show me

Henry Spencer henry at utzoo.uucp
Wed Aug 3 02:53:56 AEST 1988


In article <43200021 at uicsrd.csrd.uiuc.edu> kai at uicsrd.csrd.uiuc.edu writes:
>I've seen talk about how unsafe setuid shell scripts are, but haven't ever
>seen any examples that prove this.  Would someone please explain to me now
>why, as a system administrator, I shouldn't ever use setuid/setgid shell
>scripts?

The basic, underlying, fundamental problem is that the shell -- any shell --
is a complex command interpreter that was not designed with security in
mind.  (Compare this to the hardware, which is also a somewhat complicated
command interpreter but was carefully designed to protect the operating
system from user misbehavior.)  There are numerous ways to trick shells into
doing things that the script-writer did not expect.  In general, any one
specific security hole can be plugged -- sometimes at a substantial price --
but the shells are simply too big and too complex for anyone to be confident
that the last hole has been found.

If you want a case in point, here's an oldie:  execute the shell script
with the IFS environment variable set to something bizarre, and watch the
shell break the script up into words in a totally unexpected way that can
result in unexpected programs being invoked.  This one's not hard to fix --
there is no good reason for the shell to accept IFS from the environment
at all, and ours doesn't -- but there are more where that came from.
-- 
MSDOS is not dead, it just     |     Henry Spencer at U of Toronto Zoology
smells that way.               | uunet!mnetor!utzoo!henry henry at zoo.toronto.edu
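The IFS trick Spencer mentions, as an added example that is not part of his post or of any shell's source: a small POSIX sh script (assumes only /bin/sh) shows how a caller-supplied IFS changes the word splitting of an unquoted expansion, and the hardening step of having the script reset IFS and PATH itself before doing anything else.

```shell
#!/bin/sh
# Added example, not code from the original post.  Demonstrates the mechanism
# behind the IFS problem (word splitting of unquoted expansions is driven by
# whatever IFS holds, including a value inherited from the caller) and the
# usual fix: a privileged script sets IFS and PATH itself, first thing.

# Number of words the unquoted expansion of "$2" splits into when IFS is "$1".
# Runs in a subshell so the caller's own IFS is left untouched.
words_under_ifs() (
    IFS=$1
    set -- $2
    echo $#
)

# 0 if IFS currently holds the default separators (space, tab, newline),
# 1 otherwise.  $(...) strips trailing newlines, so printf appends a
# sentinel 'x' that is then removed.
ifs_is_default() {
    want=$(printf ' \t\nx'); want=${want%x}
    [ "$IFS" = "$want" ]
}

# What a setuid/setgid script should do before anything else: take IFS and
# PATH from the script, not from whoever invoked it.
sanitize_env() {
    IFS=$(printf ' \t\nx'); IFS=${IFS%x}
    PATH=/usr/bin:/bin
    export PATH
}

# Demonstration: with IFS=/ the command name /bin/echo held in a variable is
# no longer a single word, so an old Bourne shell would look up and run a
# program called "bin"; after sanitize_env it is one word again.
demo() (
    cmd=/bin/echo
    IFS=/
    printf 'IFS=/       -> %s word(s)\n' "$(words_under_ifs "$IFS" "$cmd")"
    sanitize_env
    printf 'default IFS -> %s word(s)\n' "$(words_under_ifs "$IFS" "$cmd")"
)
demo
```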