
Re: VI wrapper for SUDO? - another bad way ??



Gerfried Fuchs writes:
>* William R Ward <bill@wards.net> [2001-12-03 00:50]:
>> Right; but assuming one takes care of this kind of issue, is there
>> anything inherently unsafe about running shell scripts through sudo?
>
> shell scripts usually call other programs - whose behavior could be
>most of the time changed with env-variables.  It's almost impossible to
>think of all those things.

Yes, it is difficult, but if one is conscientious enough about
checking all the environment variables and such it can be done.

>> I understand that there are risks of race conditions with setuid shell
>> scripts, and so they are disabled on most Linux boxen.
>
> You have a misinformation/misinterpretation there.  It's not disabled,
>it's simply not possible in the way scripts are run.  They are passed to
>the program that is given in its first line, after the #! - or to the
>current shell, if there is no such line.  As *argument*.
>
> If you think about it how should the suid/sgid bit from an argument be
>given over to the program which handles that file?  There's no way other
>than using wrappers, like sudo.

It's been an option on traditional Unix systems for a long time.  When
the kernel runs the interpreter listed on the #! line, it does so with
suid/sgid access enabled.  It's not really any more difficult than
launching binaries.  It's the kernel, not the shell, that parses the
#! line.  I'm not sure in what ways Linux may differ from traditional
Unix on this point, however.

>> Is that also an issue for sudo shell scripts?
>
> You should give sudo access to a shell script only to those persons who
>you trust.  After all, think about it - is root really needed there?
>Most parts don't really need root but can be done through group usages,
>like most things in Debian work.  That gives you another level of
>abstraction/security.

A lot of things, like sendmail for a prominent example, may use group
accounts but still expect the files to be owned and writable only by
root.

> Btw, why was this mailed to debian-security?  I don't see anything
>related to Debian in that; some general Linux (security)
>mailing list/newsgroup would suit better.

Because the thread originated there.  The original idea was
debian-related, in that I wanted to be able to have /etc/alternatives
be consulted when deciding what editor to invoke.

--Bill.

-- 
William R Ward            bill@wards.net          http://www.wards.net/~bill/
-----------------------------------------------------------------------------
     If you're not part of the solution, you're part of the precipitate.
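Added example, not part of Bill's or Gerfried's messages: the PATH and
environment problem the thread is about, shown as a naive "vi wrapper for
sudo" that calls the editor by an unqualified name, next to a hardened
wrapper that fixes PATH, drops the variables sh and the editor honour, and
refuses to run an editor that is not an absolute path, is not owned by the
invoking uid, or is writable by group or world.  The malicious vi, the
stand-in editor that records its PATH, and the temporary directory are all
constructed inside the script.  In a real deployment the editor path would
be a root-owned file such as Debian's /usr/bin/editor alternatives link,
fixed in the script and never taken from the caller.  The ownership and
mode checks follow symlinks and look at the final binary only, not at the
directories along the link chain.  This controls how the editor is reached,
not what it can do once running (an interactive editor will happily shell
out), which is what sudo's own sudoedit / sudo -e mode exists for; and
modern sudo resets the environment by default (env_reset), but a script
that may also be started some other way should not rely on that.

```shell
#!/bin/sh
# Added example (not from the original post): a naive sudo editor wrapper
# that calls 'vi' through the caller's PATH, beside a hardened wrapper that
# fixes the environment and checks the editor binary before running it.
# The temporary directory, the malicious 'vi' and the stand-in "real"
# editor are constructed below for demonstration only.

# --- naive wrapper: whatever 'vi' the caller's PATH resolves to runs with
# the wrapper's privileges, i.e. as root under sudo ---
naive_wrapper() {
    vi "$1"
}

# --- hardened wrapper ---
# $1: absolute path of the editor, fixed by the administrator in the script
# $2: file to edit
hardened_wrapper() {
    editor=$1
    target=$2

    # Replace the inherited environment with a fixed one.  PATH decides which
    # binaries the script and the editor find; ENV/BASH_ENV are sourced by
    # sh/bash at startup; IFS and CDPATH change word splitting and directory
    # lookup; LD_* alter dynamic loading in every child; EDITOR/VISUAL are
    # honoured by programs the editor may call.
    PATH=/usr/bin:/bin
    export PATH
    unset IFS CDPATH ENV BASH_ENV LD_PRELOAD LD_LIBRARY_PATH EDITOR VISUAL

    # A bare name would go through PATH; insist on an absolute path.
    case $editor in
        /*) ;;
        *) echo "hardened_wrapper: editor must be an absolute path" >&2; return 2 ;;
    esac

    # The editor must be a regular executable owned by the uid we run as
    # (root under sudo) and writable by nobody else, or whoever can replace
    # it gets root the next time the wrapper runs.
    if [ ! -f "$editor" ] || [ ! -x "$editor" ]; then
        echo "hardened_wrapper: $editor is not an executable file" >&2
        return 2
    fi
    if [ ! -O "$editor" ]; then
        echo "hardened_wrapper: $editor is not owned by the invoking uid" >&2
        return 3
    fi
    # ls -l mode string (symlinks followed): char 6 is group-write,
    # char 9 is other-write.
    perms=$(ls -ldL "$editor" | cut -c1-10)
    case $perms in
        ?????w*|????????w*)
            echo "hardened_wrapper: $editor is group- or world-writable" >&2
            return 3 ;;
    esac

    "$editor" "$target"
}

# --- constructed fixture: an attacker-controlled directory ---
setup_fixture() {
    FIXTURE_DIR=$(mktemp -d) || return 1
    # The 'vi' an unprivileged user plants first on their PATH.
    printf '#!/bin/sh\necho hijacked > "$1.hijacked"\n' > "$FIXTURE_DIR/vi"
    # Stand-in for the real editor: records the PATH it was started with.
    printf '#!/bin/sh\necho "$PATH" > "$1.edited"\n' > "$FIXTURE_DIR/editor"
    chmod 755 "$FIXTURE_DIR/vi" "$FIXTURE_DIR/editor"
    : > "$FIXTURE_DIR/target"
}

# Run the naive wrapper with the attacker's directory first on PATH (in a
# subshell so the tampered PATH does not leak).  Prints hijacked or clean.
attack_naive() {
    rm -f "$FIXTURE_DIR/target.hijacked"
    ( PATH="$FIXTURE_DIR:$PATH"; export PATH; naive_wrapper "$FIXTURE_DIR/target" )
    if [ -f "$FIXTURE_DIR/target.hijacked" ]; then echo hijacked; else echo clean; fi
}

# Same attack against the hardened wrapper.  Prints the PATH the editor saw,
# or returns the wrapper's error status if it refused to run.
attack_hardened() {
    rm -f "$FIXTURE_DIR/target.hijacked" "$FIXTURE_DIR/target.edited"
    ( PATH="$FIXTURE_DIR:$PATH"; export PATH
      hardened_wrapper "$FIXTURE_DIR/editor" "$FIXTURE_DIR/target" ) || return $?
    if [ -f "$FIXTURE_DIR/target.hijacked" ]; then echo hijacked; else cat "$FIXTURE_DIR/target.edited"; fi
}

cleanup_fixture() { rm -rf "$FIXTURE_DIR"; }

main() {
    setup_fixture
    echo "naive wrapper, attacker dir first on PATH: $(attack_naive)"
    echo "hardened wrapper, same PATH, editor saw:   $(attack_hardened)"
    chmod o+w "$FIXTURE_DIR/editor"
    if attack_hardened >/dev/null 2>&1; then
        echo "hardened wrapper, world-writable editor:   ran (BAD)"
    else
        echo "hardened wrapper, world-writable editor:   refused"
    fi
    cleanup_fixture
}
main
```

Run it directly to see the three cases; it needs only POSIX sh, ls, cut,
chmod and mktemp.  The interesting line is the second one: even with the
attacker's directory first on the caller's PATH, the editor is started with
PATH=/usr/bin:/bin and nothing from the caller's environment.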


