From: Lowell Gilbert <lgusenet@be-well.ilk.org>
To: Jonathan McKeown
Cc: freebsd-hackers@freebsd.org
Subject: Re: SGID/SUID on scripts
Date: Fri, 24 Jul 2009 11:11:38 -0400
Message-ID: <44zlau6rpx.fsf@be-well.ilk.org>
In-Reply-To: <200907240902.09609.j.mckeown@ru.ac.za> (Jonathan McKeown's message of "Fri, 24 Jul 2009 09:02:09 +0200")
References: <19939654343.20090722214221@mail.ru> <4a67ee8a.wIGNpBr1/a3vNK2S%perryh@pluto.rain.com> <44my6v8d97.fsf@be-well.ilk.org> <200907240902.09609.j.mckeown@ru.ac.za>
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.3 (berkeley-unix)
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers@freebsd.org>

Jonathan McKeown writes:

> On Thursday 23 July 2009 20:28:52 Lowell Gilbert wrote:
>> That's clever, but how would it work in practice, while common shells
>> and scripting languages may not implement their side of it?
>
> http://www.in-ulm.de/~mascheck/various/shebang/ claims that it's been
> implemented, in exactly the way described, in Solaris, OpenBSD and NetBSD
> (albeit as a kernel compile-time option in the latter two). (It's apparently
> also in IRIX and UnixWare).
>
> Given OpenBSD's admirable paranoia about security (hey, I'm a sysadmin: I
> never ask myself if I'm being paranoid, but if I'm being paranoid enough!)
> I'd have thought they would have explored the implications fully.

They don't enable it by default, and they don't seem to recommend it.

> Certainly other stuff knows about it. As I said yesterday, Perl describes the
> problem in its perlsec manpage/perldoc. The perl interpreter even has a
> build-time option, SETUID_SCRIPTS_ARE_SECURE_NOW - and the correct setting is
> supposedly detected as part of configure.

The problem I'm wondering about is that it doesn't matter what knows
about it as long as there's an interpreter that *doesn't*. Anything
that opens a script parameter on its own (there are other vulnerable
approaches, but one's enough) will be insecure.

I may well be missing something, of course.

> There may well be some problems to overcome, but this doesn't appear to be
> unexplored territory.

Not entirely, but there may well be a reason it's never been in common use.

 - Lowell
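The thread above argues about whether the setuid bit on an interpreter script can ever be made safe when safety depends on every interpreter cooperating. Before that question matters on a given host, an administrator wants to know whether any such scripts exist at all. The audit below is an added example, written for this page and not part of the message or of FreeBSD: it walks a directory tree without following symlinks, reports every regular file that carries the setuid or setgid bit and whose first two bytes are `#!`, and builds a small constructed sample tree in a temporary directory so it can run offline. The function names (`find_privileged_scripts`, `is_interpreter_script`, `build_sample_tree`, `audit_sample`) and the sample file names are my own.

```python
import os
import stat
import tempfile


def is_interpreter_script(path):
    """Return True if the file begins with '#!' (an interpreter script)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def find_privileged_scripts(root):
    """Walk `root` and return sorted (path, mode-string) pairs for every
    regular file carrying the setuid or setgid bit that is also an
    interpreter script. lstat() is used so symlinks are neither followed
    nor reported; the real file behind a link is found on its own path."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the audit
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            if is_interpreter_script(path):
                findings.append((path, stat.filemode(st.st_mode)))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed sample tree (hypothetical files, not taken from
    any real system) in a fresh temp directory and return its path."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    samples = {
        "bin/suid_script.sh": (b"#!/bin/sh\necho hi\n", 0o4755),   # setuid script: reported
        "bin/plain_script.sh": (b"#!/bin/sh\necho hi\n", 0o755),   # no privilege bit: ignored
        "bin/suid_binary": (b"\x7fELF" + b"\0" * 12, 0o4755),      # setuid, but not a script: ignored
        "etc/notes.txt": (b"#!looks like a shebang, no bits\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)  # set the bits after writing; writing can clear them
    return base


def audit_sample():
    """Run the audit over the constructed tree and return the hits as paths
    relative to the tree root, so the result is independent of the temp name."""
    base = build_sample_tree()
    return [os.path.relpath(p, base) for p, _mode in find_privileged_scripts(base)]


if __name__ == "__main__":
    for path, mode in find_privileged_scripts(build_sample_tree()):
        print(mode, path)
```

Run it against `/` (or the mount points you care about) instead of the sample tree for a real audit. A kernel that ignores the setuid bit on scripts still leaves the bit visible in the mode, so each hit is worth removing even where it is currently inert, and the sample deliberately sets only the setuid bit because a non-root user's setgid bit is silently dropped on some systems when the file's group is not one of theirs.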