setuid shell scripts (was: Re: Running processes as root)
terryl at tekcrl.LABS.TEK.COM
Thu Oct 26 04:49:19 AEST 1989
In article <3806 at solo7.cs.vu.nl> maart at cs.vu.nl (Maarten Litmaath) writes:
terryl at tekcrl.LABS.TEK.COM writes:
\In article <3803 at solo7.cs.vu.nl> maart at cs.vu.nl (Maarten Litmaath) writes:
\+chris at mimsy.umd.edu (Chris Torek) writes:
\+\In article <20329 at mimsy.umd.edu> (look, domain names now!) I wrote:
\+\>\On all of the BSD derivatives on which setuid scripts run setuid,
\+\>\all such setuid scripts are not secure.
\+\
\+\In article <3789 at solo6.cs.vu.nl> maart at cs.vu.nl (Maarten Litmaath) writes:
\+\>It almost never happens, but this time you seem to be wrong, Chris!
\+\
\+\Not really, because I meant `if you write /etc/foo, make it setuid, start
\+\it with ``#! /bin/csh -bf'', and run it, and it runs setuid, then it is
\+\not secure.'
\+
\+I'm sure this was what you meant, but it wasn't what you said! (Check again.)
\+All right, you have already posted an article explaining the race condition,
\+but here's another story anyway, which explains how indir(1) can get things
\+right. Enjoy.
\
\ Not to pick nits, but Chris was *right* *both* times. As you have quoted
\him above, he said "On all of the BSD derivatives on which setuid scripts run
\setuid, all such setuid scripts are not secure."; implicit in this sentence
\is the fact that the only way to get a setuid script to run setuid, one must
\use the #! mechanism. So while Chris did not spell this out explicitly in his
\first posting, he did in his second. But he was still right the first time...
>Yeah, one must use the #! mechanism; SO WHAT!? I never denied that!
>And I showed how safe setuid scripts (NOTE: Chris didn't even say *shell*
>scripts) could be created. You want an example? Right, put the following
>in a file /etc/fubar:
>
> #!/bin/sh /etc/fubar
> echo "Am I right or am I right?"
>
>You're a pretty smart fellow if you can break this one (or you're root).
What needs to be added is the following fact: If a setuid shell script
uses ANY NON-BUILTIN command, I can become the owner of said setuid shell
script in a matter of minutes. In your above example, if the command "echo"
is not builtin to the shell, then yes, I can break the script in a matter of
minutes. If "echo" is builtin to the shell, then, no, I can't break the script.
>\PS:
>\ Is it time to post another way to breach security with a setuid shell
>\script that does NOT depend on the race condition with "unlink"????
>
>Yeah, go right ahead.
Well, now I can't tell if you're being sarcastic or not, but I'll wait
a few days before I post it. One small caveat, though: I do need one writable
directory, but it can be anywhere in the file system.....
Terry Laskodi
of
Tektronix
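Added illustration (not from any poster in this thread) of the PATH attack behind the "ANY NON-BUILTIN command" claim above. The victim script is modelled on the /etc/fubar example but calls cat, which no Bourne shell builds in, so the point shows even where echo is a builtin. Nothing here is actually setuid; command lookup works the same either way, and the race-condition side of the thread is not modelled. The working directory, the trojan cat and the hardened script's fixed PATH value are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added demonstration, not code from the thread: a script that runs any
# external command resolves it through the caller's PATH, so a caller who
# owns one writable directory can substitute their own binary.  Run as an
# ordinary user; the setuid bit changes who the trojan runs as, not whether
# it runs.  All paths below are assumptions for the demo.

WORK=$(mktemp -d)
ATTACK="$WORK/attacker"          # the one writable directory the attacker needs
mkdir -p "$ATTACK"
trap 'rm -rf "$WORK"' EXIT

# Victim script, in the spirit of /etc/fubar, but using cat (never a builtin).
cat > "$WORK/fubar" <<'EOF'
#!/bin/sh
cat <<'MSG'
real cat ran
MSG
EOF
chmod +x "$WORK/fubar"

# Hardened copy: identical, except PATH is pinned before any external command.
cat > "$WORK/fubar_fixed" <<'EOF'
#!/bin/sh
PATH=/bin:/usr/bin
export PATH
cat <<'MSG'
real cat ran
MSG
EOF
chmod +x "$WORK/fubar_fixed"

# Attacker's trojan "cat", dropped into the directory they control.
cat > "$ATTACK/cat" <<'EOF'
#!/bin/sh
echo "trojan cat ran"
EOF
chmod +x "$ATTACK/cat"

# Run a script with the attacker's directory first in PATH.  exec(2) of a
# "#!" script passes the caller's environment through untouched, so the
# interpreter inherits this PATH and finds the trojan first.
run_with_hostile_path() {
    PATH="$ATTACK:$PATH" "$1"
}

# Output of the unhardened script under the hostile PATH.
hijacked_output() {
    run_with_hostile_path "$WORK/fubar"
}

# Output of the hardened script under the same hostile PATH.
fixed_output() {
    run_with_hostile_path "$WORK/fubar_fixed"
}

echo "victim with hostile PATH   : $(hijacked_output)"
echo "hardened with hostile PATH : $(fixed_output)"
```

Pinning PATH only closes the vector shown here; the hardened copy is still a script, and the point made earlier in the thread, that the safe answer is to not run scripts setuid at all, stands.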