
Re: mount question



On Mon, May 02, 2005 at 05:44:52PM +0200, Joerg Schilling wrote:
> Suid shell scripts work since approx. 25 years.

Only on *some* operating systems.  On others, the setuid/setgid bits
are ignored when the kernel handles the shebang.

Example 1:
imadev:~$ uname -a
HP-UX imadev B.10.20 A 9000/785 2008897791 two-user license
imadev:~$ id
uid=563(wooledg) gid=22(pgmr) groups=1002(webauth),208(opgmr)
imadev:~$ ls -l foo.sh
-rwsr-xr-x   1 root       sys             22 May  3 08:04 foo.sh
imadev:~$ cat foo.sh
#!/bin/sh
/usr/bin/id
imadev:~$ ./foo.sh
uid=563(wooledg) gid=22(pgmr) euid=0(root) groups=1002(webauth),208(opgmr)

Example 2:
svr1a:~$ uname -a
Linux svr1a 2.2.26 #2 Wed Feb 25 12:48:36 EST 2004 i686 unknown
svr1a:~$ id
uid=563(wooledg) gid=22(voice) groups=22(voice),97(vsifax),1002(webauth),208(opgmr)
svr1a:~$ ls -l foo.sh
-rwsr-xr-x    1 root     sys            22 May  3 08:04 foo.sh
svr1a:~$ cat foo.sh
#!/bin/sh
/usr/bin/id
svr1a:~$ ./foo.sh
uid=563(wooledg) gid=22(voice) groups=22(voice),97(vsifax),1002(webauth),208(opgmr)

That is, in fact, precisely the same file.  My home dir is shared over NFS.
Just to alleviate any questions of mount options, here's what the Linux box
actually shows for the file system in question:

imadev:/home/wooledg on /net/home/wooledg type nfs (rw,hard,intr,addr=10.76.142.103)

I could repeat the test on /var/tmp if you wish.  That's a local ext2
file system with no options other than "rw".

> The problem of course is security.......
> 
> Since 1990, /bin/sh will revert to euid==uid in case euid!=uid
> except when you use:
> 
> #!/bin/sh -p

svr1a:~$ ls -l foo.sh 
-rwsr-xr-x    1 root     sys            25 May  3 08:07 foo.sh
svr1a:~$ cat foo.sh
#!/bin/sh -p
/usr/bin/id
svr1a:~$ ./foo.sh
uid=563(wooledg) gid=22(voice) groups=22(voice),97(vsifax),1002(webauth),208(opgmr)

The "-p" has nothing to do with it on this system.  Perhaps on Solaris it
might have some effect, but on Linux, there is none.  It's the *kernel*
that ignores the setuid bit on a shebang-driven script.  Nothing that
/bin/sh does can elevate its own privileges beyond those with which it
was spawned.  (If Solaris can do it, then it's because /bin/sh is setuid,
or has a setuid helper/consort program that it can invoke, a la suidperl.)
