Poor BSDI squid permissions
Description: On BSDI, squid configuration files are owned by "www", which is the same UID that user CGI runs as. Thus a user could change start-squid to start a root shell, for example.
Author: "Jonathan A. Zdziarski" <jonz@NETRAIL.NET>
Compromise: user WWW privs -> root
Vulnerable Systems: BSDI 3.1, perhaps other squid installs
Date: 7 May 1998
Date: Thu, 7 May 1998 15:49:07 -0400
From: "Jonathan A. Zdziarski" <jonz@NETRAIL.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: BSDI 3.1/Squid Default Owner
I noticed that by default, SQUID is installed on BSDi 3.1 with the
following permissions:
ls > ls -la
total 234
drwxrwxr-x 2 www www 512 Feb 7 1997 .
drwxrwxr-x 3 www www 512 Feb 7 1997 ..
-rwxr-xr-x 1 www www 3635 Jan 20 1997 access-extract-urls.pl
-rwxr-xr-x 1 www www 4269 Jan 20 1997 access-extract.pl
-rwxr-xr-x 1 www www 9168 Jan 20 1997 access-summary.pl
-rwxr-xr-x 1 www www 4153 Jan 20 1997 cache-summary.pl
-rwxr-xr-x 1 www www 20480 Jan 20 1997 cachemgr.cgi
-rwxr-xr-x 1 www www 4280 Jan 20 1997 client
-rwxr-xr-x 1 www www 4448 Jan 20 1997 dnsserver
-rwxr-xr-x 1 www www 36864 Jan 20 1997 ftpget
-rwxr-xr-x 1 www www 2388 Jan 20 1997 pinger
-rwxr-xr-x 1 www www 10235 Jan 20 1997 squid-logs.pl
-rwxr-xr-x 1 www www 980 Jan 20 1997 squid.daily
-rwxr-xr-x 1 www www 980 Jan 20 1997 squid.daily.sample
-rwxr-xr-x 1 www www 1813 Jan 20 1997 squid.weekly
-rwxr-xr-x 1 www www 1813 Jan 20 1997 squid.weekly.sample
-rwxr-xr-x 1 www www 1724 Jan 20 1997 start-squid
-rwxr-xr-x 1 www www 1724 Jan 20 1997 start-squid.sample
-rwxr-xr-x 1 www www 3068 Jan 20 1997 upgrade-1.0-store.pl
Now I've seen what can happen when you have an httpd.conf owned by the same
user CGI runs as (all users' CGI has the ability to modify the file)... the
same thing should be possible here. One could easily modify the
start-squid file, or a configuration file, to set up a root shell or
anything else they care to do; since start-squid is initially run as root,
their modifications will be run as root as well.
It might be a good idea to modify BSDi to install them owned by root, just
as it does with apache.
Thank you,
Jonathan A. Zdziarski
Systems Administrator
Netrail Incorporated
jonz@netrail.net
(888) NET-RAIL
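A defender's check for the condition described in the message above, as an added example that is not part of the original post or of BSDI or squid: it lists every file and directory in a tree that root executes from which is not owned by a trusted account or is group- or world-writable. The function names and the default trusted owner `root` are assumptions, and ancestor directories above the given path are not checked.

```sh
#!/bin/sh
# Added example, not from the original post. Audits a directory whose
# contents root executes (e.g. the squid script directory listed above).
# Assumed names: list_findings, audit_root_run_tree; trusted owner defaults to root.

# Prefix each path read from stdin with a reason tag and a tab.
tag() {
    while IFS= read -r path; do
        printf '%s\t%s\n' "$1" "$path"
    done
}

# Emit "REASON<TAB>PATH" for every regular file or directory under DIR
# (DIR itself included) that an account other than OWNER could modify.
list_findings() {
    dir=$1
    owner=${2:-root}
    find "$dir" \( -type f -o -type d \) ! -user "$owner" -print | tag owner-not-trusted
    find "$dir" \( -type f -o -type d \) -perm -020 -print | tag group-writable
    find "$dir" \( -type f -o -type d \) -perm -002 -print | tag world-writable
}

# Return 0 if the tree is safe for root to execute from, 1 otherwise.
audit_root_run_tree() {
    findings=$(list_findings "$1" "${2:-root}")
    if [ -n "$findings" ]; then
        printf 'UNSAFE: modifiable by a non-trusted account\n%s\n' "$findings" >&2
        return 1
    fi
    printf 'OK: %s\n' "$1"
}

# Usage: sh audit.sh /path/to/squid/bin [trusted-owner]
if [ "$#" -gt 0 ]; then
    audit_root_run_tree "$@"
fi
```

A directory with the `drwxrwxr-x www www` mode shown in the listing is reported both for its owner and for being group-writable, since whoever can write to the directory can replace `start-squid` even if the file itself is locked down.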
This page is part of Fyodor's exploit
world.