and design on various platforms including
VMS, DOS, Windows, Unix, and Linux. His technical interests involve
code optimization, networking, and distributed computing. He is
also a member of the ANSI C++ standardization committee and the
author of ANSI/ISO C++ Professional Programmer's Handbook (Que,
1999). Contact him at linuxnl@excite.com.
 
*********************************************************************


Copyright 2000 ITworld.com, Inc., All Rights Reserved. 

http://www.itworld.com
