From owner-freebsd-hackers@FreeBSD.ORG Thu Jul 23 16:16:16 2009
From: Ivan Voras
To: freebsd-hackers@freebsd.org
Date: Thu, 23 Jul 2009 18:15:57 +0200
Subject: Re: SGID/SUID on scripts
In-Reply-To: <4A6795E7.7020700@darkbsd.org>
References: <19939654343.20090722214221@mail.ru> <4A6795E7.7020700@darkbsd.org>
List-Id: Technical Discussions relating to FreeBSD
User-Agent: Thunderbird 2.0.0.21 (X11/20090615)
X-Injected-Via-Gmane: http://gmane.org/

DarkSoul wrote:
> Anthony Pankov wrote:
>> SGID/SUID bits don't work with shell scripts, do they?
>>
>> And no mention in chmod(1,2) manual.
>
> They don't.
>
> One reason for this is that if they were applied, the following would
> occur:
> - execve() syscall reads your script's shebang line, and the script
> interpreter is executed, receiving the specified arguments along with
> the script name.
> - The interpreter then open()s the script file to read it, and runs the code.
>
> The problem you are then faced with is that you have a time frame
> defined by the moment between the aforementioned execve() and open(),
> during which it could be possible to unlink/move/whatever the shell
> script the interpreter is going to open.
>
> You guess where this is going: you have no absolute way of guaranteeing
> you are executing the file you initially planned on opening because
> execution/opening/reading is not, and can't be, done atomically for shell
> scripts.

Hmm... Presumably, the biggest concern is with scripts owned by root. Who
can unlink, move or change the script? The owner and his group can change
it; the directory owner can unlink it. It looks like the targeted problem
is if root creates a script in a user-owned directory and then makes it
suid. It looks more like a PEBKAC than a system problem - is it really so
serious that there is no sysctl to disable the check?
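A worked example of the alternative this thread points at, added here and not part of the thread or of FreeBSD: a small setuid C wrapper that stands in for the setuid bit on the script. It first checks that the script and every directory above it are owned by the trusted uid and not writable by group or others (the "root-owned script in a user-owned directory" case Ivan raises), then opens the script and execs the interpreter on /dev/fd/N rather than on the path, so the interpreter reads the very inode the wrapper verified with fstat(2) and the execve()/open() gap DarkSoul describes is closed. The script path, the interpreter path, the fixed environment and the availability of /dev/fd/N for N > 2 (Linux with /proc, or FreeBSD with fdescfs mounted) are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/stat.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Ownership/permission policy for one path component.
 * Trusted means: owned by trusted_uid, not a symlink, and not writable by
 * group or others, so only that owner can edit or replace it. */
int component_is_trusted(const struct stat *st, uid_t trusted_uid)
{
    if (st->st_uid != trusted_uid)
        return 0;
    if (S_ISLNK(st->st_mode))
        return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* lstat(2) every prefix of an absolute path ("/", "/usr", "/usr/local", ...).
 * One untrusted directory anywhere above the script lets its owner swap the
 * script out from under us, regardless of who owns the script itself.
 * Returns 1 if the whole chain is trusted, 0 otherwise. */
int path_is_trusted(const char *path, uid_t trusted_uid)
{
    char buf[PATH_MAX];
    struct stat st;
    size_t n = 0;

    if (path[0] != '/' || strlen(path) >= sizeof buf)
        return 0;                       /* relative or oversized: refuse */
    if (lstat("/", &st) != 0 || !component_is_trusted(&st, trusted_uid))
        return 0;
    for (const char *p = path; *p != '\0'; p++) {
        buf[n++] = *p;
        if (p[1] == '/' || p[1] == '\0') {  /* end of a component */
            buf[n] = '\0';
            if (lstat(buf, &st) != 0 || !component_is_trusted(&st, trusted_uid))
                return 0;
        }
    }
    return 1;
}

/* Run a checked script by handing the interpreter an open descriptor
 * instead of a name. /dev/fd/N is the inode we just verified with fstat(2),
 * so nothing can be substituted between this check and the interpreter's
 * own open(). Assumes /dev/fd/N exists for N > 2. Returns -1 on failure;
 * on success execve() does not return. */
int exec_checked_script(const char *script, const char *interp, uid_t trusted_uid)
{
    struct stat st;
    char fdpath[32];
    int fd;
    /* Fixed environment: a setuid wrapper must not inherit PATH, IFS, ENV,
     * BASH_ENV, LD_PRELOAD and friends from the caller. (Assumed value.) */
    char *const envp[] = { "PATH=/bin:/usr/bin", NULL };

    if (!path_is_trusted(script, trusted_uid))
        return -1;
    fd = open(script, O_RDONLY);
    if (fd < 0)
        return -1;
    /* Re-check on the descriptor: the walk above was by name. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        !component_is_trusted(&st, trusted_uid)) {
        close(fd);
        return -1;
    }
    snprintf(fdpath, sizeof fdpath, "/dev/fd/%d", fd);
    char *const argv[] = { (char *)interp, fdpath, NULL };
    execve(interp, argv, envp);
    close(fd);                          /* only reached if execve() failed */
    return -1;
}

/* Stand-alone use. The script and interpreter paths are hypothetical; in a
 * real deployment this binary is installed setuid root with the script path
 * hard-coded, so the caller cannot choose what gets run. */
int main(void)
{
    if (exec_checked_script("/usr/local/libexec/example.sh", "/bin/sh", 0) != 0) {
        perror("exec_checked_script");
        return 1;
    }
    return 0;
}
```

Two caveats a practitioner should keep in mind: the script sees `$0` as `/dev/fd/N`, so anything in it that re-opens itself by name still has to be written with that in mind, and the world-writable-with-sticky-bit case (`/tmp`-style directories) is deliberately rejected by the check rather than special-cased.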