Secure setuid shell scripts

terryl at tekcrl.CRL.TEK.COM
Sat Oct 22 03:23:25 AEST 1988


In article <4409 at bsu-cs.UUCP> dhesi at bsu-cs.UUCP (Rahul Dhesi) writes:
>If a 4.3BSD system has not been patched to disallow set-user-id shell
>scripts, but root uses no set-user-id scripts, does a security hole
>still exist that will allow an unprivileged user to obtain root
>privileges?

     Yes. The problem is not that root uses a set-user-id shell script,
but that there exists anywhere in the file system a set-user-id shell
script THAT I CAN EXECUTE AS A MERE MORTAL (i.e. normal user). If such
a set-user-id shell script does exist, then in a matter of minutes
(depending on how fast I can type!!! (-:) I can become the id of that
shell script!!!! No matter the id, if I can execute it, I can be that id,
without knowing the password or any other such trickery. If it's a
set-user-id shell script to root, you know the old saying "Well, bend
over backwards and kiss your ..... goodbye!!!"

     As has been alluded to MANY times in the past, the problem is NOT
in the semantics of the shell language (i.e. sh, csh, ksh), but in the
semantics of the file system itself. Think about it for a while. I know
when this first hit I said, "Boy, sure sounds like a lot of paranoia to
me". But, after thinking about it for a week or so, the little light
(literally!!) went on inside my head, and then I said, "Yuck!!! That's
not mere paranoia, that's a genuine security hole that's not easily
fixed" (short of disallowing set-user-id shell scripts).

     Just as a little more information, I do need a directory that I can
write to, but it doesn't have to be anywhere special. Since /tmp (and
usually /usr/tmp) is writable by everyone in the world, this will suit
my needs just fine.
