Are suid shell scripts using /bin/csh secure

Ian Phillipps mcvax!camcon.co.uk!igp at uunet.uu.net
Wed Apr 26 17:58:11 AEST 1989


attcan!utzoo!henry at uunet.uu.net writes:

>>I know of three common modes of attack on set-uid shell scripts, all of
>>which I have failed to apply successfully to reasonably written shell
>>scripts under /bin/csh...
>>The question is, are there any other ways in which shell scripts can be
>>broken, and which shells do they apply to?

>The real question is, are you confident that there *aren't* any others?

>(If you want another one to check out...  Can csh be tricked, by invoking
>it with suitable arguments, into running the equivalent of a .profile
>before running the script?)

No trickery needed! It's the default!
Verified with csh on SunOS 4.0 and a .cshrc file containing "whoami".

The script starts with "#!/bin/csh -b": putting -fb plugs this hole. The
-b flag is specifically designed to stop this very problem, and csh will
not run suid without it.

Having said that, though, my experience of csh is that it has so many
quirks that I, for one, am not "confident".

Larry Wall says that Berkeley 4.? kernels are insecure (reasons left
unstated to protect the guilty) for ANY shell script, even perl :-), and
has gone to some trouble to circumvent this.  Maybe you trust perl less
than csh, but at least the author has thought about the problem, and has
issued an unanswered challenge for anyone to break perl scripts' security.
And you can flame him on the net if it doesn't work :-)

UUCP:  igp at camcon.co.uk   | Cambridge Consultants Ltd  |  Ian Phillipps
or:    igp at camcon.uucp    | Science Park, Milton Road  |-----------------
Phone: +44 223 420024     | Cambridge CB4 4DW, England |
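
An added example, not part of the original post: a Python audit that flags set-uid csh scripts whose "#!" line lacks the -b or -f flags discussed above. The function names are hypothetical; covering tcsh and treating only the first option word as effective are assumptions.

```python
import os
import stat
import sys

# tcsh is included as an assumption; the post itself only discusses csh.
CSH_NAMES = {"csh", "tcsh"}


def classify_shebang(first_line):
    """Return 'not-csh', 'ok', or 'missing -<flags>' for a script's first line."""
    if not first_line.startswith("#!"):
        return "not-csh"
    parts = first_line[2:].split()
    if not parts or os.path.basename(parts[0]) not in CSH_NAMES:
        return "not-csh"
    # Assumption: only the first option word counts, since the kernel hands
    # the interpreter a single argument taken from the "#!" line.
    opts = parts[1] if len(parts) > 1 and parts[1].startswith("-") else ""
    missing = [flag for flag in "bf" if flag not in opts[1:]]
    return "ok" if not missing else "missing -" + "".join(missing)


def audit(paths):
    """Return (path, verdict) for set-uid csh scripts lacking -b or -f."""
    findings = []
    for path in paths:
        try:
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            with open(path, "rb") as fh:
                first = fh.readline(256).decode("latin-1").rstrip("\r\n")
        except OSError:
            continue  # unreadable or vanished file: skip it
        verdict = classify_shebang(first)
        if verdict not in ("not-csh", "ok"):
            findings.append((path, verdict))
    return findings


if __name__ == "__main__":
    # Usage: python audit_csh.py /usr/local/bin /opt ...
    for root in sys.argv[1:]:
        for dirpath, _dirs, files in os.walk(root):
            for path, verdict in audit(os.path.join(dirpath, f) for f in files):
                print(f"{path}: {verdict}")
```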


