From: Peter Jeremy
To: Sply Splyeff
Cc: freebsd-hackers@freebsd.org
Date: Thu, 6 Apr 2006 19:26:28 +1000
Subject: Re: setuid scripts wrapper (RFC, proposal)
Message-ID: <20060406092628.GC700@turion.vk2pj.dyndns.org>

On Thu, 2006-Apr-06 00:29:27 +0400, Sply Splyeff wrote:
> There are some security problems with kernel-level script
> setuid execution which discourage one from using it.

The biggest problem is a race condition between the kernel setting up the set[gu]id() environment and opening the script to find the interpreter, and the interpreter opening the script to execute it. This can only be fixed within the kernel (by passing the script to the interpreter as a pre-opened FD).

> Is it strong enough? Maybe there is some slippery ground
> left?

The biggest problem is its failure to check the sanity of the input parameters - that a particular argument actually exists before referencing it.

Other issues I noticed:
- strncpy() is virtually always the wrong function. You already do validation, so you could just use strcpy().
- strncpy(penvd + penvsz, "=", 1); could be penvd[penvsz] = '=';
- No error if the number of environment variables is too great.

-- 
Peter Jeremy
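As an added illustration of the review points above (this is not code from the proposed wrapper or from anyone in this thread): a bounds-checked way to pack the flat name=value environment buffer, reusing the penvd/penvsz names from the review, plus an argument lookup that refuses to reference an argv slot that does not exist. MAX_ENV_VARS, the status codes and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENV_VARS 64     /* assumed limit; the wrapper under review had none */
enum env_status { ENV_OK = 0, ENV_TOO_MANY, ENV_TOO_LONG, ENV_BAD_ENTRY };

/* Pack name=value pairs into penvd (flat, NUL-separated entries).
 * *penvsz is the number of bytes used so far. Every length is checked before
 * any byte is copied, so strncpy() is not needed anywhere. */
int build_env(const char *const *names, const char *const *values, size_t count,
              char *penvd, size_t cap, size_t *penvsz)
{
    if (count > MAX_ENV_VARS)
        return ENV_TOO_MANY;               /* the missing "too many variables" error */
    *penvsz = 0;
    for (size_t i = 0; i < count; i++) {
        if (names[i] == NULL || values[i] == NULL || names[i][0] == '\0' ||
            strchr(names[i], '=') != NULL)
            return ENV_BAD_ENTRY;          /* empty name, or '=' inside a name */
        size_t nl = strlen(names[i]), vl = strlen(values[i]);
        if (nl + 1 + vl + 1 > cap - *penvsz) /* name, '=', value and NUL must all fit */
            return ENV_TOO_LONG;
        memcpy(penvd + *penvsz, names[i], nl);
        *penvsz += nl;
        penvd[(*penvsz)++] = '=';          /* one byte: no strncpy(..., "=", 1) */
        memcpy(penvd + *penvsz, values[i], vl + 1);   /* copies the NUL too */
        *penvsz += vl + 1;
    }
    return ENV_OK;
}

/* Return argv[i] only if that argument exists; NULL otherwise. */
const char *arg_or_null(int argc, char *const argv[], int i)
{
    return (i >= 0 && i < argc) ? argv[i] : NULL;
}

int main(int argc, char *argv[])
{
    const char *script = arg_or_null(argc, argv, 1);
    if (script == NULL) {                  /* argv[1] is checked before it is used */
        fprintf(stderr, "usage: wrapper <script>\n");
        return 2;
    }
    char penvd[4096]; size_t penvsz;
    const char *n[] = { "PATH" }, *v[] = { "/bin:/usr/bin" };  /* constructed sample */
    int rc = build_env(n, v, 1, penvd, sizeof penvd, &penvsz);
    printf("%s: env status %d, %zu bytes\n", script, rc, penvsz);
    return rc == ENV_OK ? 0 : 1;
}
```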