From owner-freebsd-hackers Mon Feb 24 15:05:36 1997
Return-Path: 
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id PAA26446 for hackers-outgoing; Mon, 24 Feb 1997 15:05:36 -0800 (PST)
Received: from relay.nuxi.com (nuxi.ucdavis.edu [128.120.37.176]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA25648; Mon, 24 Feb 1997 14:51:39 -0800 (PST)
Received: from dragon.nuxi.com (reqd-087.ucdavis.edu [128.120.251.207]) by relay.nuxi.com (8.8.4/8.6.12) with ESMTP id OAA28811; Mon, 24 Feb 1997 14:53:25 -0800 (PST)
Received: (from obrien@localhost) by dragon.nuxi.com (8.8.5/8.7.3) id WAA27013; Mon, 24 Feb 1997 22:51:34 GMT
Message-ID: <19970224145134.KZ55495@dragon.nuxi.com>
Date: Mon, 24 Feb 1997 14:51:34 -0800
From: obrien@NUXI.com (David O'Brien)
To: jehamby@lightside.com (Jake Hamby)
Cc: hackers@freebsd.org, auditors@freebsd.org
Subject: Re: disallow setuid root shells?
References: <199702242038.MAA00577@lightside.com>
X-Mailer: Mutt 0.60_p2-3,5,8-9
Mime-Version: 1.0
X-Disclaimer: Mutt Bites!
Organization: The NUXI *BSD group
X-PGP-Fingerprint: B7 4D 3E E9 11 39 5F A3 90 76 5D 69 58 D9 98 7A
X-Pgp-Keyid: 34F9F9D5
In-Reply-To: <199702242038.MAA00577@lightside.com>; from Jake Hamby on Feb 24, 1997 12:38:23 -0800
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Jake Hamby writes:
>
> My sentiments exactly! I would think that if there was a valid reason
> for setuid root shells, then a commercial OS like Solaris would
> probably allow them (since paying customers often would rather have
> functionality than security!).

Solaris *DOES* allow them:

From ``man sh'' on Solaris 2.5:

     -p    If the -p flag is present, the shell will not set the
           effective user and group IDs to the real user and group IDs.

So you just need to invoke a suid0 shell by ``sh -p''.  Solaris's ksh
does not have this restriction.
foo:/tmp> ll *sh
-r-sr-xr-x   1 root     bin       159796 Oct 25  1995 csh*
-r-sr-xr-x   1 root     bin       180856 Oct 25  1995 ksh*
-r-sr-xr-x   1 root     root       87012 Oct 25  1995 sh*
foo:/tmp> id
uid=1765(obrien) gid=10(staff)
foo:/tmp> ./sh
$ id
uid=1765(obrien) gid=10(staff)
$ exit
foo:/tmp> ./sh -p
# id
uid=1765(obrien) gid=10(staff) euid=0(root)
# exit
foo:/tmp> ./ksh
# id
uid=1765(obrien) gid=10(staff) euid=0(root)
# exit
foo:/tmp> ./csh
csh: Permission denied

> While of course this will only protect against the lamest of system crackers,
> there really is no compelling reason NOT to do it,

You are changing from what is expected under Unix.  Solaris did this with
requiring the ``-p'' option.  Before people bothered to RTFM, many thought
they were no longer vulnerable to suid0 sh shells.  And then the truth was
found....

-- 
-- David  (obrien@NUXI.com  -or-  obrien@FreeBSD.org)
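Editor's added illustration, not part of O'Brien's message and not Solaris source: a C sketch of the policy the quoted ``man sh'' text describes, i.e. a set-id shell that resets its effective user and group IDs to the real ones unless ``-p'' was given. The option scanning and function names are assumptions made for this example; Solaris sh's real startup code is not shown on the page. It also spells out the check a practitioner should add after any such drop (verify the effective IDs actually changed) and the caveat that a plain setuid() from a non-root effective UID leaves the saved set-user-ID behind, so only the root case is an irrevocable drop.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Pure policy decision, kept free of side effects so it can be tested:
 * should a set-id shell reset its effective IDs to the real IDs?
 * Models the man-page text: reset unless -p is present. */
int privileged_shell_should_drop(uid_t ruid, uid_t euid,
                                 gid_t rgid, gid_t egid, int pflag)
{
    if (pflag)
        return 0;                       /* -p: keep the set-id privilege */
    return ruid != euid || rgid != egid;
}

/* Look for a 'p' in the leading option words, the way a Bourne-style
 * shell scans its own single-letter options ("-p", "-ip", ...).
 * Scanning stops at "--" or at the first non-option word.
 * (Simplified assumption; real shells parse more than this.) */
int has_p_flag(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--") == 0 || argv[i][0] != '-')
            break;                      /* end of shell options */
        if (strchr(argv[i] + 1, 'p') != NULL)
            return 1;
    }
    return 0;
}

/* Apply the policy to the running process.
 * Returns 1 if no drop was needed, 0 on a verified drop, -1 on failure.
 * Group is changed before user: once euid is non-root, setgid() to a
 * foreign gid would no longer be permitted. */
int apply_shell_policy(int pflag)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    if (!privileged_shell_should_drop(ruid, euid, rgid, egid, pflag))
        return 1;
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;
    /* Never trust the return codes alone: confirm the IDs really changed. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* Caveat: when euid was 0, POSIX setuid() sets real, effective and
     * saved UIDs, so this drop cannot be undone.  When euid was some other
     * user, setuid() changes only the effective UID and the saved
     * set-user-ID still allows a later setuid() back to it; a full drop in
     * that case needs setresuid() (or setreuid()) where the platform has it. */
    return 0;
}

/* Stand-alone demo: behaves like "./sh" vs "./sh -p" from the transcript
 * when installed set-uid; as an ordinary binary there is nothing to drop. */
int main(int argc, char **argv)
{
    int p = has_p_flag(argc, argv);
    int rc = apply_shell_policy(p);
    printf("uid=%u euid=%u gid=%u egid=%u (-p=%d, drop rc=%d)\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid(), p, rc);
    return rc < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

The point of the transcript survives in the code: the protection lives entirely in the shell's own startup logic, so a caller who knows the option (or who picks a shell such as ksh or csh that implements a different policy) gets a different result from the same set-uid bit.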