Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 06 Sep 2001 13:11:41 +0200
From:      Piet Delport <siberiyan@mweb.co.za>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        Giorgos Keramidas <charon@labs.gr>, freebsd-chat@FreeBSD.ORG
Subject:   Re: Scripts and setuid
Message-ID:  <20010906131141.B4157@athalon>
In-Reply-To: <20010905161408.A80303@xor.obsecurity.org>
References:  <999708032.3b96558062cd2@webmail.neomedia.it> <20010905204055.A268@athalon> <20010905215258.A4304@hades.hell.gr> <20010906005600.A4157@athalon> <20010905161408.A80303@xor.obsecurity.org>

next in thread | previous in thread | raw e-mail | index | archive | help

--l76fUT7nc3MelDdI
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, 05 Sep 2001 at 16:14:08 -0700, Kris Kennaway wrote:
> On Thu, Sep 06, 2001 at 12:56:00AM +0200, Piet Delport wrote:
> > How insecure is it, for example, to have a small setuid script (with
> > basic checks in place like overriding PATH to something
> > conservative, etc.) that writable only by root, and owned by
> > root:bar, with the intent that users in group bar can execute it?
>=20
> I forget where I saw it, but there was a tutorial which went through
> about a dozen ways to gain privilege using a setuid shell script on
> OSes which allow it.  It's just too easy.

Did some web-digging (thanks Google!) and came up with the following:

http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html
http://www.softlab.ntua.gr/~taver/security/secur11.html

Ouch.

So besides numerous already-mentioned tricks for /bin/sh like making
symlinks named `-i' and fooling around with the environment, the entire
#!  script interpreter system is vulnerable to a race condition where
the script to be executed is swapped out from underneath the interpreter
and replaced with malicious code, after privileges have been raised.

Which blows out of the water the idea that even if /bin/sh was too
vulnerable, other interpreters might be safe.

Apparently the only exception to the above is perl (in the form of
suidperl or something), which is even used in the base system
(/usr/bin/keyinfo).

I've also found the sudo package though, which seems to do achieve
roughly what i'm trying here, without the risk of setuid scripts.  Neat.

So, next question, isn't it a good idea to mention this stuff in the
execve(2) (and/or chmod(1)) manpages, to prevent future confusion by
similar souls?  Is this where i learn groff and join freebsd-doc? :)

--=20
Piet Delport <siberiyan@mweb.co.za>
Today's subliminal thought is:

--l76fUT7nc3MelDdI
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7l1ntzRUP82sZFCcRAstRAJsEmEzbIQJNxcr+9t6MCCvgr0Oz7ACfdxGS
zzvr0pkG0gHXLS1/M4XhZ5g=
=+tx9
-----END PGP SIGNATURE-----

--l76fUT7nc3MelDdI--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010906131141.B4157>