Date: Sat, 29 Aug 2009 19:21:57 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: RW <rwmaillists@googlemail.com> Cc: freebsd-questions@freebsd.org Subject: Re: SUID permission on Bash script Message-ID: <4A9971C5.1080308@infracaninophile.co.uk> In-Reply-To: <20090829134436.4461d8c9@gumby.homeunix.com> References: <beaf3aa50908280124pbd2c760v8d51eb4ae965dedc@mail.gmail.com> <87y6p4pbd0.fsf@kobe.laptop> <20090829022431.5841d4de@gumby.homeunix.com> <4A98A8A1.7070305@prgmr.com> <4a98d375.W9fcoTOIN1DqRk/3%perryh@pluto.rain.com> <20090829134436.4461d8c9@gumby.homeunix.com>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigE4AF1D4B9A72E543D1387278 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable RW wrote: > On Sat, 29 Aug 2009 00:06:29 -0700 > perryh@pluto.rain.com wrote: >=20 >> Michael David Crawford <mdc@prgmr.com> wrote: >>> It's not that setuid shell scripts are really more >>> inherently insecure than programs written in C. >> Actually, absent some careful cooperation between the kernel >> and the interpreter to prevent a race condition that can cause >> the interpreter to run (with elevated permissions) a completely >> different script than the one that was marked setuid, setuid >> scripts _are_ insecure in a way that _cannot_ be fixed by any >> degree of care that might be taken in the writing of the script. >> >> Check the hackers@ archives. It was discussed a little over a >> month ago. >=20 > But is isn't that the same issue that Matthew Seaman was saying was > fixed years ago (in the link I gave before), and is described in the > follow-up: >=20 > http://www.mail-archive.com/freebsd-questions@freebsd.org/msg185145.htm= l >=20 > That's entirely in the kernel, it doesn't require interpreter support. The race condition between the kernel opening the script and the interpre= ter doing so should certainly be fixed in any Unix or Linux distribution avai= lable today. Either, as above, by the kernel passing an open file descriptor t= o the invoked script, or simply by ignoring any setuid or setgid bits on interp= reted scripts. There are other attacks against SUID scripts -- see for instance: http://www.tech-faq.com/suid-root-script-binary.shtml http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html most of which work by exploiting the sort of features of the scripting language that make it into a powerful and useful tool. Almost all of the= se sort of exploits can be avoided by careful programming -- for instance, always explicitly setting $IFS and $PATH to known good values, or using t= he one set of command line flags allowed on the #! line to block the '-i' t= rick (ie. use '#!/bin/sh --' which forces any subsequent items on the command line to be treated as files rather than command options). However, you (the programmer) would have to know all about the various tricks for=20 exploiting suid-ness in order to counter them. The preferred way of running a script SUID is to write a very small C=20 wrapper program that can be made SUID and that executes the script after gaining increased privileges. Done well, this is definitely the best and= most secure approach. Note however that the C wrapper must be similarly as carefully written as a suid script or many of the same exploits could sti= ll be possible. So, unless you are an expert programmer and understand how to defend your= code against attack, your best bet really is to just use sudo(8). Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW --------------enigE4AF1D4B9A72E543D1387278 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEAREIAAYFAkqZccwACgkQ8Mjk52CukIyuCwCffQyeElJCo7vO182PVgpRThK9 9JIAn0c4bk80fjSiJqHWvBeZHopZBXvc =fZw1 -----END PGP SIGNATURE----- --------------enigE4AF1D4B9A72E543D1387278--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4A9971C5.1080308>