CS155: Computer Security, Spring 2004
Programming Project #2
Due: Thursday, May 13th, 2004, 11:59 pm

1 Introduction

1.1 Summary

In this project, you will write Josh, the journaling operator shell. Josh is a setuid-root shell that allows users to undertake a subset of root's capabilities.

Your starting point is OSH, a minimal shell developed by Gunnar Ritter. You may work alone, or in pairs. You should not collaborate with others outside your group.

You will use the Boxes system again. Remember to test your Josh in a closed box. This assignment specification is quite long, but much of it is intended to clarify points of confusion raised by previous years' students. Please be sure to read it carefully before beginning to code.

1.2 The Problem

As discussed in class, the classical Unix permissions model does not manage privilege delegation effectively. To perform routine administrative tasks (such as cleaning out the /tmp directory), one must possess the root password, and can therefore perform other, undesirable actions (such as reading users' mail). This limitation manifests itself most acutely in large Unix installations, where there are typically many administrators tasked with various duties. Finer granularity of access is required for such systems, along with the ability to correctly log the important events for post-attack analysis.

Various systems have been devised to overcome this limitation, and allow unprivileged users to undertake some subset of root's capabilities. A commonly-used example is Sudo (http://www.sudo.ws/). We will take an approach more like that taken by OSH, the Operator Shell by Michael Neuman. The site for OSH has been mirrored on the class website at http://cs155.stanford.edu/osh.html. You might want to read the SANS III conference paper linked from the OSH home page, and mirrored on the class website at http://cs155.stanford.edu/osh.sansIII.ps. The paper is good to get some ideas on how to implement the required functionality for our project - however, it is not meant to be a design doc.

1.3 Our Solution

We will develop a new shell, called Josh - the Journaling operator shell - which will enable privilege delegation in the Unix environment.

In Unix, the command interpreter is not part of the kernel, and is in fact modular and interchangeable. The command interpreter program is called a shell; it reads user requests, parses them, and makes the system calls required to fulfill the requests on the user's behalf. Seventh Edition Unix (Jan 1979) shipped with the Bourne Shell, /bin/sh; 2BSD (May 1979) shipped with Bill Joy's C Shell (/bin/csh). The KornShell (/bin/ksh) was first released in 1983 and was for some time an at-cost add-on for Unix System V.

Today, people typically use either bash, a Bourne-shell reimplementation, or tcsh, a C Shell enhancement.

None of these shells is designed to be run setuid-root.

1.4 Starter Code

Writing a shell is a non-trivial project in itself. Besides the fork-exec-openpipe infrastructure required for implementing shell pipelines, there's a considerable amount of parsing and bookkeeping that must be taken care of. To keep you from having to start your project by implementing a shell - an excellent CS193u project, by the way - we provide you with OSH, the Old Shell (no relation to the Operator Shell described above). OSH is a feature-for-feature-compatible reimplementation of the Sixth Edition shell (May 1976) by Gunnar Ritter (http://omnibus.ruf.uni-freiburg.de/~gritter). While OSH lacks some features we expect in modern shells (notably backticks and control structures) it packs quite a few features into 837 lines of C. (Bash is about 100,000 lines.)

1.5 Recommended Reading

For some practical ideas about security dos and don'ts, read David Wheeler's "Secure Programming for Unix and Linux HOWTO" (http://www.dwheeler.com/secure-programs/), which is linked from the course website.

For Unix programming in general, there is no better source than W. Richard Stevens' Advanced Programming in the UNIX Environment (Addison-Wesley, 1992, ISBN 0-201-56317-7). Go buy it now.

You might also want to refer to the source of various software components with which Josh will interact, such as the Linux kernel (http://www.kernel.org/) or the GNU C Library (http://www.gnu.org/software/libc/).

1.6 Using Boxes

We retain the Boxes distribution from pp1, as installed on the Linux machines in Sweet Hall. Since you will be doing Unix systems programming this time, we make available the manpages-dev package, omitted in the Boxes distribution, which contains man pages for Linux syscalls and C library routines. You can obtain this package from the CS 155 website at http://cs155.stanford.edu/manpages-dev_1.48-2_all.deb and install it in Boxes by typing, as root,

box:~# dpkg -i /path/to/manpages-dev_1.48-2_all.deb

(where you don't type the root prompt box:~# and where the actual path to the package replaces /path/to).

Note that the filesystem image contains the Expect utility (http://expect.nist.gov/), to allow you to test your shell out non-interactively, if you wish.

The wrapper interface to Boxes remains the same. You should check out the FAQ in the Boxes distribution, and the additional information posted to the newsgroup for basic information on getting Boxes up and running.

2 What you need to do

Now we describe the tasks you must undertake in creating Josh. Of course, you need not stick to the order in which we present them.

2.1 Step One: Secure the Perimeter

Though OSH, your starter shell, is good code, it was not written to be run setuid root. You should start by familiarizing yourself with the structure of the shell, auditing it with security in mind, and thinking about how best to extend it.

One thing to note: OSH currently searches the working directory for a program before searching the path for the program. This is dangerous (e.g., in the case when /tmp contains a malicious executable named "ls"). You should modify OSH so it executes programs in the working directory only if $PATH includes a "." or an empty component, or if a program is invoked as, e.g., ./program.

Another thing to note: Previous years' students have identified a buffer overflow in substvars(), a buffer overflow in striparg(), an array overflow in pcmd(), and other questionable code elsewhere. Be sure either to audit carefully or otherwise to take steps to mitigate the effects of the vulnerabilities in OSH.

2.2 Step Two: Executables

Josh allows users to run some programs that otherwise they could not.
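The command-lookup rule from Step One (search the working directory only when $PATH contains "." or an empty component, or when the command is given with a slash) is the kind of change a careful audit of OSH leads to. The following C function is an added illustration of that rule; it is not OSH's code and not part of the assignment. The names resolve_command, exists_fn, real_exists and fake_exists are assumptions made for this example, and fake_fs is a constructed in-memory stand-in for the filesystem so the logic can be exercised without touching disk.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Predicate reporting whether an executable exists at `path`.
 * A real shell would pass real_exists(); the constructed fake_exists()
 * below lets the lookup logic be exercised offline. (Assumed names.) */
typedef int (*exists_fn)(const char *path);

static int real_exists(const char *path)
{
    return access(path, X_OK) == 0;
}

/* Constructed in-memory "filesystem" for demonstration only.
 * "./evil" stands for an executable that somebody dropped into the
 * working directory (the rogue "ls" in /tmp from the assignment text). */
static const char *fake_fs[] = { "/bin/ls", "/bin/cat", "./ls", "./evil", NULL };

static int fake_exists(const char *path)
{
    for (int i = 0; fake_fs[i] != NULL; i++)
        if (strcmp(fake_fs[i], path) == 0)
            return 1;
    return 0;
}

/* Resolve `cmd` to the pathname the shell would exec.
 * Rule from Step One: the working directory is consulted only when
 * cmd contains a '/' (e.g. ./program), or when $PATH contains "." or an
 * empty component; it is never searched implicitly before $PATH.
 * On success the path is written to `out` and 0 is returned; -1 means
 * nothing matched or the output buffer was too small. */
int resolve_command(const char *cmd, const char *path, exists_fn exists,
                    char *out, size_t outlen)
{
    if (cmd == NULL || cmd[0] == '\0' || out == NULL || outlen == 0)
        return -1;

    if (strchr(cmd, '/') != NULL) {
        /* Explicit path: honour it verbatim, never consult $PATH. */
        if (strlen(cmd) >= outlen || !exists(cmd))
            return -1;
        strcpy(out, cmd);
        return 0;
    }

    if (path == NULL)
        return -1;

    for (const char *p = path;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        int n;

        if (len == 0 || (len == 1 && p[0] == '.'))
            /* "." or empty component: the user opted in to cwd lookup. */
            n = snprintf(out, outlen, "./%s", cmd);
        else
            n = snprintf(out, outlen, "%.*s/%s", (int)len, p, cmd);

        /* snprintf truncation counts as "not found" rather than a partial path. */
        if (n > 0 && (size_t)n < outlen && exists(out))
            return 0;
        if (end == NULL)
            break;
        p = end + 1;
    }
    out[0] = '\0';
    return -1;
}

int main(void)
{
    const char *cases[][2] = {
        { "ls",     "/usr/bin:/bin" },  /* found in /bin; cwd never looked at  */
        { "evil",   "/usr/bin:/bin" },  /* rogue cwd binary is NOT found       */
        { "evil",   "/bin:" },          /* trailing empty component: cwd used  */
        { "./evil", "/usr/bin:/bin" },  /* explicit relative path: honoured    */
    };
    char buf[256];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc = resolve_command(cases[i][0], cases[i][1], fake_exists, buf, sizeof buf);
        printf("%-7s PATH=%-15s -> %s\n", cases[i][0], cases[i][1],
               rc == 0 ? buf : "(not found)");
    }
    (void)real_exists;  /* the predicate a real shell would pass instead of fake_exists */
    return 0;
}
```

Swapping fake_exists for real_exists (and passing getenv("PATH")) turns this into the lookup a shell would actually perform; the point of the pluggable predicate is that the dangerous case, a binary in the working directory that is not opted into via $PATH, can be tested deterministically with Expect-style or unit tests rather than by planting files in /tmp.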