Date: Sun, 10 Feb 2008 19:16:15 +0200
From: Jonathan McKeown <jonathan+freebsd-questions@hst.org.za>
To: freebsd-questions@freebsd.org
Subject: Re: /usr/local/etc/rc.d/ scripts and non-root user
Message-ID: <200802101916.15428.jonathan%2Bfreebsd-questions@hst.org.za>
In-Reply-To: <47AEC051.5050808@infracaninophile.co.uk>
References: <20080210.033421.6825.0@webmail09.dca.untd.com> <47AEC051.5050808@infracaninophile.co.uk>
On Sunday 10 February 2008 11:13, Matthew Seaman wrote:
> gs_stoller@juno.com wrote:
> > On Wed, 06 Feb 2008, Alex Zbyslaw wrote
> > SNIP
> >
> >> Setuid/gid bits on shell scripts aren't considered safe, however, and may
> >> even be disabled.
> >
> > THERE IS NO REASON FOR THIS, JUST USE THE FILE-SYSTEM TO PROTECT THE
> > FILES (MAKE THEM NOT WRITEABLE). Scripts are no more susceptible to
> > sabotage and misuse than binary files, it is just that scripts can be
> > more easily decoded and understood than binary files, and so
> > management (that usually doesn't know much about a computer system)
> > becomes frightened and issues orders to relieve their stress.
>
> There's no particular reason that setuid bits on scripts are dangerous
> nowadays. However in the dim and distant past (before the millennium)
> there used to be a race condition on opening files that meant it was
> trivial to use a setuid script to get a shell running under the target
> UID. The horror of this situation seems to have branded itself so deeply
> on the Unix psyche that even now, when that race condition has been
> eliminated for many years, there is still a lingering reflex response:
> "setuid scripts bad."

Specifically, the system would open the script to read the #! line and
find out what interpreter to run, close the script and tell the specified
interpreter to re-open it. If an attacker could change the file between
the close and the re-open, you would end up running the attacker's script.

I believe the fix was to hand the required interpreter an open file
descriptor rather than a filename.

Jonathan
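The two behaviours Jonathan describes (re-open by name versus hand over the already-open descriptor) can be modelled in user space without touching the kernel. The following is an added illustration, not code from this thread or from FreeBSD: it is a Python simulation in a temporary directory, where `exec_by_path` stands in for the old kernel path (open, read `#!`, close, interpreter re-opens the name) and `exec_by_fd` for the fix (keep the descriptor open and let the interpreter read from it; real kernels expose it as `/dev/fd/N`, which this simulation does not rely on). The "change the file" step in the window is modelled by renaming a second, constructed file over the script's path, which is what makes the name and the inspected inode diverge.

```python
import os
import tempfile

# Constructed example: a script whose first line names its interpreter.
ORIGINAL = b"#!/bin/sh\necho inspected\n"
# Constructed stand-in for a different file that ends up under the same
# name between the two opens (the window the message describes).
REPLACEMENT = b"#!/bin/sh\necho replaced\n"


def read_shebang(fd):
    """Read the '#!' line from an already-open descriptor; return the interpreter path."""
    os.lseek(fd, 0, os.SEEK_SET)
    first_line = os.read(fd, 256).split(b"\n", 1)[0]
    if not first_line.startswith(b"#!"):
        raise ValueError("not a #! script")
    return first_line[2:].strip().split()[0].decode()


def exec_by_path(path, between):
    """Old behaviour: open by path, read '#!', close, then the interpreter
    re-opens the *name*. `between()` models whatever happens in the window."""
    fd = os.open(path, os.O_RDONLY)
    interp = read_shebang(fd)
    os.close(fd)
    between()
    with open(path, "rb") as f:   # opens whatever the name points at now
        body = f.read()
    return interp, body


def exec_by_fd(path, between):
    """Fixed behaviour: keep the descriptor open and hand it to the interpreter,
    so it reads the same inode that the '#!' check looked at."""
    fd = os.open(path, os.O_RDONLY)
    interp = read_shebang(fd)
    between()
    os.lseek(fd, 0, os.SEEK_SET)  # interpreter reads from the inspected file
    chunks = []
    while True:
        chunk = os.read(fd, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(fd)
    return interp, b"".join(chunks)


def compare():
    """Run both strategies against the same window; return what each interpreter saw."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "script.sh")
        other = os.path.join(d, "other.sh")

        def write_original():
            with open(script, "wb") as f:
                f.write(ORIGINAL)

        def swap():
            # Rename a different file over the path: the name now points at a
            # new inode, while any descriptor still open on the old inode keeps
            # reading the old file.
            with open(other, "wb") as f:
                f.write(REPLACEMENT)
            os.replace(other, script)

        write_original()
        by_path = exec_by_path(script, swap)
        write_original()
        by_fd = exec_by_fd(script, swap)
        return {"by_path": by_path, "by_fd": by_fd}


if __name__ == "__main__":
    for name, (interp, body) in compare().items():
        print(f"{name}: interpreter={interp} body={body!r}")
```

The point of the comparison is that in `exec_by_path` the interpreter's open and the kernel's `#!` check are two lookups of the same name, so nothing ties them to one file; in `exec_by_fd` there is a single open, and everything the interpreter reads comes from the inode that was actually checked.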