From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
Date: Sat, 29 Aug 2009 19:21:57 +0100
To: RW
Cc: freebsd-questions@freebsd.org
Subject: Re: SUID permission on Bash script
Message-ID: <4A9971C5.1080308@infracaninophile.co.uk>
In-Reply-To: <20090829134436.4461d8c9@gumby.homeunix.com>

RW wrote:
> On Sat, 29 Aug 2009 00:06:29 -0700
> perryh@pluto.rain.com wrote:
>
>> Michael David Crawford wrote:
>>> It's not that setuid shell scripts are really more
>>> inherently insecure than programs written in C.
>> Actually, absent some careful cooperation between the kernel
>> and the interpreter to prevent a race condition that can cause
>> the interpreter to run (with elevated permissions) a completely
>> different script than the one that was marked setuid, setuid
>> scripts _are_ insecure in a way that _cannot_ be fixed by any
>> degree of care that might be taken in the writing of the script.
>>
>> Check the hackers@ archives. It was discussed a little over a
>> month ago.
>
> But isn't that the same issue that Matthew Seaman was saying was
> fixed years ago (in the link I gave before), and is described in the
> follow-up:
>
> http://www.mail-archive.com/freebsd-questions@freebsd.org/msg185145.html
>
> That's entirely in the kernel, it doesn't require interpreter support.

The race condition between the kernel opening the script and the interpreter
doing so should certainly be fixed in any Unix or Linux distribution available
today. Either, as above, by the kernel passing an open file descriptor to the
invoked script, or simply by ignoring any setuid or setgid bits on interpreted
scripts.

There are other attacks against SUID scripts -- see for instance:

http://www.tech-faq.com/suid-root-script-binary.shtml
http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html

most of which work by exploiting the sort of features of the scripting
language that make it into a powerful and useful tool. Almost all of these
sorts of exploits can be avoided by careful programming -- for instance,
always explicitly setting $IFS and $PATH to known good values, or using the
one set of command line flags allowed on the #! line to block the '-i' trick
(i.e. use '#!/bin/sh --' which forces any subsequent items on the command
line to be treated as files rather than command options).
However, you (the programmer) would have to know all about the various tricks for
exploiting suid-ness in order to counter them.

The preferred way of running a script SUID is to write a very small C
wrapper program that can be made SUID and that executes the script after
gaining increased privileges. Done well, this is definitely the best and most
secure approach. Note however that the C wrapper must be similarly as
carefully written as a suid script or many of the same exploits could still
be possible.

So, unless you are an expert programmer and understand how to defend your code
against attack, your best bet really is to just use sudo(8).

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
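A wrapper of the kind the message recommends, as an added example that is not part of the original thread or of any FreeBSD code: it hard-codes the script's absolute path, replaces the whole environment (so $PATH and $IFS are fixed and ENV/BASH_ENV/LD_* never reach the script), rejects option-looking arguments, repairs the standard descriptors, and makes the real uid/gid match the effective ones before exec, since sh and bash drop privileges when they notice the two differ. The path /usr/local/libexec/rotate-logs.sh, the argument limit and the 4750 mode are assumptions chosen for illustration. The descriptor handling goes slightly beyond what the message spells out; it is a standard precaution for any setuid program because an inherited closed fd 0/1/2 would otherwise be reused by the first file the script opens.

```c
/* suidwrap.c: setuid C wrapper that execs one fixed script.
 * Example code written for this page; TARGET and MAX_ARGS are placeholders.
 *
 *   cc -Wall -O2 -o suidwrap suidwrap.c
 *   chown root:wheel suidwrap && chmod 4750 suidwrap
 *
 * The script itself stays mode 0500 root, not setuid, and starts with
 * "#!/bin/sh --" and its own PATH/IFS assignments as belt and braces.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define TARGET   "/usr/local/libexec/rotate-logs.sh"  /* hypothetical path */
#define MAX_ARGS 8                                    /* arbitrary limit   */

/* The only environment the script ever sees: nothing is inherited from
 * the caller, so PATH, IFS, ENV, BASH_ENV, LD_LIBRARY_PATH etc. are ours. */
static char *const safe_env[] = {
    "PATH=/sbin:/bin:/usr/sbin:/usr/bin",
    "IFS= \t\n",
    "HOME=/",
    NULL
};

/* An argument is acceptable if it is non-empty, does not start with '-'
 * (so nothing can ever be misread as an option) and has no control chars. */
int arg_is_safe(const char *a)
{
    if (a == NULL || a[0] == '\0' || a[0] == '-')
        return 0;
    for (const unsigned char *p = (const unsigned char *)a; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

/* Build the script's argv: argv[0] is the fixed absolute path, then the
 * caller's arguments, then NULL.  Returns the entry count without the NULL,
 * or -1 if an argument is rejected, there are too many, or out is too small. */
int build_argv(int argc, char *const argv[], char *out[], int outsz)
{
    int n = 0;
    if (argc - 1 > MAX_ARGS || outsz < argc + 1)
        return -1;
    out[n++] = TARGET;
    for (int i = 1; i < argc; i++) {
        if (!arg_is_safe(argv[i]))
            return -1;
        out[n++] = argv[i];
    }
    out[n] = NULL;
    return n;
}

/* Reopen any closed fd 0/1/2 on /dev/null so the script's first open()
 * cannot silently become its stdin/stdout/stderr.  0 on success, -1 on error. */
int ensure_std_fds(void)
{
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) == -1 && errno == EBADF) {
            /* open() returns the lowest free descriptor, i.e. exactly fd */
            int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
            if (nfd != fd)
                return -1;
        }
    }
    return 0;
}

/* Drop every descriptor above 2 so the script inherits none of the
 * caller's open files.  (closefrom(2) on FreeBSD does this natively.) */
static void close_high_fds(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0)
        max = 1024;
    for (long fd = 3; fd < max; fd++)
        close((int)fd);
}

int main(int argc, char *argv[])
{
    char *nargv[MAX_ARGS + 2];

    if (build_argv(argc, argv, nargv, MAX_ARGS + 2) < 0) {
        fprintf(stderr, "usage: %s [arg ...]  (at most %d plain arguments)\n",
                argv[0], MAX_ARGS);
        return 2;
    }
    if (ensure_std_fds() == -1)
        return 1;
    close_high_fds();

    /* Make ruid == euid and rgid == egid; otherwise the shell resets its
     * effective ids to the real ones at startup and the script runs unprivileged. */
    if (setgid(getegid()) == -1 || setuid(geteuid()) == -1) {
        perror("setuid");
        return 1;
    }
    /* Fixed absolute path, fixed environment: no PATH search, no symlink
     * called "-i", no caller-supplied shell functions or aliases. */
    execve(TARGET, nargv, safe_env);
    perror(TARGET);
    return 127;
}
```

The wrapper does no privilege policy of its own; the 4750 mode plus group ownership decides who may run it, which is exactly the sort of decision sudo(8) already makes for you with a proper audit trail.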