From owner-freebsd-hackers@FreeBSD.ORG Thu Apr 6 19:27:57 2006
X-Original-To: freebsd-hackers@freebsd.org
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D5D6316A939; Thu, 6 Apr 2006 19:27:57 +0000 (UTC) (envelope-from peterjeremy@optushome.com.au)
Received: from mail22.syd.optusnet.com.au (mail22.syd.optusnet.com.au [211.29.133.160]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0384446493; Thu, 6 Apr 2006 19:00:17 +0000 (GMT) (envelope-from peterjeremy@optushome.com.au)
Received: from turion.vk2pj.dyndns.org (c220-239-19-236.belrs4.nsw.optusnet.com.au [220.239.19.236]) by mail22.syd.optusnet.com.au (8.12.11/8.12.11) with ESMTP id k36J07Ek029747 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Fri, 7 Apr 2006 05:00:09 +1000
Received: from turion.vk2pj.dyndns.org (localhost.vk2pj.dyndns.org [127.0.0.1]) by turion.vk2pj.dyndns.org (8.13.4/8.13.4) with ESMTP id k36J06vP002761; Fri, 7 Apr 2006 05:00:06 +1000 (EST) (envelope-from peter@turion.vk2pj.dyndns.org)
Received: (from peter@localhost) by turion.vk2pj.dyndns.org (8.13.4/8.13.4/Submit) id k36J04MI002760; Fri, 7 Apr 2006 05:00:04 +1000 (EST) (envelope-from peter)
Date: Fri, 7 Apr 2006 05:00:04 +1000
From: Peter Jeremy
To: Sply Splyeff
Cc: freebsd-hackers@freebsd.org, cv@io.ru
Subject: Re: setuid scripts wrapper (RFC, proposal)
Message-ID: <20060406190004.GD700@turion.vk2pj.dyndns.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-PGP-Key: http://members.optusnet.com.au/peterjeremy/pubkey.asc
User-Agent: Mutt/1.5.11
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Thu, 06 Apr 2006 19:28:00 -0000

On Thu, 2006-Apr-06 14:49:25 +0400, Sply Splyeff wrote:
>> The biggest problem is its failure to check the sanity of the input
>> parameters - that a particular argument actually exists before
>> referencing it.
>
> Do you mean that evil Bob can substitute Alice's script between stat()
> and execve() calls?
> Yes, I've missed this point.

Actually Bob can replace the script anytime between the initial statfs()
call in your script and the interpreter opening the script sometime after
the execve() call.  You should be able to get around this by opening the
script first, using fstatfs() and fstat() and passing the script as
/dev/fd/N to the interpreter.

What I was actually referring to was your use of argv[1], argv[2], argv[3]
and argv[4] without checking argc or otherwise validating them.

-- 
Peter Jeremy
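The two points Peter raises (check the file through the descriptor you will actually hand to the interpreter, and never index argv without checking argc) in a worked C sketch. This is an added example, not the wrapper under discussion and not code from either poster. It assumes an invocation of the form `wrapper <interpreter> <script> [args...]`, uses the POSIX fstatvfs() and its ST_NOSUID flag as a portable stand-in for the fstatfs() Peter mentions, and deliberately leaves out the credential switch a real setuid wrapper would perform, since the thread says nothing about how that should be done:

```c
/* Added example: open-first pattern for a setuid-script wrapper.
 * The check (fstat/fstatvfs) and the use (exec with /dev/fd/N) refer to
 * the same open descriptor, so swapping the pathname in between has no
 * effect on what the interpreter ends up reading. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <unistd.h>

/* Problems found by validate_script_fd(), combinable as a bitmask. */
enum {
    PROB_STAT_FAILED = 1 << 0,
    PROB_NOT_REGULAR = 1 << 1,   /* not a plain file (directory, fifo, ...) */
    PROB_NOT_SETUID  = 1 << 2,   /* script lacks the S_ISUID bit */
    PROB_WRITABLE    = 1 << 3,   /* group- or world-writable */
    PROB_NOSUID_FS   = 1 << 4    /* filesystem mounted nosuid */
};

/* Inspect an already-open descriptor. Nothing here touches the pathname
 * again, so there is no stat()/execve() window to race. */
int validate_script_fd(int fd, struct stat *st_out)
{
    struct stat st;
    struct statvfs vfs;
    int problems = 0;

    if (fstat(fd, &st) != 0)
        return PROB_STAT_FAILED;
    if (!S_ISREG(st.st_mode))
        problems |= PROB_NOT_REGULAR;
    if (!(st.st_mode & S_ISUID))
        problems |= PROB_NOT_SETUID;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        problems |= PROB_WRITABLE;
    if (fstatvfs(fd, &vfs) == 0 && (vfs.f_flag & ST_NOSUID))
        problems |= PROB_NOSUID_FS;
    if (st_out != NULL)
        *st_out = st;
    return problems;
}

/* Build the /dev/fd/N name handed to the interpreter; 0 on success. */
int fd_path(int fd, char *buf, size_t len)
{
    int n = snprintf(buf, len, "/dev/fd/%d", fd);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Only dereference argv[i] when argc guarantees the slot exists.
 * Assumed usage: wrapper <interpreter> <script> [args...] */
int parse_args(int argc, char **argv, const char **interp, const char **script)
{
    if (argc < 3 || argv[1] == NULL || argv[2] == NULL)
        return -1;
    *interp = argv[1];
    *script = argv[2];
    return 0;
}

int main(int argc, char **argv)
{
    const char *interp, *script;
    char path[32];
    struct stat st;
    int fd, problems;

    if (parse_args(argc, argv, &interp, &script) != 0) {
        fprintf(stderr, "usage: %s interpreter script [args...]\n",
                argc > 0 ? argv[0] : "wrapper");
        return 64;
    }
    fd = open(script, O_RDONLY);          /* no O_CLOEXEC: fd must survive exec */
    if (fd < 0) {
        perror(script);
        return 66;
    }
    problems = validate_script_fd(fd, &st);
    if (problems != 0) {
        fprintf(stderr, "%s: refusing to run, problem mask 0x%x\n", script, problems);
        return 77;
    }
    /* A real wrapper would switch credentials here (omitted on purpose). */
    if (fd_path(fd, path, sizeof path) != 0)
        return 70;
    argv[2] = path;                       /* interpreter sees /dev/fd/N, not the name */
    execv(interp, argv + 1);
    perror(interp);
    return 126;
}
```

The mask-based return lets a caller distinguish "not setuid" from "writable by others" in its log message instead of collapsing every refusal into one error; ST_NOSUID is checked through the same descriptor for the same reason everything else is.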