Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 20 Feb 2016 09:42:08 +0000
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: minimize use of root account
Message-ID:  <56C834F0.4020000@FreeBSD.org>
In-Reply-To: <20160219221111.5ead3364.freebsd@edvax.de>
References:  <CACo--mv9qU2ZwtTuZRQBpioEr+enT=sd-SJ79BFumZt5aL18jg@mail.gmail.com> <20160219120503.fc97ef10.freebsd@edvax.de> <56C72C45.2050606@qeng-ho.org> <20160219221111.5ead3364.freebsd@edvax.de>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--NJXje4fi2mPL8r1Lh8bbUGvfuOT8jHnbK
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

On 19/02/2016 21:11, Polytropon wrote:
>> I thought suid scripts were disabled years ago because they were a maj=
or=20
>> > security loophole?

> You're right - it's the case.
>=20
> % ll root_test.sh=20
> -rwsr-sr-x  1 poly  poly  24 2016-02-19 19:25:20 root_test.sh*
>=20
> % cat root_test.sh
> #!/bin/sh
> id -u
> whoami
>=20
> % ./root_test.sh
> 2000
> poly
>=20
> % sudo ./root_test.sh
> 0
> root
>=20
> I think this is fully intended.

Although 'no setuid scripts' is pretty well embedded in the Unix psyche,
I was under the impression the underlying problem had been fixed some
time ago.

The problem with a setuid script is that there is a window of
opportunity between the system opening the script, parsing the #! line,
firing up the appropriate interpreter and having that *reopen* the
script to execute it -- if you can replace the script at just the right
time, you can get anything executed with root permissions.

This was solved, as I recall, by the system passing its already open
file descriptor on the original script to the interpreter.  That
requires the fdescfs pseudo-filesystem to be mounted, which populates
/dev/fd. You need the full fdescfs mounted -- devfs only gives you
filedescriptor devices for stdin, stdout and stderr for a process, and
that's not enough.

Even so, irrespective of fdescfs being mounted or not, it seems setuid
scripts are still disallowed.

	Cheers,

	Matthew



--NJXje4fi2mPL8r1Lh8bbUGvfuOT8jHnbK
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJ8BAEBCgBmBQJWyDT2XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2NTNBNjhCOTEzQTRFNkNGM0UxRTEzMjZC
QjIzQUY1MThFMUE0MDEzAAoJELsjr1GOGkATPOQP/iIE13GBQUa5GYty9mvCoJ5B
MmjKU4px4mh/jigu12reR/oZF016nFP+5znZ8jMpT9kAqYjQ7BIA68MD69/AT8ll
nIaJlKRH9QA31Zw+R+d5RmcbJREuSZAZW1S/8JCjRv55IbTuh9FhrZh2AweU5Hsp
UTUGaxpdmpeomH1/eFohcL9kHWfbR6pekUMjfjDz4KNdNSFajyW0sxJP8A10kuto
DZb5s3WYzUmRpi/p8NeCmEUeUQ/LEbWPk59VgI/iq3L9mRxbtlot4qbMHI5FkMFL
C943M9pgDRz1xH2KU+w8Rydk85MIqx5BFi5pv3btYLkPKNQOR+O6ZipqWHOjVkr8
tirhHMeqNSlCutH2O1mO7i+4H8szlRB52Ki8hqqdBwr2Y6qIjuzJjBhtAS04TE4d
O7VFoW6tWQLTf67EpqpWYgOIaoszRkvJRwB7Bww/zEu2Ce0IDw8gB+dO5NIhW+be
a+9V5H6bKCRYTdiGuzu7UiRckYY+q/lo1Z3FMzeqAMO1hURTJpEySdPelfa+dI3r
36sSM7niq5xS5ioP8DwHgZ+PTwTpXVgYCzHbnpoGUpd1wch06h+Ocv+oqdtaPCrg
KejuYBhltqy8dEHEwMj3xfT2LCDs3oEWrVTj6BzxwRUgSpEMIVYkSgqSMy332v2a
E+YMOJyRYwguQhkXOWz/
=COG0
-----END PGP SIGNATURE-----

--NJXje4fi2mPL8r1Lh8bbUGvfuOT8jHnbK--



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?56C834F0.4020000>