Date:      Sat, 29 Aug 2009 06:18:34 +0300
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        rwmaillists@googlemail.com
Cc:        freebsd-questions@freebsd.org
Subject:   Re: SUID permission on Bash script
Message-ID:  <8763c7gved.fsf@kobe.laptop>
In-Reply-To: <20090829022431.5841d4de@gumby.homeunix.com> (RW's message of "Sat, 29 Aug 2009 02:24:31 +0100")
References:  <beaf3aa50908280124pbd2c760v8d51eb4ae965dedc@mail.gmail.com> <87y6p4pbd0.fsf@kobe.laptop> <20090829022431.5841d4de@gumby.homeunix.com>

On Sat, 29 Aug 2009 02:24:31 +0100, RW <rwmaillists@googlemail.com> wrote:
>On Fri, 28 Aug 2009 11:54:19 +0300 Giorgos Keramidas <keramida@ceid.upatras.gr> wrote:
>>On Fri, 28 Aug 2009 09:24:35 +0100, Jeronimo Calvo <jeronimocalvop@googlemail.com> wrote:
>>> As far as I know, using SUID, the script must run with root
>>> permissions... so I shouldn't get "Permission denied", what am I doing
>>> wrong??
>>
>> No it must not.  There are security reasons why shell scripts are not
>> setuid-capable.  You can find some of them in the archives of the
>> mailing list, going back at least until 1997.
>
> I'm a bit puzzled by this, previous threads have given the impression
> that this is a myth, for example:
>
> http://www.mail-archive.com/freebsd-questions@freebsd.org/msg185134.html
>
> So are scripts actually incapable of running setuid?

If you hack at the kernel it may still be possible to run a script with
setuid or setgid permissions.  IMO there is still the possibility for
many things to go wrong, especially with "quick and dirty" scripts.

For example, what do you think will happen if a setuid script forgets to
properly quote filenames in commands like:

    foo=$1
    pidfile=/tmp/$foo.pid
    echo $$ > $pidfile

    # cleanup my pidfile
    truncate -s 0 $pidfile

and then I run the script with:

    setuid.sh " /etc/master.passwd /tmp/foo"

If you guessed that the pid value was not saved anywhere, that because
of the lack of error checking nobody noticed, and that the final
truncate command may have just wiped your `master.passwd' file, your
guess is probably right.
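
The quoting, input validation and error checking that the snippet in the message leaves out, as an added example that is not part of the original message. `PIDDIR` and the function names are hypothetical, and `rm` is used for cleanup in place of `truncate`.

```shell
#!/bin/sh
# Added example: hardened pidfile handling. PIDDIR and the function names
# are assumptions, not taken from the original message.

PIDDIR=${PIDDIR:-/var/run}

# Accept only a plain name: letters, digits, '.', '_' and '-', with no
# leading '.' or '-'. This excludes whitespace, '/' and glob characters.
valid_name() {
    case $1 in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# write_pidfile NAME PID: create $PIDDIR/NAME.pid holding PID.
write_pidfile() {
    valid_name "$1" || { echo "invalid name: '$1'" >&2; return 2; }
    pidfile=$PIDDIR/$1.pid
    # noclobber (set -C) makes '>' refuse to overwrite an existing regular
    # file, so a pidfile that is already there is never truncated.
    ( set -C; printf '%s\n' "$2" > "$pidfile" ) 2>/dev/null || {
        echo "cannot create $pidfile" >&2
        return 1
    }
}

# remove_pidfile NAME: delete the pidfile. The expansion is quoted, so it
# stays a single argument, and '--' ends option parsing.
remove_pidfile() {
    valid_name "$1" || { echo "invalid name: '$1'" >&2; return 2; }
    rm -f -- "$PIDDIR/$1.pid"
}
```

Both functions return non-zero on failure, so a caller can stop instead of carrying on after a write that never happened.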