show me
Bruce G. Barnett
barnett at vdsvax.steinmetz.ge.com
Fri Aug 5 13:26:56 AEST 1988
In article <1570005 at hpcvlx.HP.COM> squires at hpcvlx.HP.COM (Matt Squires) writes:
|The issue is giving a user a setuid shell SCRIPT, not a setuid shell! Of
|course, if you give a user a flippin' root shell, he or she can do anything
|under the sun! That is what root shells are for!
|
|The issue is why are setuid SCRIPTS a security problem.
With a setuid shell script, a hacker could get a root shell in 10
seconds. It doesn't matter WHAT is in the shell script. Setuid scripts are
basically insecure. There is NO work-around, unless the vendor's
software has closed ALL of the holes.
You MIGHT consider having a setuid script in a directory where
only one group or user can execute it. This only limits the access to
the hole. That is, it makes the number of tasks to break in longer.
Then you have to make two user ID's are secure instead of one. Not Good.
Just to give you a taste of the types of problems with setuid shell scripts,
have you considered:
1. People can alias '/bin/cat' in their .cshrc
2. shell scripts import environment variables like PATH
3. Shell scripts, and several programs output to various file
descriptors. These can be redirected to other files
4. Temporary files can be modified in the middle of a routine,
if access is wrong
But these are *Nothing* compared to the real hole.
The hole is small, but tough to close. See the summary line.
Avoid setuid shell scripts.
--
Bruce G. Barnett <barnett at ge-crd.ARPA> <barnett at steinmetz.UUCP>
uunet!steinmetz!barnett
More information about the Comp.unix.wizards
mailing list