From: Jonathan McKeown
To: freebsd-questions@freebsd.org
Date: Sun, 10 Feb 2008 19:16:15 +0200
Subject: Re: /usr/local/etc/rc.d/ scripts and non-root user

On Sunday 10 February 2008 11:13, Matthew Seaman wrote:
> gs_stoller@juno.com wrote:
> > On Wed, 06 Feb 2008, Alex Zbyslaw wrote
> > SNIP
> >
> >> Setuid/gid bits on shell scripts aren't considered safe, however, and may
> >> even be disabled.
> >
> > THERE IS NO REASON FOR THIS, JUST USE THE FILE-SYSTEM TO PROTECT THE
> > FILES (MAKE THEM NOT WRITEABLE). Scripts are no more susceptible to
> > sabotage and misuse than binary files, it is just that scripts can be
> > more easily decoded and understood than binary files, and so
> > management (that usually doesn't know much about a computer system)
> > becomes frightened and issues orders to relieve their stress.
>
> There's no particular reason that setuid bits on scripts are dangerous
> nowadays. However in the dim and distant past (before the millennium)
> there used to be a race condition on opening files that meant it was
> trivial to use a setuid script to get a shell running under the target
> UID. The horror of this situation seems to have branded itself so deeply
> on the Unix psyche that even now, when that race condition has been
> eliminated for many years, there is still a lingering reflex response:
> "setuid scripts bad."

Specifically, the system would open the script to read the #! line and
find out what interpreter to run, close the script and tell the specified
interpreter to re-open it. If an attacker could change the file between
the close and the re-open, you would end up running the attacker's
script. I believe the fix was to hand the required interpreter an open
file descriptor rather than a filename.

Jonathan
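The fix Jonathan describes, handing the interpreter an open descriptor instead of a filename, sketched as an added C example (not code from this thread or from the FreeBSD kernel): the #! line is read through the descriptor and the interpreter is exec'd on /dev/fd/N, so whatever is swapped in under the script's original name after the open is never what runs. It assumes /dev/fd/N is available for arbitrary descriptors (fdescfs on FreeBSD, /proc-backed on Linux); the function and file names are the example's own.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Read the "#!" line through an ALREADY-OPEN descriptor and copy the
 * interpreter path into interp. Returns 0 on success, -1 if there is no
 * usable #! line. pread() leaves the file offset untouched. */
int parse_shebang(int fd, char *interp, size_t n) {
    char line[256];
    ssize_t got = pread(fd, line, sizeof line - 1, 0);
    if (got < 3 || line[0] != '#' || line[1] != '!') return -1;
    char *nl = memchr(line, '\n', (size_t)got);
    if (nl) *nl = '\0';
    else if (got == (ssize_t)sizeof line - 1) return -1; /* line too long */
    else line[got] = '\0';
    char *p = line + 2;
    while (*p == ' ' || *p == '\t') p++;   /* "#! /bin/sh" is legal too */
    size_t len = strcspn(p, " \t");        /* drop any interpreter argument */
    if (len == 0 || len >= n) return -1;
    memcpy(interp, p, len);
    interp[len] = '\0';
    return 0;
}

/* The name handed to the interpreter: /dev/fd/N names the descriptor we
 * already hold, so a file swapped in under the script's original path
 * after our open() can never be what the interpreter reads. */
int fd_path(int fd, char *buf, size_t n) {
    int len = snprintf(buf, n, "/dev/fd/%d", fd);
    return (len > 0 && (size_t)len < n) ? 0 : -1;
}

/* Exec the interpreter of the script held open as fd. Returns only on error. */
int run_script_fd(int fd) {
    char interp[256], path[32];
    if (parse_shebang(fd, interp, sizeof interp) != 0) return -1;
    if (fd_path(fd, path, sizeof path) != 0) return -1;
    int flags = fcntl(fd, F_GETFD);        /* the fd must survive the exec */
    if (flags < 0 || fcntl(fd, F_SETFD, flags & ~FD_CLOEXEC) < 0) return -1;
    execl(interp, interp, path, (char *)NULL);
    return -1;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s script\n", argv[0]); return 2; }
    int fd = open(argv[1], O_RDONLY);
    if (fd < 0 || run_script_fd(fd) != 0) { perror(argv[1]); return 1; }
    return 0;
}
```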