From: krad
To: ml@telting.org
Cc: Chris Telting, freebsd-questions@freebsd.org
Date: Fri, 13 May 2011 09:32:52 +0100
Subject: Re: Established method to enable suid scripts?

On 13 May 2011 08:32, Jonathan McKeown wrote:
> On Thursday 12 May 2011 17:26:49 Chris Telting wrote:
> > On 05/12/2011 07:57, Jonathan McKeown wrote:
> > >
> > > I'll say that again. It is inherently insecure to run an interpreted
> > > program set-uid, because the filename is opened twice and there's no
> > > guarantee that someone hasn't changed the contents of the file addressed
> > > by that name between the first and second open.
> > >
> > > It's one thing to tell people they need to be careful with suid because
> > > it has security implications. Deliberately introducing a well-known
> > > security hole into the system would in my view be dangerous and wrong.
> >
> > That race condition bug was fixed in ancient times. Before FreeBSD or
> > Linux ever existed I believe. It's a meme that just won't die. People
> > accepted mediocrity in old commercial versions of Unix. I personally am
> > unsatisfied by kludges.
>
> That seems somewhat unlikely given, as someone else pointed out upthread, that
> Perl still comes with a compile-time option SETUID_SCRIPTS_ARE_SECURE_NOW,
> suggesting that they often aren't. Yes, there are ways to avoid this race
> condition - the usual one is to pass a handle on the open file to the
> interpreter, rather than closing it and reopening it.
>
> This fix is not present in every Unix or Unix-like OS. In particular (although
> I'm happy to be corrected if I'm wrong) it's not present in FreeBSD, to the
> best of my knowledge. Whether there's a reason for that other than lack of
> developer time I don't know.
>
> Jonathan

What I can't understand is the complete aversion to sudo. Could you shed any light on why you are trying to avoid a tried and tested method?
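The mitigation Jonathan describes (hand the interpreter a handle on the file that was already opened and checked, instead of letting it reopen the name) in C, as an added example that is not from this thread or from any OS or Perl source. All function names are this example's own, and it assumes a /dev/fd filesystem is mounted.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path once and check, via fstat on that descriptor, that it is a regular
 * file writable only by its owner. Returns the fd, or -1 (nothing left open). */
int open_checked_script(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    /* fstat the fd, never stat the name a second time: a name can be
     * repointed between two lookups, the inode behind an open fd cannot. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)
        || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Exec interp on the checked script as /dev/fd/N, so the interpreter reads
 * exactly the inode that was checked. Returns only on failure. */
int run_script_by_fd(const char *interp, const char *path)
{
    char fdpath[32];
    int fd = open_checked_script(path);
    if (fd < 0)
        return -1;
    snprintf(fdpath, sizeof fdpath, "/dev/fd/%d", fd);
    execl(interp, interp, fdpath, (char *)NULL); /* fd stays open across exec */
    close(fd);
    return -1;
}

/* Constructed self-check: create a temp file with the given mode and report
 * whether open_checked_script accepts it (1) or refuses it (0). */
int mode_is_accepted(mode_t mode)
{
    char name[] = "/tmp/suidscript.XXXXXX";
    int fd = mkstemp(name), checked = -1;
    if (fd >= 0 && chmod(name, mode) == 0)
        checked = open_checked_script(name);
    if (fd >= 0) { close(fd); unlink(name); }
    if (checked >= 0) close(checked);
    return checked >= 0;
}
```

A wrapper that calls run_script_by_fd("/usr/bin/perl", script) after dropping or confirming privilege never gives an attacker a second name lookup to win.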