how to setuid for shell scripts on ultrix? (really: SETUID SCRIPTS ARE A SECURITY HOLE)

Peter Lamb prl at iis.UUCP
Fri Nov 16 12:57:11 AEST 1990


In article <1990Nov15.181448.23231 at mdivax1.uucp>:

>In article <25009 at adm.brl.mil> K390590%AEARN at pucc.princeton.edu ( Steinparz Franz) writes:
>I have always been under the impression that setuid shell scripts
>intentionally do not work for BSD derived unixes in deference to security
>considerations.

The ability to run setuid shell scripts is inherently tied up
with the #!/path/name header for a script. I seem to remember that
this originated with BSD, but I'm no longer certain.

>However, our experience with ultrix 4.0 (and I believe
>2.0) is that *if and only if* "#!/bin/some-shell" is the first line of the
>script, then setuid will work for that script.

This is true. This is true for all BSD derivatives I know.

>However, does this behaviour
>not violate the whole point of not allowing setuid shell scripts - i.e.,
>that they are a security risk?  And, if it was indeed the intention to
>allow setuid shell scripts, why not go all the way and not require the
>leading "#!/bin/shell" as is the case with System V?

I'm a bit confused by this. I don't think that you need a #! header
in SysV for non-setuid shell scripts. I think that it probably still
honours the old practice of:

1) The shell tries to exec the script with exec[vl](2). If it has
   a #! header, the kernel executes the program named in the header
   and passes it the name of the script as an argument.

2) If the exec() fails, what happens depends on the shell:
	if you are trying to run the program from Bourne shell,
	then the shell forks and the child reads the script as commands.

	if you are using csh, then csh examines the first byte
	of the file, and if it's a #, then csh forks and
	reads the file as commands, otherwise
	it forks, and execs /bin/sh with the pathname of the script
	as its argument.

The reasons behind the strategy in 2) are rather arcane; the Bourne shell
predated csh, and in *that* (V7) version of the Bourne shell, # was not
a comment character; so that csh could run both sh and csh scripts,
csh scripts had to start with a #, since this was an unlikely
first character for a (V7) sh script (In V7 there was no #!/path/name
hack). Confused? I am!

You should also note that #! is not restricted to shells. If you
can predict what the following #! executable will do, you
are well on the way to understanding all this:

#!/bin/cat
hello squire

(You need to put it in a file and make it executable. What happens
when you run it? [rhetorical question :-)])

Those in need of a bit more of a challenge might try:

#!/bin/sed /^#/d
hello sailor


HOWEVER, before you dash off and start making setuid shell scripts:

	SETUID SHELL SCRIPTS ARE INHERENTLY A SECURITY HOLE!

		You *CAN'T* make them hackerproof.

The only exceptions I know to this are Larry Wall's perl interpreter
and Maarten Litmaat's setuid program (but make sure you get his
*second* release, not the first, to comp.sources.unix).

Since bulletproof /bin/sh and /bin/csh programs are notoriously
difficult to write, even in the absence of the kernel problem,
my recommendation is perl.

Peter Lamb
uucp:  uunet!mcsun!ethz!prl	eunet: prl at iis.ethz.ch	Tel:   +411 256 5241
Integrated Systems Laboratory
ETH-Zentrum, 8092 Zurich
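
Added example, not part of Peter Lamb's post: a small Python model of steps 1 and 2 above, showing the argv the kernel builds for a #! script and what sh or csh does when the exec fails. The function names are hypothetical, and treating the rest of the #! line as a single optional argument is an assumption about the kernel being modelled.

```python
def kernel_exec_argv(head: bytes, path: str):
    """Step 1: argv the kernel builds for a '#!' script, or None when
    the file has no usable header and the exec fails."""
    if not head.startswith(b"#!"):
        return None
    line = head[2:].split(b"\n", 1)[0].decode("latin-1").strip()
    if not line:
        return None
    parts = line.split(None, 1)
    argv = [parts[0]]                    # program named in the header
    if len(parts) == 2:
        argv.append(parts[1].strip())    # assumption: one optional argument
    argv.append(path)                    # the script is passed by *name*
    return argv


def shell_fallback(shell: str, head: bytes, path: str):
    """Step 2: what the invoking shell does once exec has failed."""
    if shell == "sh":
        # Bourne shell forks and the child reads the script as commands.
        return ("fork-and-read", "sh")
    if shell == "csh":
        # csh looks at the first byte: '#' marks a csh script,
        # anything else is handed to /bin/sh.
        if head[:1] == b"#":
            return ("fork-and-read", "csh")
        return ("exec", ["/bin/sh", path])
    raise ValueError("unknown shell: " + shell)


def run_plan(shell: str, head: bytes, path: str):
    """Combine both steps for a script whose first bytes are `head`."""
    argv = kernel_exec_argv(head, path)
    if argv is not None:
        return ("exec", argv)
    return shell_fallback(shell, head, path)


if __name__ == "__main__":
    # Constructed sample inputs, including the two scripts from the post.
    samples = [
        ("sh", b"#!/bin/cat\nhello squire\n", "./hello"),
        ("csh", b"#!/bin/sed /^#/d\nhello sailor\n", "./sailor"),
        ("csh", b"# a csh script\nset x = 1\n", "./c-script"),
        ("csh", b"echo hi\n", "./sh-script"),
    ]
    for shell, head, path in samples:
        print(shell, path, "->", run_plan(shell, head, path))
```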


