Date: Mon, 4 Aug 1997 15:07:36 -0600 (MDT)
From: Marc Slemko
To: Atipa
cc: "Jonathan A. Zdziarski", ports@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: SetUID

On Mon, 4 Aug 1997, Atipa wrote:

>
>
> On Mon, 4 Aug 1997, Marc Slemko wrote:
>
> > You could. If you did, however, you would be silly.
> >
> > The wrapper you give allows anyone who can run it to do anything they want
> > as the uid it is setuid to.
>
> If you allow the shell script to be modified, yes. Otherwise, I can not
> see how they could use the wrapper to execute anything but the script
> hard coded therein. Am I being naive?
>
> Set the permissions to 750, chown root.
> And make sure the shell script is non world or group writable.
>
> What's the vulnerability?

You are being very naive.

You can do an awful lot with environment variables. What would happen if
you set ENV before running your wrapper? /bin/sh would see it and execute
whatever is in the file it points to. What if you set one of a couple of
LD_* environment variables? The loader would see them and use whatever
they point to. Net result: people who can run it can do whatever they
want as the user it is setuid to.

Not passing in the external environment is a good first step to making it
secure.

>
> Kevin
>
> >
> > > -- cut here (wrapper.c) --
> > >
> > > #include <unistd.h>
> > > main()
> > > {
> > >    execl("/etc/rc.WHATEVER","WHATEVER",NULL);
> > > }
> > >
> > > -- end--
>
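
Added example, not part of the original message or of any FreeBSD code: a version of the quoted wrapper that takes the "first step" named in the reply by building the environment itself instead of inheriting the caller's. The allowlist (TERM, TZ), the fixed PATH value, the '/' and '%' value check and the helper names are assumptions of this example; /etc/rc.WHATEVER is the placeholder from the quoted wrapper.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SCRIPT  "/etc/rc.WHATEVER"  /* placeholder path from the quoted wrapper */
#define MAX_ENV 8

/* Assumed allowlist: only these names may be inherited from the caller. */
static const char *const allowed[] = { "TERM", "TZ" };

/* PATH is set by the wrapper itself, never taken from the caller (assumed value). */
static char fixed_path[] = "PATH=/bin:/usr/bin";

/* 1 if entry is "NAME=value", NAME is allowlisted and value has no '/' or '%'. */
static int is_allowed(const char *entry)
{
    size_t i, n;
    for (i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        n = strlen(allowed[i]);
        if (strncmp(entry, allowed[i], n) == 0 && entry[n] == '=')
            return strpbrk(entry + n + 1, "/%") == NULL;
    }
    return 0;
}

/* Build a NULL-terminated environment in out[] (max >= 2 slots): the fixed
 * PATH, then allowlisted entries from in[]. ENV, LD_* and anything else not
 * listed never reach the exec'd shell. Returns the entry count. */
int build_clean_env(char *const in[], char *out[], int max)
{
    int n = 0;
    out[n++] = fixed_path;
    for (; in != NULL && *in != NULL && n < max - 1; in++)
        if (is_allowed(*in))
            out[n++] = *in;
    out[n] = NULL;
    return n;
}

int main(void)
{
    extern char **environ;
    char *clean[MAX_ENV];

    build_clean_env(environ, clean, MAX_ENV);
    execle(SCRIPT, "WHATEVER", (char *)NULL, clean);
    perror("execle");               /* reached only if the exec failed */
    return 1;
}
```

This covers only the environment; the permissions on the script and on every directory in its path still have to be as restrictive as discussed in the thread.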