2

When the passwd command is executed, it runs as the root user. Can't this be exploited? If not, why?

Scott Pack
  • 15,167
  • 5
  • 61
  • 91
ADJ
  • 133
  • 3

3 Answers

21

"Exploiting" an application means making it do, with the privileges under which it is running, some things that it was not meant to do. passwd runs as root because it needs to read and modify files (in particular /etc/shadow) that can be read and written only by root. The normal behavior of passwd is to alter the password of the user who runs it (passwd is SUID-root so it has the privileges of the root user, but it still remembers who executed it) and there is code in passwd which enforces that rule. To exploit it, one would need to find a way to bypass that code, i.e. a bug in passwd.

Being SUID-root does not automatically imply being exploitable. Rather, a non-SUID-root application does not have extra privileges so there is no point in exploiting it.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • And exactly since non-SUID applications *don't* run with privileges that the user invoking them already has, those often do not receive the same scrutiny. That does (sometimes) make them easier to exploit. The *hard* case to get right is complex software that needs to run as root. `passwd` is hardly complex in the grand scheme of things. – user Aug 02 '11 at 07:38
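The distinction the answer draws, between the root privilege a SUID-root binary runs with and the identity of whoever invoked it, is what getuid() versus geteuid() gives a program. The following is an added illustration, not passwd's own source: a minimal "change password" policy check that consults the real uid, against a constructed in-memory account table (stand-in for /etc/passwd, so nothing on the host is touched). The account names, uids and the function names are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed stand-in for the account database (/etc/passwd), so the
   example runs offline and never reads or writes the real files. */
struct account {
    const char *name;
    uid_t uid;
};

static const struct account accounts[] = {
    { "root",  0    },
    { "alice", 1000 },
    { "bob",   1001 },
};
static const size_t n_accounts = sizeof accounts / sizeof accounts[0];

/* Look up the uid for a user name; returns 0 on success, -1 if unknown. */
int lookup_uid(const char *name, uid_t *out)
{
    for (size_t i = 0; i < n_accounts; i++) {
        if (strcmp(accounts[i].name, name) == 0) {
            *out = accounts[i].uid;
            return 0;
        }
    }
    return -1;
}

/* The rule a SUID-root password tool has to enforce: the caller, identified
   by the REAL uid (who ran the program), may change only its own entry,
   unless the real uid is root. The EFFECTIVE uid (root, via the SUID bit)
   is what lets the program write /etc/shadow; it must never be the basis
   of this decision. Returns 1 if allowed, 0 if refused. */
int may_change_password(uid_t real_uid, const char *target)
{
    uid_t target_uid;
    if (lookup_uid(target, &target_uid) != 0)
        return 0;                      /* unknown account: refuse */
    if (real_uid == 0)
        return 1;                      /* root may change anyone's */
    return real_uid == target_uid;     /* everyone else: only their own */
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "alice";
    uid_t real = getuid();    /* who invoked us */
    uid_t eff  = geteuid();   /* what the SUID bit granted (0 if installed 4755 root) */

    printf("real uid %u, effective uid %u\n", (unsigned)real, (unsigned)eff);
    if (may_change_password(real, target)) {
        printf("allowed to change the password of %s\n", target);
        /* a real passwd would now update /etc/shadow using the effective
           privilege, then exit; that part is deliberately omitted here */
        return 0;
    }
    fprintf(stderr, "refused: uid %u may not change the password of %s\n",
            (unsigned)real, target);
    return 1;
}
```

Run as an ordinary user the program prints equal real and effective uids; only if it were installed setuid root would geteuid() report 0 while getuid() still names the caller, which is exactly the "it still remembers who executed it" point above.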
2

It can be if there is a buffer overflow in it, or the user has write access to the executable file, or any number of similar situations. However, security-related apps like that tend to get stricter checking than a lot of the rest of the system, and it's also a pretty simple application to check compared to most applications. Finally, it's a very old application that has been tried and tested for years and so has been updated and matured. I expect there may have been exploitable bugs in earlier versions.

ewanm89
  • 2,043
  • 12
  • 15
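The "write access to the executable file" case the answer mentions is something an administrator can audit: a setuid binary that its group or the world can overwrite lets any such writer substitute code that then runs with the owner's privileges. The check below is an added example, not a tool from any distribution; the risk-flag names and the classify_suid functions are assumptions for the example, and the classification is kept separate from stat() so it can be exercised on constructed modes.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Findings for one setuid executable, combinable as a bitmask. */
enum {
    RISK_SUID_SET       = 1 << 0,  /* the file is setuid at all */
    RISK_GROUP_WRITE    = 1 << 1,  /* group members can overwrite the binary */
    RISK_WORLD_WRITE    = 1 << 2,  /* anyone can overwrite the binary */
    RISK_NOT_ROOT_OWNED = 1 << 3,  /* setuid to some user other than root */
};

/* Pure classification of a mode/owner pair. Returns 0 for a file that is
   not setuid, otherwise RISK_SUID_SET plus any additional findings. */
int classify_suid(mode_t mode, uid_t owner)
{
    int risk = 0;
    if (!(mode & S_ISUID))
        return 0;                  /* not setuid: nothing to grade */
    risk |= RISK_SUID_SET;
    if (mode & S_IWGRP) risk |= RISK_GROUP_WRITE;
    if (mode & S_IWOTH) risk |= RISK_WORLD_WRITE;
    if (owner != 0)     risk |= RISK_NOT_ROOT_OWNED;
    return risk;
}

/* stat() a path and classify it; returns -1 if the path cannot be stat'ed. */
int classify_suid_path(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return classify_suid(st.st_mode, st.st_uid);
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int r = classify_suid_path(argv[i]);
        if (r < 0) { perror(argv[i]); continue; }
        if (!(r & RISK_SUID_SET)) { printf("%s: not setuid\n", argv[i]); continue; }
        printf("%s: setuid%s%s%s\n", argv[i],
               (r & RISK_GROUP_WRITE)    ? ", group-writable (BAD)" : "",
               (r & RISK_WORLD_WRITE)    ? ", world-writable (BAD)" : "",
               (r & RISK_NOT_ROOT_OWNED) ? ", owner is not root"    : "");
    }
    return 0;
}
```

Pointed at /usr/bin/passwd on a healthy system this should report only "setuid"; any "(BAD)" finding means the binary's integrity rests on file permissions that have already been lost, which is the situation the answer describes.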
1

As others have said: many people have looked at passwd, for many years, over many distributions. Here's an example of an advisory from the '90s. http://www.cert.org/advisories/CA-1993-08.html

I guess you could look at all the different updates and patches, and check against the version of passwd in use. Sysadmins have the ability to change what passwd will accept, and that can help attackers.

Also, passwd is interesting because it's (we hope) strong, and it writes to a (we hope) strong file, but it gets input from users.

Any dump of plain text passwords will show that many users chose hopeless passwords. So, passwd gets lots of attention from people who want it to be stronger, but not so much from people wishing to attack it, because there's already a weak link there.

DanBeale
  • 2,064
  • 3
  • 18
  • 27