Date: Thu, 06 Sep 2001 13:11:41 +0200 From: Piet Delport <siberiyan@mweb.co.za> To: Kris Kennaway <kris@obsecurity.org> Cc: Giorgos Keramidas <charon@labs.gr>, freebsd-chat@FreeBSD.ORG Subject: Re: Scripts and setuid Message-ID: <20010906131141.B4157@athalon> In-Reply-To: <20010905161408.A80303@xor.obsecurity.org> References: <999708032.3b96558062cd2@webmail.neomedia.it> <20010905204055.A268@athalon> <20010905215258.A4304@hades.hell.gr> <20010906005600.A4157@athalon> <20010905161408.A80303@xor.obsecurity.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--l76fUT7nc3MelDdI Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, 05 Sep 2001 at 16:14:08 -0700, Kris Kennaway wrote: > On Thu, Sep 06, 2001 at 12:56:00AM +0200, Piet Delport wrote: > > How insecure is it, for example, to have a small setuid script (with > > basic checks in place like overriding PATH to something > > conservative, etc.) that writable only by root, and owned by > > root:bar, with the intent that users in group bar can execute it? >=20 > I forget where I saw it, but there was a tutorial which went through > about a dozen ways to gain privilege using a setuid shell script on > OSes which allow it. It's just too easy. Did some web-digging (thanks Google!) and came up with the following: http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html http://www.softlab.ntua.gr/~taver/security/secur11.html Ouch. So besides numerous already-mentioned tricks for /bin/sh like making symlinks named `-i' and fooling around with the environment, the entire #! script interpreter system is vulnerable to a race condition where the script to be executed is swapped out from underneath the interpreter and replaced with malicious code, after privileges have been raised. Which blows out of the water the idea that even if /bin/sh was too vulnerable, other interpreters might be safe. Apparently the only exception to the above is perl (in the form of suidperl or something), which is even used in the base system (/usr/bin/keyinfo). I've also found the sudo package though, which seems to do achieve roughly what i'm trying here, without the risk of setuid scripts. Neat. So, next question, isn't it a good idea to mention this stuff in the execve(2) (and/or chmod(1)) manpages, to prevent future confusion by similar souls? Is this where i learn groff and join freebsd-doc? :) --=20 Piet Delport <siberiyan@mweb.co.za> Today's subliminal thought is: --l76fUT7nc3MelDdI Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7l1ntzRUP82sZFCcRAstRAJsEmEzbIQJNxcr+9t6MCCvgr0Oz7ACfdxGS zzvr0pkG0gHXLS1/M4XhZ5g= =+tx9 -----END PGP SIGNATURE----- --l76fUT7nc3MelDdI-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-chat" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010906131141.B4157>