From: "Sply Splyeff"
To: Peter Jeremy, cv@io.ru
Cc: freebsd-hackers@freebsd.org
Date: Thu, 06 Apr 2006 14:49:25 +0400
Subject: Re: setuid scripts wrapper (RFC, proposal)

> The biggest problem is its failure to check the sanity of the input
> parameters - that a particular argument actually exists before
> referencing it.

Do you mean that evil Bob can substitute Alice's script between the stat() and execve() calls? Yes, I've missed this point. We can use realpath and check that all nodes are writable only by the file owner or by root. Yes, that's a big limitation, but in most common tasks it would be acceptable. And it saves us from race conditions, am I right?
And there are other ways, but slower or more complex: an own sub-wrapper for each interpreter which passes the script as a file descriptor, as you wrote at the beginning; hardlink or copy the files to a safe directory; fork a child and ptrace it to watch whether the files it opens are really the same. Too confusing. But if the first way is OK, maybe it's better to stay with it.

> Other issues I noticed:
> - strncpy() is virtually always the wrong function. You already do
> validation so you could just use strcpy()

OK. I've replaced it with memcpy, as the length is already known.

> - strncpy(penvd + penvsz, "=", 1); could be penvd[penvsz] = '=';

Sure, it was done only to keep all string operations in one style.

> - No error if number of environment variables too great.

Fixed.