From: "Sply Splyeff" <cv@io.ru>
To: freebsd-hackers@freebsd.org
Date: Thu, 06 Apr 2006 00:29:27 +0400
Subject: setuid scripts wrapper (RFC, proposal)
List-Id: Technical Discussions relating to FreeBSD

There are some security problems with kernel-level setuid script execution which discourage its use. The standard recommendation is to write a binary setuid wrapper for each script needed. But maybe it's better to use one simple, well reviewed and verified setuid wrapper for all common tasks? And to use it in the distribution or, at least, as a package.
I've tried to set up the standard wrapper for our systems which does the following:

- verifies whether the script's file system is allowed to run setuid scripts
- clears all environment variables, or passes only the desired ones, or sets them to values from the hash-line in the script
- closes all file descriptors > 2 if the -c option is set
- checks whether the script file is writable by anyone

http://suidscript.sply.org/suidscript/suidscript.c
http://suidscript.sply.org/suidscript/suidscriptperl
http://suidscript.sply.org/suidscript/test_perl
http://suidscript.sply.org/

Is it strong enough? Is there any slippery ground left?