Question: Set-UID is an important security mechanism in Unix-based operating systems. When a Set-UID program is run, it assumes the owner's privileges. For example, if the program's owner is root, then when anyone runs this program, the program gains root's privileges during its execution. Set-UID allows us to do many interesting things, e.g., regular users can update their passwords by running the Set-UID passwd program. Unfortunately, Set-UID can also be the culprit behind many bad things, and in this problem we will understand some of its potential security problems. For this problem, you will need to have root access on a system running Linux. If you don't have root access on a Linux system, you need to create such an environment by installing a Linux OS in a virtual machine based on the instructions in the Syllabus under Special Software Installation Requirements.
(a) Figure out why the passwd command needs to be a Root Set-UID program. What will happen if it is not? Login as a regular user and copy this command to your own home directory (usually passwd resides in /usr/bin); the copy will not be a Set-UID program. Run the copied program, and observe what happens. Describe your observations and provide an explanation for what you observed.
(b1) zsh is an older shell, which unlike the more recent bash shell does not have certain protection mechanisms incorporated. Login as root, copy /bin/zsh to /tmp, and make it a Set-UID program with permissions 4755. Then login as a regular user, and run /tmp/zsh. Will you get root privileges? Please describe and explain your observation. If you cannot find /bin/zsh in your operating system, please run the following command as root to install it:
    For Fedora: yum install zsh
    For Ubuntu: apt-get install zsh
(b2) Login as root and instead of copying /bin/zsh, this time, copy /bin/bash to /tmp, make it a Set-UID program. Login as a regular user and run /tmp/bash. Will you get root privilege? Please describe and provide a possible explanation for your observation.
(c1) In most Linux distributions (Fedora and Ubuntu included), /bin/sh is actually a symbolic link to /bin/bash. To use zsh, we need to link /bin/sh to /bin/zsh. The following instructions describe how to change the default shell to zsh:
    login as root
    cd /bin
    rm sh
    ln -s zsh sh
The system(const char *cmd) library function can be used to execute a command within a program. The way system(cmd) works is to invoke the /bin/sh program, and then let the shell program execute cmd. Because a shell program is invoked, calling system() within a Set-UID program is extremely dangerous. This is because the actual behavior of the shell program can be affected by environment variables, such as PATH, and these environment variables are under the user's control. By changing these variables, malicious users can control the behavior of the Set-UID program. The Set-UID program below is supposed to execute the /bin/ls command; however, the programmer only uses the relative path for the ls command, rather than the absolute path:
    #include <stdlib.h>   /* declares system() */
    int main() {
        system("ls");     /* "ls" is resolved through PATH by /bin/sh */
        return 0;
    }
Login as root, create a new directory /tmp1 and set it to have the same permissions as /tmp, write this program into a file named bad_ls.c, compile it (using gcc -o bad_ls bad_ls.c) and copy the executable as a Set-UID program into /tmp1 with permissions 4755. Is it a good idea to let regular users execute the /tmp1/bad_ls program (owned by root) instead of /bin/ls? Describe an attack by which a regular user can manipulate the PATH environment variable in order to read the /etc/shadow file. Note: this part is not related to part (b), which means that you do not need to have zsh or bash copied into /tmp1. In other words, zsh is not available as a Set-UID program anymore.
(c2) Now, change /bin/sh so it points back to /bin/bash, and repeat the above attack. Can you still get the root privilege and list the contents of the /etc/shadow file? Describe and explain your observations.
Note: in this part, unlike in (b2), bash is not available as a SetUID program.
(c3) Specify what Linux distribution you used for Problem 2 (distribution & kernel version). You can find this information by running the command uname -a