RodKnowlton
MIS
- Apr 26, 2000
- 1,005
I wrote this up for work, and thought it might be helpful to post it here as well.
Problem
Entering "e" at the AIX command line can lead to destructive renaming of files and directories.
Root Cause
The bos.INed (INed Editor) package contains a file manager that is easily launched accidentally and can rename files without confirmation.
Description
The INTERACTIVE TEN/PLUS File Manager (IT/PFM), part of the INed Editor package, is launched by the command "e". Because of this overly simplistic name, it can easily be launched, either by an accidental return or space after an initial "e" on the command line or by an excess "e<return>" input to an exiting program, which is then buffered until the shell executes it.
Once launched, the IT/PFM presents a two-paned text window, with the narrower pane on the left containing a listing of the current directory (by default). The cursor is positioned at the beginning of the first filename in the listing. At this point, any typing followed by a carriage return will result in the immediate renaming of the file at the cursor and advancement of the cursor to the next filename in the list. IT/PFM does not ask for confirmation before renaming the file, nor does it provide any feedback that the renaming has occurred.
A user typing ahead in anticipation of the prompts of the program they intended to launch will, instead, rename a file for each input they had typed. Users suddenly finding themselves in the IT/PFM could also cause damage while trying to find a way to exit the program.
Risk
High, especially if working as root.
Solutions
- Remove the execute permission from the IT/PFM binary (chmod -x /usr/bin/e). This is recommended, as the execute permission can be restored any time the file manager is required.
- Remove the bos.INed package (this is probably not practical, as there is no way of knowing what applications may depend on its presence).
Mitigations
If it is determined that the IT/PFM binary must remain executable, the following precautions can help reduce the risk of accidental damage.
- Only work as root when absolutely necessary
- Never "type blind" when working as root. Wait to see all prompts before answering them.
- Install sudo, and restrict root execution privileges to the minimum necessary for job function. (Highly Recommended, regardless of this issue)
-
Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+
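The recommended fix above, written as a repeatable check. This is an added example, not part of the original post. The path /usr/bin/e and the fileset name bos.INed come from the post; the function names and the --apply switch are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post). /usr/bin/e and bos.INed are
# taken from the post; function names and --apply are hypothetical.

E_BIN="${E_BIN:-/usr/bin/e}"

# Permission string as shown by ls (e.g. -r-xr-xr-x), following symlinks.
perm_string() {
    ls -ldL "$1" 2>/dev/null | awk '{print $1}'
}

# Succeeds if any execute bit (user, group or other) is set on the file.
has_exec_bit() {
    case "$(perm_string "$1")" in
        ???[xs]*|??????[xs]*|?????????[xt]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Remove execute permission. Returns 0 if the file ends up non-executable,
# 2 if the file does not exist, 1 if the change did not take effect.
disable_launcher() {
    target="$1"
    if [ ! -e "$target" ]; then
        echo "$target: not present, nothing to do"
        return 2
    fi
    if has_exec_bit "$target"; then
        before=$(perm_string "$target")
        # a-x names user, group and other explicitly, independent of umask.
        chmod a-x "$target" || return 1
        echo "$target: was $before, now $(perm_string "$target")"
    else
        echo "$target: already non-executable ($(perm_string "$target"))"
    fi
    if has_exec_bit "$target"; then return 1; fi
    return 0
}

# Only act when asked to; run as root on the AIX host.
if [ "${1:-}" = "--apply" ]; then
    # lslpp is the AIX fileset lister; skipped where it is not available.
    if command -v lslpp >/dev/null 2>&1; then lslpp -L bos.INed; fi
    disable_launcher "$E_BIN"
fi
```

The logged "was" value records the previous mode, so the execute bits can be put back when the file manager is needed. Rerun the check after applying AIX updates, since a fileset update may reinstall the file with its original mode.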