Stanford CS 155 - Homework

CS155: Computer Security, Spring 2003
Project #2
Due: Thursday, May 15th, 2003.

Summary

In this project, you will write Josh, the journaling operator shell. Josh is a setuid-root shell that allows users to undertake a subset of root’s capabilities. Your starting point is OSH, a minimal shell developed by Gunnar Ritter.

You may work alone, or in pairs. You should not collaborate with others outside your group.

You will use the Boxes system again. Remember to test your Josh in a closed box.

This assignment specification is quite long, but much of it is intended to clarify points of confusion raised by previous years’ students. Please be sure to read it carefully before beginning to code.

The Problem

As discussed in class, the classical Unix permissions model does not manage privilege delegation effectively. To perform routine administrative tasks (such as cleaning out the /tmp directory), one must possess the root password, and can therefore perform other, undesirable actions (such as reading users’ mail).

This limitation manifests itself most acutely in large Unix installations, where there are typically many administrators tasked with various duties.

Various systems have been devised to overcome this limitation, and allow unprivileged users to undertake some subset of root’s capabilities. A commonly-used example is Sudo (http://www.sudo.ws/).

We will take an approach more like that taken by OSH, the Operator Shell (http://www.engarde.com/~mcn/osh.html, mirrored on the class Website at http://cs155/osh.html). You might want to read the SANS III conference paper linked from the OSH home page, and mirrored on the class Website at http://cs155/osh.sansIII.ps.

Our Solution

We will develop a new shell, called Josh — the Journaling operator shell — which will enable privilege delegation in the Unix environment.

In Unix, the command interpreter is not part of the kernel, and is in fact modular and interchangeable. The command interpreter program is called a shell; it reads user requests, parses them, and makes the system calls required to fulfill the requests on the user’s behalf. Seventh Edition Unix (Jan 1979) shipped with the Bourne Shell, /bin/sh; 2BSD (May 1979) shipped with Bill Joy’s C Shell (/bin/csh). The Korn Shell (/bin/ksh) was first released in 1983 and was for some time an at-cost add-on for Unix System V.

Today, people typically use either bash, a Bourne-shell reimplementation, or tcsh, a C Shell enhancement.

None of these shells is designed to be run setuid-root.

Starter Code

Writing a shell is an excellent example of a Simple Matter of Programming (http://tuxedo.org/jargon/html/entry/SMOP.html). Besides the fork-exec-open-pipe infrastructure required for implementing shell pipelines, there’s a considerable amount of parsing and bookkeeping that must be taken care of.

To keep you from having to start your project by implementing a shell — an excellent CS193u project, by the way — we provide you with OSH, the Old Shell (no relation to the Operator Shell). OSH is a feature-for-feature-compatible reimplementation of the Sixth Edition shell (May 1976) by Gunnar Ritter (http://omnibus.ruf.uni-freiburg.de/~gritter).

While OSH lacks some features we expect in modern shells (notably backticks and control structures), it packs quite a few features into 837 lines of C. (Bash is about 100,000 lines.)

Recommended Reading

For some practical ideas about security dos and don’ts, read David Wheeler’s “Secure Programming for Unix and Linux HOWTO” (http://www.dwheeler.com/secure-programs/), which is linked from the course Website.

For Unix programming in general, there is no better source than W. Richard Stevens’ Advanced Programming in the UNIX Environment (Addison-Wesley, 1992, ISBN 0-201-56317-7). Go buy it now.

You might also want to refer to the source of various software components with which Josh will interact, such as the Linux kernel (http://www.kernel.org/) or the GNU C Library (http://www.gnu.org/software/libc/).

Using Boxes

We retain the Boxes distribution from pp1, as installed on the Linux machines in Sweet Hall. Since you will be doing Unix systems programming this time, we make available the manpages-dev package, omitted in the Boxes distribution, which contains man pages for Linux syscalls and C library routines. You can obtain this package from the CS 155 Website at

http://cs155/manpages-dev_1.48-2_all.deb

and install it in Boxes by saying, as root,

box:~# dpkg -i /path/to/manpages-dev_1.48-2_all.deb

(where you don’t type the root prompt “box:~#” and where the actual path to the package replaces “/path/to”).

Note that the filesystem image contains the Expect utility (http://expect.nist.gov/), to allow you to test your shell out non-interactively, if you wish.

The wrapper interface to Boxes remains the same. You should check out the FAQ in the Boxes distribution, and the additional information posted to the newsgroup, for basic information on getting Boxes up and running.

Step One: Secure the Perimeter

Now we describe the tasks you must undertake in creating Josh. Of course, you need not stick to the order in which we present them.

Though OSH, your starter shell, is good code, it was not written to be run setuid root. You should start by familiarizing yourself with the structure of the shell, auditing it with security in mind, and thinking about how best to extend it.

One thing to note: OSH currently searches the working directory for a program before searching the path for the program. This is dangerous (e.g., in the case when /tmp contains a malicious executable named “ls”). You should modify OSH so it executes programs in the working directory only if $PATH includes “.” or an empty component, or if a program is invoked as, e.g., “./program”.

Another thing to note: Previous years’ students have identified a buffer overflow in substvars(), a buffer overflow in striparg(), an array overflow in pcmd(), and other questionable code elsewhere. Be sure either to audit carefully or otherwise to take steps to mitigate the effects of vulnerabilities in OSH.

Step Two: Executables

Josh allows users to run some programs that otherwise they could not. The file that controls this behavior is /etc/josh_exec. This file (which should be installed root:root, mode 600) has entries, one per line, in the following format:

userid:progpath

(Without the initial indentation.) Here, “userid” is a user’s login name; progpath is some absolute path to a program. This path must be absolute in that it must begin with
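The following is an added example, not code from the CS155 handout or from OSH, showing one way to implement the two rules stated above: the Step One lookup rule (a bare command name is taken from the working directory only when $PATH lists “.” or an empty component, or when the command is written with a slash such as “./program”) and the Step Two /etc/josh_exec format (one userid:progpath entry per line, progpath absolute). The function names, the josh_entry struct, the mock filesystem predicate and the sample config text are all assumptions made for this example; the real lookup would pass josh_is_executable as the predicate.

```c
/* Added example, not from the CS155 handout or from OSH: the Step One lookup
 * rule (a bare command name is found in the working directory only if PATH
 * lists it) and the Step Two /etc/josh_exec format (userid:progpath, absolute
 * path only). Names, the mock filesystem and the sample config are assumptions. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define JOSH_USER_MAX 64
#define JOSH_PATH_MAX 1024
/* Existence predicate used while walking PATH, so the lookup can run offline. */
typedef int (*josh_exists_fn)(const char *candidate);
int josh_is_executable(const char *c) { return access(c, X_OK) == 0; }
/* Constructed mock filesystem: exactly two executables "exist". */
int josh_fake_exists(const char *c) {
    return strcmp(c, "./ls") == 0 || strcmp(c, "/usr/bin/ls") == 0;
}

/* Step One. A name containing '/' ("./prog", "/bin/ls") is used as written.
 * A bare name is tried in each PATH component in order; the working directory
 * is a candidate only where PATH lists "." or an empty component (leading,
 * trailing or doubled ':'). Returns 0 and fills `out` if found, else -1. */
int josh_resolve(const char *cmd, const char *path, josh_exists_fn exists,
                 char *out, size_t outsz) {
    if (strchr(cmd, '/') != NULL) {
        snprintf(out, outsz, "%s", cmd);
        return exists(out) ? 0 : -1;
    }
    const char *p = path ? path : "";
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || (len == 1 && p[0] == '.'))
            snprintf(out, outsz, "./%s", cmd);      /* cwd, because PATH asked */
        else
            snprintf(out, outsz, "%.*s/%s", (int)len, p, cmd);
        if (exists(out)) return 0;
        if (colon == NULL) break;
        p = colon + 1;
    }
    out[0] = '\0';
    return -1;
}

/* Step Two. One /etc/josh_exec entry: login name and absolute program path. */
struct josh_entry { char user[JOSH_USER_MAX]; char prog[JOSH_PATH_MAX]; };

/* Parse one "userid:progpath" line, bounded to that line. Rejects a missing
 * or empty field and any progpath that does not begin with '/'. */
int josh_parse_entry(const char *line, struct josh_entry *e) {
    size_t llen = strcspn(line, "\r\n");
    const char *colon = memchr(line, ':', llen);
    if (colon == NULL || colon == line) return -1;
    size_t ulen = (size_t)(colon - line), plen = llen - ulen - 1;
    if (ulen >= sizeof e->user || plen == 0 || plen >= sizeof e->prog) return -1;
    if (colon[1] != '/') return -1;                 /* must be absolute */
    memcpy(e->user, line, ulen); e->user[ulen] = '\0';
    memcpy(e->prog, colon + 1, plen); e->prog[plen] = '\0';
    return 0;
}

/* Load the file text. Fails closed: one malformed line rejects the whole
 * configuration (-1) rather than silently granting the remaining entries. */
int josh_load_config(const char *text, struct josh_entry *out, int max) {
    int n = 0;
    while (*text != '\0') {
        size_t len = strcspn(text, "\n");
        if (len > 0) {                              /* blank lines are skipped */
            if (n >= max || josh_parse_entry(text, &out[n]) != 0) return -1;
            n++;
        }
        text += len + (text[len] == '\n' ? 1 : 0);
    }
    return n;
}

/* Exact match on both login name and resolved program path. */
int josh_may_exec(const char *user, const char *prog,
                  const struct josh_entry *tab, int n) {
    for (int i = 0; i < n; i++)
        if (strcmp(tab[i].user, user) == 0 && strcmp(tab[i].prog, prog) == 0)
            return 1;
    return 0;
}

/* Constructed sample config text (not a real /etc/josh_exec). */
static const char SAMPLE_JOSH_EXEC[] = "alice:/usr/bin/find\nbob:/sbin/reboot\n";

int main(void) {
    struct josh_entry tab[8];
    char out[JOSH_PATH_MAX];
    int n = josh_load_config(SAMPLE_JOSH_EXEC, tab, 8);
    /* ./ls "exists" in the mock, but PATH does not list the cwd, so rc is -1 */
    int rc = josh_resolve("ls", "/usr/local/bin", josh_fake_exists, out, sizeof out);
    printf("entries=%d rc=%d alice may run /usr/bin/find: %d\n",
           n, rc, josh_may_exec("alice", "/usr/bin/find", tab, n));
    return 0;
}
```

The cwd candidate is emitted as “./cmd” rather than a bare name so the later execv() never re-searches anything; the /tmp scenario in the text is then covered because a bare “ls” with a PATH that omits “.” never reaches the working directory. In the real shell, josh_load_config would read the text from /etc/josh_exec, and a stat() check that the file is root:root with mode 600 belongs before trusting its contents; the parser above deliberately fails closed on any malformed line instead of keeping the good ones.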

