Date: Sun, 23 Feb 1997 21:49:08 -0800
From: jehamby@lightside.com (Jake Hamby)
To: hackers@freebsd.org
Subject: disallow setuid root shells?
Message-ID: <199702240549.VAA01306@lightside.com>
In light of the recent security review, here's something that I've wondered
about ever since I noticed it. Often, after hacking the root account, a
malicious user will hide a setuid-root shell as a back door to allow future
access. Under Solaris, I've discovered that none of the standard shells
will allow a user to gain root privileges through a setuid root shell!
The sh and ksh shells will run, but the user will have their normal
privileges. Csh (and interestingly enough tcsh) print "Permission denied"
and exit when run with the setuid bit set.
Curiously, when I made a setuid shell owned by nobody, the sh command worked
(and gave me, as a normal user, nobody's permissions), while the csh command
still printed "Permission denied." I theorize that csh tries to gain
control of the user's terminal (for job control purposes), but can't do it
while assuming another user's UID.
Since I don't have Solaris source code, I'm not sure exactly what these
shells are doing, but I imagine a simple:
    #include <unistd.h>               /* geteuid(), getuid(), setuid(), _exit() */

    if (geteuid() == 0) {             /* If this is a setuid-root shell */
        if (setuid(getuid()) != 0) {  /* then silently restore the user's
                                       * permissions to prevent a security
                                       * backdoor; refuse to run if that fails */
            _exit(1);
        }
    }
near the beginning of the program would suffice. I don't claim that this
will do anything to thwart the knowledgeable hacker, but anything to make the
system more secure, especially against novice hackers who just found out
about the latest bug-of-the-week, would make FreeBSD a more secure system.
After all, although a setuid shell owned by a regular user might be useful
(though I wouldn't recommend it), it's obvious that a setuid-root shell
would be too much of a security risk to be allowable under any
circumstances. Comments?
While we're on the topic, I've always wondered about Perl 5's configure
messages about "secure setuid scripts". What exactly makes an OS capable of
hosting "secure" Perl or shell scripts, and what does this have to do with
the /dev/fd directory (that Perl searches for)?
-- Jake
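The check sketched in the post, carried a little further as an added example; this is not code from the post, from FreeBSD, or from any shell's source. It assumes POSIX setreuid()/setregid() semantics as found on FreeBSD and Linux. It differs from the post's snippet in three ways a practitioner would want: it triggers on any set-id start (a setuid-nobody shell still hands out nobody's privileges, and the geteuid()==0 test would let it through), it uses setreuid(r, r) so the saved set-user-id is overwritten too (a bare setuid(getuid()) only guarantees that when the effective uid is 0, so on Linux a setuid-nobody process could seteuid() back), and it verifies the drop by checking that the privileged id can no longer be regained, refusing to run otherwise, much as csh does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Added example, not code from the post or from any shell's source. */

/* 1 if the effective uid/gid differ from the real ones, i.e. the process
 * was started from a set-id binary, root-owned or not.  The post's
 * geteuid()==0 test misses a setuid-nobody shell. */
int started_set_id(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Permanently drop to the real user and group.
 * setreuid(r, r) with an explicit real id also overwrites the saved
 * set-user-id, so the process cannot seteuid() back later; a bare
 * setuid(getuid()) only guarantees that when the effective uid is 0.
 * Group first: once the uid is gone, changing the gid may be refused.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_to_real_user(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setregid(rgid, rgid) != 0)
        return -1;
    if (setreuid(ruid, ruid) != 0)
        return -1;
    return 0;
}

/* Verify the drop: effective ids must equal the real ones and, unless the
 * real user is root, trying to become euid 0 again must fail (EPERM).
 * Returns 1 when privileges are provably gone, 0 otherwise. */
int privileges_dropped(void)
{
    uid_t ruid = getuid();

    if (geteuid() != ruid || getegid() != getgid())
        return 0;
    if (ruid != 0 && seteuid(0) == 0)
        return 0;                 /* saved uid was still privileged */
    return 1;
}

int main(void)
{
    if (started_set_id()) {
        if (drop_to_real_user() != 0 || !privileges_dropped()) {
            perror("set-id shell: cannot drop privileges");
            return EXIT_FAILURE;  /* refuse to run, as csh does */
        }
    }
    printf("running as uid %d (euid %d)\n", (int)getuid(), (int)geteuid());
    return EXIT_SUCCESS;
}
```

Build it, chown it to root, set the setuid bit, and run it as an ordinary user: it reports the unprivileged uid in both slots. Run without the set-id bit, started_set_id() is 0 and the drop is a no-op that still verifies cleanly.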
