From owner-freebsd-hackers Mon Feb 24 02:10:37 1997
Return-Path: 
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id CAA11934 for hackers-outgoing; Mon, 24 Feb 1997 02:10:37 -0800 (PST)
Received: from obiwan.aceonline.com.au (obiwan.aceonline.com.au [203.103.90.67]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id CAA11816; Mon, 24 Feb 1997 02:05:17 -0800 (PST)
Received: from localhost (adrian@localhost) by obiwan.aceonline.com.au (8.8.5/8.8.5) with SMTP id EAA27672; Mon, 8 Jan 1996 04:35:17 +0800 (WST)
Date: Mon, 8 Jan 1996 04:35:15 +0800 (WST)
From: Adrian Chadd
To: Jake Hamby
cc: hackers@freebsd.org, auditors@freebsd.org
Subject: Re: disallow setuid root shells?
In-Reply-To: <199702240549.VAA01306@lightside.com>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 23 Feb 1997, Jake Hamby wrote:

> In light of the recent security review, here's something that I've wondered
> about ever since I noticed it. Often, after hacking the root account, a
> malicious user will hide a setuid-root shell as a back door to allow future
> access. Under Solaris, I've discovered that none of the standard shells
> will allow a user to gain root privileges through a setuid root shell!
>
> The sh and ksh shells will run, but the user will have their normal
> privileges. Csh (and interestingly enough tcsh) print "Permission denied"
> and exit when run with the setuid bit set.

Since I'm reviewing /bin/sh and /bin/csh, it might make an interesting
addition. Anyone see any use for +s'ed shells? Anything it can do, sudo can
do (and sudo AFAIK is much smaller, so less code to screw around with), and
I think it's a good idea.

Suggestions?

> While we're on the topic, I've always wondered about Perl 5's configure
> messages about "secure setuid scripts". What exactly makes an OS capable of
> hosting "secure" Perl or shell scripts, and what does this have to do with
> the /dev/fd directory (that Perl searches for)?

Well, Linux and FreeBSD (from what I've seen) disable set-uid shell scripts
by default - too easy to break through playing with the environment, and
stuff like that.

From what I remember, perl has a C wrapper that it runs before running a
setuid shell script that fixes up the environment and other nice things,
then runs the script. By default, if you use the setuid copy of perl as a
script interpreter (#!/usr/bin/sperl) and it detects that the script IS
setuid root, it will run it. If not, it won't run the script as root.

I simply disable it on my systems.

> -- Jake

Adrian Chadd