From: Jonathan McKeown
Organization: Rhodes University
To: freebsd-hackers@freebsd.org
Date: Thu, 23 Jul 2009 10:18:01 +0200
Subject: Re: SGID/SUID on scripts
In-Reply-To: <4a67ee8a.wIGNpBr1/a3vNK2S%perryh@pluto.rain.com>
References: <19939654343.20090722214221@mail.ru> <4A6795E7.7020700@darkbsd.org> <4a67ee8a.wIGNpBr1/a3vNK2S%perryh@pluto.rain.com>
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers@freebsd.org>

On Thursday 23 July 2009 07:00:58 perryh@pluto.rain.com wrote:
> DarkSoul wrote:
> > Anthony Pankov wrote:
> > > SGID/SUID bits don't work with shell scripts, do they?
> >
> > They don't.

[snip description of race condition]

> In principle, it should be possible to fix this exposure by
> improving the interface between execve() and the interpreter:
>
> The execve() syscall already has the script file open to read the
> shebang line. Leave it open, and ensure that the interpreter
> receives the open descriptor as fd#3 just as 0, 1, and 2 are already
> used for stdin, stdout, and stderr. An interpreter supporting this
> approach would check whether stdscr (fd#3) is already open, and if
> so read from it instead of open()ing the script file. This should
> ensure that the script which gets executed is the same inode on
> which execve() saw the SGID/SUID bits set, even if the filesystem
> has been changed by the time the interpreter has gotten started.
> It would be the responsibility of whoever decided to set the
> SGID/SUID bits on a particular script to ensure that the interpreter
> involved supports the mechanism.
>
> I vaguely recall having seen a similar (or even identical) approach
> suggested some years ago. It may even have been implemented in some
> variant of Un*x.

It's mentioned in the perlsec page of perl's documentation (installed as a
manpage on FreeBSD), under Security Bugs, which describes the race condition,
and the same fix (keeping the script open and passing /dev/fd/3 rather than
closing it and passing the filename). It goes on to say:

> Most modern releases of SysVr4 and BSD 4.4 use this approach to avoid the
> kernel race condition.

Although it would appear not to apply to FreeBSD.

Jonathan
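The following is an added example, not code from the thread, from FreeBSD, or from perl: it shows, from the interpreter's side, the mechanism the thread describes. If the kernel has left the script open on a known descriptor (fd 3 in the proposal), the interpreter reads from that descriptor and never re-opens the path; comparing fstat() on the descriptor with stat() on the path shows whether the name has been re-pointed at a different inode since execve() looked at it. The function names, the SCRIPT_FD constant, and the /tmp sample paths are assumptions made for this illustration; main() stands in for the kernel by placing the file on fd 3 itself.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Descriptor number the thread proposes for the already-open script
 * (an assumption taken from the proposal, not a FreeBSD convention). */
#define SCRIPT_FD 3

/* 1 if fd is an open descriptor, 0 otherwise. F_GETFD fails only with
 * EBADF, so a failure means "not open". */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* 1 if the open descriptor and the path currently name the same file
 * (same device and inode), 0 if they differ or either cannot be stat'ed.
 * A mismatch is exactly the window the thread describes: the name was
 * re-pointed at another file between execve() and the interpreter. */
int fd_matches_path(int fd, const char *path)
{
    struct stat by_fd, by_name;
    if (fstat(fd, &by_fd) != 0 || stat(path, &by_name) != 0)
        return 0;
    return by_fd.st_dev == by_name.st_dev && by_fd.st_ino == by_name.st_ino;
}

/* Decide where the interpreter reads the script from. If candidate_fd is
 * already open (the kernel handed the script over, as proposed), use it and
 * never touch the path; otherwise fall back to open(path), which is the
 * behaviour of a conventional interpreter. *used_candidate reports which
 * branch ran. Returns the descriptor to read, or -1 on error. */
int open_script_source(int candidate_fd, const char *path, int *used_candidate)
{
    if (fd_is_open(candidate_fd)) {
        *used_candidate = 1;
        return candidate_fd;
    }
    *used_candidate = 0;
    return open(path, O_RDONLY);
}

/* Read the first line of the script (the "#!" line) from fd into buf,
 * without the trailing newline. Returns its length, or -1 on error. */
int read_shebang(int fd, char *buf, size_t buflen)
{
    if (lseek(fd, 0, SEEK_SET) < 0)
        return -1;
    ssize_t n = read(fd, buf, buflen - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    char *nl = strchr(buf, '\n');
    if (nl)
        *nl = '\0';
    return (int)strlen(buf);
}

int main(void)
{
    /* Constructed sample: a tiny script written to /tmp for the demo. */
    const char *path = "/tmp/sgid_script_example.sh";
    const char *body = "#!/bin/sh\necho hello\n";
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0 || write(fd, body, strlen(body)) < 0)
        return 1;
    close(fd);

    /* Stand in for the kernel: open the script and place it on fd 3. */
    fd = open(path, O_RDONLY);
    if (fd < 0 || dup2(fd, SCRIPT_FD) < 0)
        return 1;
    if (fd != SCRIPT_FD)
        close(fd);

    int used;
    int src = open_script_source(SCRIPT_FD, path, &used);
    char line[128];
    read_shebang(src, line, sizeof line);
    printf("read from %s: %s\n", used ? "fd 3" : "open(path)", line);

    /* Swap a different file in under the same name: the open descriptor
     * still refers to the original inode, while the path no longer does. */
    const char *other = "/tmp/sgid_script_example.sh.new";
    int ofd = open(other, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (ofd < 0 || rename(other, path) != 0)
        return 1;
    close(ofd);
    printf("descriptor still matches the path? %s\n",
           fd_matches_path(src, path) ? "yes" : "no");

    close(src);
    unlink(path);
    return 0;
}
```

The interpreter-side check is the whole point: once the script is read through the inherited descriptor, no later change to the directory entry can alter which file's contents run with the elevated IDs. The fd_matches_path() comparison is only a diagnostic; an interpreter that follows the convention has no need to look at the path at all.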