[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: setgid-wrapper



Steven Augart wrote:
> First, a retraction:
> 
> James Damour wrote:
> >On Tue, 2004-05-18 at 09:03, Steven Augart wrote:
> >>As you probably know, when a shell sees that it is running a setuid or 
> >>setgid shell script, it detects this because the euid and ruid or egid 
> >>and rgid are different.  It "fixes" this by setting the euid to be the 
> >>same as the ruid, and/or egid the same as the rgid, effectively 
> >>turning off the setuid/setgid bit.
> >
> >Actually, I didn't know that.  Thanks for the info!

You will only see this on systems which allow set-uid shell scripts.
Here is an example from HP-UX.

  #!/bin/sh -p
  id

Setuid outputs:
  uid=1423(rwp) gid=2000(esl) euid=0(root) ... long list of groups deleted...

> Jeroen van Wolffear wrote:
> > Huh? This is wrong. It is the kernel who refuses to set the UID or GID
> > on execution of setuid/gid shell scripts.

On Linux.  But not on the classic UNIX kernels.

> > Where did you read that?
> 
> It probably started from programming on 2.9 BSD and 4.2 BSD
> and 4.3 BSD Unix systems, where (if I recall correctly) setuid
> shell scripts worked.

Yes.  Set-uid shell scripts work on HP-UX, for example, the kernel of
which is a derivative of 4.2 BSD.  ("Work" used loosely here, because
it is a bad thing.)

However, setuid shell scripts are such a security hole that they
should never exist.  Much of the time spent by the security scanners
for unix scan for just such problems.

> I have spent the past four years confused on this issue, mislead by the
> discussion of the -p flag on the Bash 2.05b manual page:
> 
>   Turning this option off causes the effective user and group ids
>   to be set to the real user and group ids.
> 
> Now I know why I had such trouble getting setuid programs to work
> on Linux.

Remember that bash runs on many systems such as Solaris, AIX, HP-UX,
etc. and not just on Linux.  Therefore there is a lot of baggage to
work around classic bugs that modern systems have corrected.  If those
systems would update they would fix this too.  But they are even more
stable that Debian stable!  :-)

Bob

Attachment: pgpe6WlE8kxc_.pgp
Description: PGP signature


Reply to: