Are suid shell scripts using /bin/csh secure

Mikel Lechner ames!decwrl!teraida!mikel at uunet.uu.net
Fri Mar 31 15:08:48 AEST 1989


will%robots.oxford.ac.uk at nss.cs.ucl.ac.uk (Will Dickson) writes:
 >> I know of three common modes of attack on set-uid shell scripts, all of
 >> which I have failed to apply successfully to reasonably written shell
 >> scripts under /bin/csh, but are successful against scripts with /bin/sh
[stuff elided]
 >> The question is, are there any other ways in which shell scripts can be
 >> broken, and which shells do they apply to?

Yes, there is a very important security hole in set userid shell scripts
that has been discussed in other newsgroups.  The problem is inherent in
the way the kernel invokes set userid shell scripts.  The set userid shell
that is invoked can be spoofed into running a script other than the one
that is intended.  I was able to verify the bug under SunOS 3.2 and 4.0
with a program I wrote.

The fix for this problem is for the shell to ensure that the script it is
running is actually the one that caused it to be invoked.  Neither shell
does this check, therefore they are both insecure.  Best not to use set
userid shell scripts until this problem is fixed.

Mikel Lechner				UUCP:  {decwrl,sun}!teraida!mikel
Teradyne EDA				Phone: (408) 980-5200
5155 Old Ironsides Drive
Santa Clara, Ca 95054