Date: Tue, 25 Feb 1997 12:15:42 +0800
From: Peter Wemm <peter@spinner.DIALix.COM>
To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
Cc: jehamby@lightside.com (Jake Hamby), abelits@phobos.illtel.denver.co.us, angio@aros.net, hackers@freebsd.org, auditors@freebsd.org
Subject: Re: disallow setuid root shells?
Message-ID: <199702250415.MAA23422@spinner.DIALix.COM>
In-Reply-To: Your message of "Tue, 25 Feb 1997 00:51:45 +0100." <Mutt.19970225005145.j@uriah.heep.sax.de>
J Wunsch wrote:
> As Jake Hamby wrote:
>
> > My sentiments exactly! I would think that if there was a valid
> > reason for setuid root shells, then a commercial OS like Solaris
> > would probably allow them (since paying customers often would rather
> > have functionality than security!).
>
> You think that's the reason why Solaris indeed allows it? :-)

They are reasonably secure on Solaris when the script writer knows what they are doing. Solaris uses /dev/fd/xxx when running setuid interpreted scripts, so it's not vulnerable to symlink races etc.

The -p on /bin/sh is to use /etc/suid_profile rather than ~/.profile and to allow suid execution to continue. ksh doesn't require -p to be specified; it detects uid != euid and turns it on automatically. It has the same effect as -p in /bin/sh. In ksh, however, you can turn off the 'p' option and ksh will revoke its setuid right then.

The way secure execution works is that the kernel opens the file in the process's context, so it's available on (e.g.) /dev/fd/3. It then checks the suid/etc. stuff. If all is ok, it runs "/bin/sh /dev/fd/3 <args>". The race is solved, but $0 looks a bit strange to the script because the shell doesn't know the real name of the script.

All that's required then for a reasonably secure script is explicitly setting IFS on the first line of the script, and extreme caution.

> --
> cheers, J"org
>
> joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
> Never trust an operating system you don't have sources for. ;-)

Cheers,
-Peter
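The /dev/fd hand-off and the "set IFS on the first line" preamble described above, as an added example that is not part of the original message and not Solaris or FreeBSD code. It assumes a Linux-style /dev/fd (a symlink into /proc/self/fd) and a POSIX /bin/sh, and it leaves the setuid bit out entirely: the user-space wrapper stands in for the kernel step, so only the descriptor hand-off itself and what the script sees as $0 are shown.

```sh
#!/bin/sh
# Added example, not from the thread.  It demonstrates two things Peter
# describes: running a script through /dev/fd/N (as the Solaris kernel does
# for setuid interpreted scripts) and the "set IFS explicitly on the first
# line" preamble.  Assumes a Linux-like /dev/fd (a symlink into
# /proc/self/fd) and a POSIX /bin/sh; no setuid bit is involved here, only
# the file-descriptor hand-off itself.

# Constructed sample script.  Its first working line pins IFS to the three
# default separators (space, tab, newline; the trailing x protects the
# newline from $(...) stripping) and sets a known PATH before anything
# else runs.  It then reports what it sees as $0 and how many words its
# first argument splits into under that IFS.
SAMPLE_SCRIPT='#!/bin/sh
IFS=$(printf " \t\nx"); IFS=${IFS%x}
PATH=/usr/bin:/bin; export PATH
printf "%s\n" "$0"
set -- $1
printf "%s\n" "$#"
'

# run_via_fd ARG: write the sample to a temporary file, open it on fd 3,
# unlink the path, and run the interpreter on /dev/fd/3.  Because the
# interpreter is handed an already-open descriptor and never looks the
# path up again, nothing done to the path name after the open (the
# symlink race the thread mentions) can change which file gets read.
# Prints two lines: the script's $0 and its word count for ARG.
run_via_fd() {
    tmp=$(mktemp) || return 1
    printf '%s' "$SAMPLE_SCRIPT" > "$tmp"
    exec 3< "$tmp"
    rm -f "$tmp"              # the name is gone; fd 3 still refers to the file
    /bin/sh /dev/fd/3 "$1"
    exec 3<&-
}

# Convenience wrappers so each result can be checked on its own.
script_argv0()     { run_via_fd "$1" | sed -n '1p'; }
script_wordcount() { run_via_fd "$1" | sed -n '$p'; }

# Stand-alone run: $0 is reported as /dev/fd/3 (the "strange" name Peter
# mentions), and "a:b:c" stays one word because the script's own IFS is in
# force regardless of what the caller did with IFS.
run_via_fd 'a:b:c'
```

The wrapper is the user-space analogue of the kernel step: the file is opened first, and the interpreter is told to read the descriptor rather than the name, so the check-then-use window on the path disappears. The price is exactly the one Peter notes: the script cannot learn its real file name from $0.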