Date:      Mon, 4 Aug 1997 15:07:36 -0600 (MDT)
From:      Marc Slemko <marcs@znep.com>
To:        Atipa <freebsd@atipa.com>
Cc:        "Jonathan A. Zdziarski" <jonz@netrail.net>, ports@FreeBSD.ORG, security@FreeBSD.ORG
Subject:   Re: SetUID
Message-ID:  <Pine.BSF.3.95.970804150403.27439W-100000@alive.znep.com>
In-Reply-To: <Pine.BSF.3.91.970804145336.11294A-100000@dot.ishiboo.com>

On Mon, 4 Aug 1997, Atipa wrote:

> 
> 
> On Mon, 4 Aug 1997, Marc Slemko wrote:
> 
> > You could.  If you did, however, you would be silly.  
> > 
> > The wrapper you give allows anyone who can run it to do anything they want
> > as the uid it is setuid to.
> 
> If you allow the shell script to be modified, yes. Otherwise, I can not 
> see how they could use the wrapper to execute anything but the script 
> hard coded therein. Am I being naive?
> 
> Set the permissions to 750, chown root.<special group>
> And make sure the shell script is non world or group writable.
> 
> What's the vulnerability?

You are being very naive.  You can do an awful lot with environment
variables.  What would happen if you set ENV before running your wrapper? 
/bin/sh would see it and execute whatever is in the file it points to.
What if you set one of a couple of LD_* environment variables?  The loader
would see them and use whatever they point to. 

Net result: people who can run it can do whatever they want as the user it
is setuid to.

Not passing in the external environment is a good first step to making it
secure.

> 
> Kevin
> 
> > > > -- cut here (wrapper.c) --
> > > 
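> > > #include <stdlib.h>
> > > #include <unistd.h>
> > > int main(void)
> > > {
> > >         /* execl() hands the caller's whole environment to the script */
> > >         execl("/etc/rc.WHATEVER","WHATEVER",(char *)NULL);
> > >         return 1;
> > > }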
> > > 
> > > -- end--
> 
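
Added example, not part of the original message or of anyone's code in this thread: a version of the quoted wrapper that takes the "first step" described above by replacing `execl()` with `execve()` and a fixed environment, so `ENV` and the `LD_*` variables set by the caller never reach `/bin/sh` or the loader. The `PATH` value and the helper name `run_with_clean_env` are assumptions; `/etc/rc.WHATEVER` is the placeholder path from the thread.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Placeholder path from the thread; the real script name is not given there. */
#define TARGET "/etc/rc.WHATEVER"

/* The only environment the target ever sees. The PATH value is an assumption. */
static char *const clean_env[] = {
    "PATH=/sbin:/bin:/usr/sbin:/usr/bin",
    NULL
};

/*
 * Run `path` with `argv` and clean_env, ignoring the inherited environ.
 * Returns the child's exit status, 127 if the exec failed, or -1 if
 * fork/wait failed or the child was killed by a signal.
 */
int run_with_clean_env(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execve() takes the environment explicitly; execl() would copy
         * the caller's ENV, LD_* and everything else into the new image. */
        execve(path, argv, clean_env);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char *const argv[] = { "WHATEVER", NULL };
    int rc = run_with_clean_env(TARGET, argv);

    if (rc != 0)
        fprintf(stderr, "wrapper: %s exited with %d\n", TARGET, rc);
    return rc < 0 ? 1 : rc;
}
```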