
Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour




On 12/24/2013 04:34 AM, Reco wrote:
>  Hi.
> 
snip
> 
> I'm not Paul, but that's simple.
> Setuid bit is ignored for scripts.
> 
> The reason for it is - the only thing that's able to spawn a process is
> an executable, which has certain format (ELF for Linux, possibly a.out
> - that depends on a kernel configuration).
> 
> Every time you execute a script, you, in fact, are invoking script
> interpreter (probably /bin/sh in this case), which, in turn,
> executes your script.
> 
> So, to make your script work you can:
> 
> a) Bad idea.
> 
> Set suid bit on an appropriate script interpreter.
> 
> b) So-so idea.
> 
> Write your own BINARY executable and set suid bit on it.
> 
> c) Good idea.
> 
> Use sudo(1).
> 
> Reco
> 

Something your message reminded me of:

In a webserver environment, suid/sgid doesn't really matter, even if
they did work on scripts.  The apache/php process is reading the file's
contents and running what's in it, not directly running it as a program
or script via the shell.  That's why php scripts are usually -rw-r--r--
and not -rwxr-xr-x. The executable bit, like setuid/setgid, is
interpreted by the shell.

In that situation, it only matters that the process owner can read the
file.

- PaulNM
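An added audit helper for the points raised in this thread (not code from Reco or PaulNM): since the setuid bit is ignored on scripts, a setuid/setgid bit on a non-ELF file is a leftover misconfiguration worth reviewing, and a setuid bit on an interpreter binary (option a above) is the dangerous case. The example assumes a POSIX shell with `find`, `od` and `basename`; the interpreter name list is an assumption, not something the thread specifies.

```shell
#!/bin/sh
# Classify a file by its first bytes: "script" (starts with "#!"),
# "elf" (starts with \x7fELF, the format the kernel can exec directly),
# or "other".
file_kind() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        2321*)     echo script ;;   # "#!" shebang: run via an interpreter
        7f454c46*) echo elf ;;      # ELF executable
        *)         echo other ;;
    esac
}

# Print "kind path" for every setuid/setgid file under $1 that is not an
# ELF binary. The kernel ignores these bits on scripts, so they are either
# dead weight or a sign someone tried (and failed) to privilege-escalate a script.
audit_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | while read -r f; do
        k=$(file_kind "$f")
        [ "$k" = elf ] || printf '%s %s\n' "$k" "$f"
    done
}

# Print "interpreter path" for setuid/setgid ELF binaries whose name looks like
# a script interpreter (assumed list): a setuid interpreter grants its privilege
# to every script it is asked to run, which is the "bad idea" from the thread.
audit_suid_interpreters() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | while read -r f; do
        case "$(basename "$f")" in
            sh|bash|dash|perl|python*|php*|ruby)
                [ "$(file_kind "$f")" = elf ] && printf 'interpreter %s\n' "$f" ;;
        esac
    done
}
```

Run both functions against / (as root, so every directory is readable) after a suspected compromise; on a healthy system the first prints nothing and the second should print nothing either.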