From owner-freebsd-chat Wed Sep 5 16:14:14 2001 Delivered-To: freebsd-chat@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-54.dsl.lsan03.pacbell.net [63.207.60.54]) by hub.freebsd.org (Postfix) with ESMTP id 7F9E937B407 for ; Wed, 5 Sep 2001 16:14:09 -0700 (PDT) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 9FD2A66D0A; Wed, 5 Sep 2001 16:14:08 -0700 (PDT) Date: Wed, 5 Sep 2001 16:14:08 -0700 From: Kris Kennaway To: Piet Delport Cc: Giorgos Keramidas , freebsd-chat@FreeBSD.ORG Subject: Re: Scripts and setuid Message-ID: <20010905161408.A80303@xor.obsecurity.org> References: <999708032.3b96558062cd2@webmail.neomedia.it> <20010905204055.A268@athalon> <20010905215258.A4304@hades.hell.gr> <20010906005600.A4157@athalon> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="vtzGhvizbBRQ85DL" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010906005600.A4157@athalon>; from siberiyan@mweb.co.za on Thu, Sep 06, 2001 at 12:56:00AM +0200 Sender: owner-freebsd-chat@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --vtzGhvizbBRQ85DL Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Sep 06, 2001 at 12:56:00AM +0200, Piet Delport wrote: > > It is very easy to set up the environment of the parent process and > > execute a script with certain things in the environment that will > > cheat and have the script execute code with elevated priviledges. >=20 > True, but isn't the same thing generally true for non-script executables > as well? No. > How insecure is it, for example, to have a small setuid script (with > basic checks in place like overriding PATH to something conservative, > etc.) that writable only by root, and owned by root:bar, with the intent > that users in group bar can execute it? I forget where I saw it, but there was a tutorial which went through about a dozen ways to gain privilege using a setuid shell script on OSes which allow it. It's just too easy. > I'm very probably missing something important (if so, please enlighten > me), but how is the the above much worse than having a similar setuid > binary doing the same? Setuid binaries ignore all dangerous environment variables and so (modulo implementation bugs) can't be controlled by the attacker to gain privilege. Setuid shell scripts don't. Kris --vtzGhvizbBRQ85DL Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7lrHAWry0BWjoQKURArrUAJ49rv81QA+tU1abJu9cR4TXm3UZkgCeJfcm CEDVxB07H4MPWSIZF7PjuNQ= =hmT4 -----END PGP SIGNATURE----- --vtzGhvizbBRQ85DL-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-chat" in the body of the message