From owner-freebsd-chat Thu Sep 6 4:11:46 2001
Date: Thu, 06 Sep 2001 13:11:41 +0200
From: Piet Delport
Subject: Re: Scripts and setuid
In-reply-to: <20010905161408.A80303@xor.obsecurity.org>
To: Kris Kennaway
Cc: Giorgos Keramidas, freebsd-chat@FreeBSD.ORG
Message-id: <20010906131141.B4157@athalon>
References: <999708032.3b96558062cd2@webmail.neomedia.it> <20010905204055.A268@athalon> <20010905215258.A4304@hades.hell.gr> <20010906005600.A4157@athalon> <20010905161408.A80303@xor.obsecurity.org>
User-Agent: Mutt/1.3.21i
X-Operating-System: FreeBSD 4.4-RC

On Wed, 05 Sep 2001 at 16:14:08 -0700, Kris Kennaway wrote:
> On Thu, Sep 06, 2001 at 12:56:00AM +0200, Piet Delport wrote:
> > How insecure is it, for example, to have a small setuid script (with
> > basic checks in place like overriding PATH to something conservative,
> > etc.) that is writable only by root, and owned by root:bar, with the
> > intent that users in group bar can execute it?
>
> I forget where I saw it, but there was a tutorial which went through
> about a dozen ways to gain privilege using a setuid shell script on
> OSes which allow it. It's just too easy.

Did some web-digging (thanks Google!) and came up with the following:

http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html
http://www.softlab.ntua.gr/~taver/security/secur11.html

Ouch. So besides numerous already-mentioned tricks for /bin/sh like making symlinks named `-i' and fooling around with the environment, the entire #! script interpreter system is vulnerable to a race condition where the script to be executed is swapped out from underneath the interpreter and replaced with malicious code, after privileges have been raised. Which blows out of the water the idea that even if /bin/sh was too vulnerable, other interpreters might be safe.

Apparently the only exception to the above is perl (in the form of suidperl or something), which is even used in the base system (/usr/bin/keyinfo).

I've also found the sudo package though, which seems to achieve roughly what I'm trying here, without the risk of setuid scripts. Neat.

So, next question, isn't it a good idea to mention this stuff in the execve(2) (and/or chmod(1)) manpages, to prevent future confusion by similar souls? Is this where I learn groff and join freebsd-doc? :)

--
Piet Delport
Today's subliminal thought is:
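The practical check that follows from the thread is to find set-uid or set-gid files that are `#!` scripts at all, since those are the ones exposed to the interpreter race described above. The scanner below is an added example, not code from the post or from FreeBSD; it walks a tree, reports set-id files whose first bytes are `#!`, and builds a constructed sample directory (`make_demo_dir`) so it runs stand-alone.

```python
import os
import stat
import tempfile

def is_setid_script(path):
    """(kind, interpreter) if `path` is a regular set-id "#!" script, else None."""
    st = os.lstat(path)                    # lstat: symlinks are skipped, not followed
    if not stat.S_ISREG(st.st_mode):
        return None
    bits = ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
    kind = "+".join(name for bit, name in bits if st.st_mode & bit)
    if not kind:
        return None
    with open(path, "rb") as fh:
        head = fh.read(256)
    if not head.startswith(b"#!"):
        return None                        # set-id binary, not the case at issue
    interp = head.split(b"\n", 1)[0][2:].strip().decode("ascii", "replace")
    return kind, interp

def find_setid_scripts(root):
    """Walk `root` without following symlinks; sorted (path, kind, interp) hits."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                found = is_setid_script(path)
            except OSError:                # unreadable or vanished meanwhile: skip
                continue
            if found:
                hits.append((path, found[0], found[1]))
    return sorted(hits)

def make_demo_dir():
    """Constructed sample tree: a set-uid sh script, a plain script, a set-uid non-script."""
    d = tempfile.mkdtemp(prefix="setid-demo-")
    files = {"wrapper.sh": (b"#!/bin/sh -\necho hello\n", 0o4755),
             "plain.sh": (b"#!/bin/sh\necho hello\n", 0o755),
             "tool": (b"\x7fELF not a real binary", 0o4755)}
    for name, (body, mode) in files.items():
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return d

if __name__ == "__main__":
    for path, kind, interp in find_setid_scripts(make_demo_dir()):
        print(f"{kind:<13} {path}  (#!{interp})")
```

Point `find_setid_scripts` at a real prefix such as /usr/local/bin to audit an installed system; any hit is a candidate for replacement by a compiled wrapper or a sudo rule.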