wolverine2k / crunchy

Automatically exported from code.google.com/p/crunchy

Security Problem: Privilege escalation #129

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Here's how to run arbitrary code as a different user on a multiuser machine:
1. Let's assume (not unreasonably) that Alice is running Crunchy on the computer.
2. Ivan comes along and logs into his account on the same computer.
3. Ivan opens up http://127.0.0.1:8001 in his browser.
4. Ivan executes some code.
5. The code is executed using Alice's user credentials.

Why is this a problem?

There are two reasons:
1. This kind of multiuser system is quite common - any thin client server
works this way. In particular, Edubuntu (which is probably *the* Linux
distro most relevant to Crunchy) supports this out of the box. I know of at
least two schools with this setup.

2. Ivan need not necessarily be another "human" user. Unix systems often
execute unprivileged daemon programs as the "nobody" user - it is assumed
that this user's privileges are so low that they cannot do any damage.
Crunchy breaks this assumption.

What can we do about it?

The only solution I can think of is to require each and every http access
to the crunchy server to be authenticated.

Original issue reported on code.google.com by johannes...@gmail.com on 9 Jun 2008 at 12:57

GoogleCodeExporter commented 8 years ago
I think we should document this in the FAQ, as well as putting a note on the
starting page for Crunchy. Something like:

This version of Crunchy is intended to be used by a single user.  If Crunchy is
running on a multi-user system, everyone can access it and have commands
executed from the account from which Crunchy was launched.

Original comment by andre.ro...@gmail.com on 9 Jun 2008 at 1:09

GoogleCodeExporter commented 8 years ago
This would be a slight help, but all modern systems are multi-user. It doesn't
matter whether the other users are "human" or not. All modern unixes run
unprivileged processes using various users, and it is assumed that they cannot
execute code as a user with higher privileges. This problem probably doesn't
affect Windows as much - as far as I know "consumer" Windows doesn't use
different users in this way.

If we tell people not to use Crunchy in a multi-user environment then we are
effectively blocking out all unix users. It doesn't matter if they are the only
user logged in to the user interface, we are still opening up a massive
security hole.

Original comment by johannes...@gmail.com on 9 Jun 2008 at 1:55

GoogleCodeExporter commented 8 years ago
I can confirm that the same problem is present when running Windows.  I had
Crunchy running under one user, switched user and was able to connect, etc....

Original comment by andre.ro...@gmail.com on 9 Jun 2008 at 8:08

GoogleCodeExporter commented 8 years ago
Tao has implemented a solution that is likely to be completely satisfactory.
Keeping the issue alive until other aspects are taken care of (e.g. password
manager, storing password in a separate file - and not in Crunchy's code,
etc.).  Also changing the label to release 1.0.

Original comment by andre.ro...@gmail.com on 12 Jun 2008 at 2:48
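
The fix proposed in the original report (authenticate every HTTP request), combined with the point above about keeping the password in a separate file, can be sketched as follows; this is an added example, not Crunchy's or Tao's actual code. The secret file name `~/.local_server_secret`, the helper names and the choice of HTTP Basic authentication are assumptions made for illustration.

```python
import base64, hmac, os, secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

def load_or_create_secret(path):
    """Return the launching user's secret, creating it with mode 0600 if absent."""
    try:
        # O_EXCL: never reuse a file (or symlink) another local user pre-created.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        st = os.stat(path)
        # POSIX check: refuse a secret owned by, or readable by, another account.
        if hasattr(os, "getuid") and (st.st_uid != os.getuid() or st.st_mode & 0o077):
            raise PermissionError(f"{path} is not private to this user")
        with open(path) as f:
            return f.read().strip()
    token = secrets.token_urlsafe(32)
    with os.fdopen(fd, "w") as f:
        f.write(token)
    return token

def is_authorized(auth_header, secret):
    """True only for 'Basic base64(user:secret)' carrying the right secret."""
    scheme, _, blob = (auth_header or "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        supplied = base64.b64decode(blob, validate=True).decode().partition(":")[2]
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return False
    return hmac.compare_digest(supplied.encode(), secret.encode())

def make_handler(secret):
    """Build a handler that rejects any request lacking the secret."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            # Checked on every request: binding to 127.0.0.1 alone lets any local user in.
            if not is_authorized(self.headers.get("Authorization"), secret):
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="local"')
                self.end_headers()
                return
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"authenticated\n")
        do_POST = do_GET  # the same gate applies to code-submission requests
    return Handler

if __name__ == "__main__":
    secret = load_or_create_secret(os.path.expanduser("~/.local_server_secret"))
    HTTPServer(("127.0.0.1", 8001), make_handler(secret)).serve_forever()
```
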

GoogleCodeExporter commented 8 years ago
All remaining issues listed in comment 4 have been taken care of.

Original comment by andre.ro...@gmail.com on 28 Sep 2008 at 4:59