
Re: SUID Shell scripts?




--Damacus-- said:
> In the past, I tried running a 4755 bash script (owned by root, of course) as
> a normal user and the script was executed as a non-root user.
> 
> That's not too bad since I was able to write a C program for the SUID
> operations anyhow, but still, does Linux allow SUID scripts?

No.  Allowing scripts to be setuid is inherently insecure.  Older Unix
systems would allow it.

Imagine this scenario:

    You have a setuid script /usr/local/bin/dosomething.
    You make a symlink to it in your home directory.
    You execute ./dosomething.
    The OS looks at the script and sees it needs to run /bin/sh setuid.
    You replace the symlink with your own script.
    /bin/sh starts up, with your script as the argument.
    /bin/sh runs your script setuid.

I think that's how the exploit goes.  The idea is that you could do a
rename() (and maybe an unlink()) a lot quicker than the whole
procedure of reading the first line of the script, exec()'ing the new
shell, etc.

There is a secure way to do setuid shell scripts that involves passing
an open file descriptor to the shell instead of a filename, but I'm
not sure what systems implement that.  (I think Solaris does, using
/dev/fd/*, and I've seen it done as a proof-of-concept on Linux using
/proc/self/fd/*.)

Steve
-- 
steve@silug.org           | Linux Users of Central Illinois
(217)698-1694             | Meetings the 4th Tuesday of every month
Steven Pritchard          | http://www.luci.org/ for more info
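
The descriptor-passing idea mentioned in the reply, as an added example that is not part of the original post or of any kernel or shell: the script is opened once, the ownership and mode checks run on the opened file with fstat(), and the interpreter would be handed /dev/fd/N, so replacing the path afterwards changes nothing. The helper names, the temporary directory and the two script files are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open once, validate the opened file (not the path), and build the
 * /dev/fd/N name an interpreter would be handed. Returns the fd or -1. */
int open_verified_script(const char *path, uid_t owner, char *fdpath, size_t n) {
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    snprintf(fdpath, n, "/dev/fd/%d", fd);
    return fd;
}
static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (fd < 0) return -1;
    ssize_t w = write(fd, text, strlen(text));
    close(fd);
    return w == (ssize_t)strlen(text) ? 0 : -1;
}

/* Constructed demo: replace the path after the check. Returns 1 when the
 * descriptor still names the verified file and the path names another. */
int fd_survives_path_swap(void) {
    char dir[] = "/tmp/fdscriptXXXXXX", a[64], b[64], fdpath[32], buf[64] = {0};
    struct stat by_fd, by_path;
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/dosomething", dir);
    snprintf(b, sizeof b, "%s/other", dir);
    if (write_file(a, "#!/bin/sh\necho verified\n") != 0) return -1;
    if (write_file(b, "#!/bin/sh\necho swapped\n") != 0) return -1;
    int fd = open_verified_script(a, geteuid(), fdpath, sizeof fdpath);
    if (fd < 0 || rename(b, a) != 0) return -1;   /* path now names a new inode */
    if (fstat(fd, &by_fd) != 0 || stat(a, &by_path) != 0) return -1;
    ssize_t r = pread(fd, buf, sizeof buf - 1, 0);
    int ok = r > 0 && by_fd.st_ino != by_path.st_ino && strstr(buf, "verified");
    close(fd); unlink(a); rmdir(dir);
    return ok;
}
int main(void) { printf("%d\n", fd_survives_path_swap()); return 0; }
```

A check made with stat() on the path followed by exec of the same path would leave the window the reply describes; here the check and the later read go through the same descriptor.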
