>>>>>>>VITAL warning on suid shell scripts <<<<<<<<<<<<<<

dcm at plato.austin.ibm.com
Thu May 23 02:27:05 AEST 1991


In article <JROWE.91May14173008 at exua.exua.exeter.ac.uk> JRowe at exua.exeter.ac.uk (John Rowe) writes:
>
>   In article <9357.282caa94 at jetson.uh.edu> elee4fg at jetson.uh.edu writes:
>   >
>   >1) csh does not support suid. If your csh suid scripts file has this
>   >  #!/bin/csh
>   >   It won't work.
>   >  You need to do this in ksh
>
>Craig>>	   I believe this is not an AIXism but is a BSDism.  The BSD4.3
>Craig>>	   csh source I have access to does not support suid either.  This
>Craig>>	   is documented, I believe.
>
>suid shell scripts are a well known security NIGHTMARE. It is VERY VERY
>simple to use one of these to gain TOTAL root access. 


	How is this relevant to the csh discussion?  All I was saying was
	"by default, csh disallows suid scripts".  I think you can override
	that with '-b' (or something).  Who cares about csh anyway?  :-)

	Oh, BTW, Yes, I know that "suid shell scripts are a well known
	security NIGHTMARE".  That's been a fact ever since BSD introduced
	an exec system call that could handle shell scripts.  That was a
	long long time ago.


>	I TRIED WITH KSH UNDER AIX 3.1 (no revs) AND IT WORKED. 

	Yep.  Aix3.1's exec() supports scripts.  Suid will probably work
	for any script (besides csh I guess).  Heck, you can even write a
	suid awk script.


>	I, as an ordinary user, became root to do anything I liked. So
>please, warn every one you know never to allow suid shell scripts. This
>problem has been common knowledge for a long time but vendors are only
>now starting to worry about it.

	(1) if you can become root by using a shipped script, then report
	it as a defect.  (2) Yes, I admit shipped suid shell scripts are
	probably security holes.  (3) However, I don't agree that the concept of
	allowing suid shell scripts is a bug.
	
	If your system administrator messes up and writes a buggy suid script,
	it's his fault.  If we mess up and ship buggy scripts, it's our fault
	(and we should be shot).

	I've always argued that we should ship with suid scripts enabled,
	BUT document the possible security considerations extensively.  And
	be sure NOT to ship security holes ourselves!

	Why ruin something useful for everyone by just "turning it off"?  Sigh.


>Of course it *may* have been fixed in later releases :-)

	I hope not (IMHO).

>Sorry to come on so strong - what worries me is that Craig is from IBM
>at Austin...


	I don't see how this has any relevance either.  Yep, I'm currently
	at IBM in Austin.  I even work on The Change Team.  Our charter
	is to fix customer-reported defects.

	IMHO, you haven't pointed any defects out.

	(ob disclaimer: I do not represent IBM.  Everything I say is strictly
	 my own opinion.)

>John Rowe
>Exeter University Computational Physics Group
>Exeter
>UK
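
An added example, not part of the original post or anyone else's message in this thread: a small POSIX shell audit that lists setuid/setgid regular files under a directory whose first two bytes are "#!", i.e. exactly the interpreted scripts (sh, ksh, awk, whatever the #! line names) that the thread says should never carry the suid bit. It assumes only find(1), dd(1), mktemp(1) and chmod(1); the sample tree it builds, and the file names in it, are constructed for the demonstration.

```shell
# Added example (not code from the original thread): audit a directory tree for
# setuid/setgid files that begin with "#!", which an exec() that understands
# scripts would hand to an interpreter with elevated privileges.
# Assumes POSIX find(1), dd(1), mktemp(1), chmod(1); sample names are constructed.

# Print every regular file under $1 that has the setuid or setgid bit set and
# whose first two bytes are "#!".  Files the caller cannot read are skipped.
find_suid_scripts() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # dd reads exactly two bytes; head -c is not POSIX.
        magic=$(dd if="$f" bs=2 count=1 2>/dev/null)
        if [ "$magic" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a constructed sample tree so the audit can be exercised offline:
# a setuid ksh script (must be reported), a setuid file that is not a script
# and a script without setuid (both ignored).  Prints the tree's root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin"
    printf '#!/bin/ksh\nid\n' > "$root/bin/suidscript"
    chmod 4755 "$root/bin/suidscript"
    printf '\177ELF not really a binary\n' > "$root/bin/suidbinary"
    chmod 4755 "$root/bin/suidbinary"
    printf '#!/bin/sh\nid\n' > "$root/bin/plainscript"
    chmod 0755 "$root/bin/plainscript"
    printf '%s\n' "$root"
}

# Stand-alone usage: "sh audit.sh --demo" audits the constructed tree;
# "sh audit.sh /" (as root, so every file is readable) audits the live system.
if [ "${1:-}" = "--demo" ]; then
    t=$(make_sample_tree)
    find_suid_scripts "$t"
    rm -rf "$t"
elif [ -n "${1:-}" ]; then
    find_suid_scripts "$1"
fi
```

Run it as root over the whole filesystem so unreadable files are not silently skipped. The "#!" test is deliberately independent of which interpreter is named, because, as the post notes, once exec() handles scripts the suid bit takes effect for any interpreter, awk included; csh is only exempt because it refuses such scripts by default.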


