Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour
On 12/24/2013 04:34 AM, Reco wrote:
> Hi.
>
snip
>
> I'm not Paul, but that's simple.
> Setuid bit is ignored for scripts.
>
> The reason for it is - the only thing that's able to spawn a process is
> an executable, which has certain format (ELF for Linux, possibly a.out
> - that depends on a kernel configuration).
>
> Every time you execute a script, you, in fact, are invoking script
> interpreter (probably /bin/sh in this case), which, in turn,
> executes your script.
>
> So, to make your script work you can:
>
> a) Bad idea.
>
> Set suid bit on an appropriate script interpreter.
>
> b) So-so idea.
>
> Write your own BINARY executable and set suid bit on it.
>
> c) Good idea.
>
> Use sudo(1).
>
> Reco
>
Something your message reminded me of:
In a webserver environment, suid/sgid doesn't really matter, even if
they did work on scripts. The apache/php process is reading the file's
contents and running what's in it, not directly running it as a program
or script via the shell. That's why php scripts are usually -rw-r--r--
and not -rwxr-xr-x. The executable bit, like setuid/setgid, is
interpreted by the shell.
In that situation, it only matters that the process owner can read the
file.
- PaulNM
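As an added example (not code from Reco or PaulNM), the following POSIX shell functions audit a directory tree for files carrying the setuid or setgid bit and classify each as an interpreter script (starts with "#!") or something else. A setuid bit on a script is dead weight, since the kernel hands the file to its interpreter without honouring it, so any such file under a web root is either a leftover misconfiguration or evidence that someone tried to set up a privilege hand-off. The demo tree, file names and contents are constructed for the example; it assumes `find -perm`, `head -c` and `mktemp -d` as provided by GNU or BSD userland.

```shell
#!/bin/sh
# Added example: find setuid/setgid files and flag the ones that are scripts.
# Usage as a library: . ./suid-audit.sh; find_suid_files /var/www
# Usage as a command: sh suid-audit.sh /var/www

# Print "script" if the file begins with a shebang, "binary" otherwise.
classify_file() {
    if [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]; then
        echo script
    else
        echo binary
    fi
}

# List setuid/setgid regular files under $1, one per line:
#   "<u+s|g+s|u+s,g+s> <script|binary> <path>"
find_suid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort |
    while IFS= read -r f; do
        flag=""
        [ -u "$f" ] && flag="u+s"
        [ -g "$f" ] && flag="${flag}${flag:+,}g+s"
        printf '%s %s %s\n' "$flag" "$(classify_file "$f")" "$f"
    done
}

# Count only the setuid/setgid scripts under $1 (the bit does nothing there).
count_suid_scripts() {
    find_suid_files "$1" | awk '$2 == "script"' | wc -l | tr -d ' '
}

# Build a constructed sample web root in a temp dir and print its path.
# Setting u+s/g+s on files you own needs no root, so this runs unprivileged.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/cgi-bin" "$d/htdocs"
    # A script with the setuid bit: the kernel ignores it when executed.
    printf '#!/bin/sh\nid -u\n' > "$d/cgi-bin/run-as-root.sh"
    chmod 4755 "$d/cgi-bin/run-as-root.sh"
    # An ordinary PHP file, mode 0644: the web server only needs to read it.
    printf '<?php echo "hi"; ?>\n' > "$d/htdocs/index.php"
    chmod 0644 "$d/htdocs/index.php"
    # A non-script file with the setgid bit set.
    printf 'not an ELF, just bytes\n' > "$d/htdocs/helper"
    chmod 2755 "$d/htdocs/helper"
    echo "$d"
}

# When invoked with a directory argument, audit it and print the findings.
if [ $# -gt 0 ]; then
    find_suid_files "$1"
fi
```

On the thread's own scenario, running this over the document root is a quick way to confirm that no script in the tree is pretending to carry privilege; for a real privilege hand-off, a sudoers rule scoped to one command and one user is the path Reco recommends.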