
Re: setgid-wrapper



In article <20040520055516.GA9277@misery.proulx.com>,
Bob Proulx <bob@proulx.com> wrote:
>However, setuid shell scripts are such a security hole that they
>should never exist.  Much of the time spent by the security scanners
>for unix scan for just such problems.

This is true. On most systems, it's trivial to exploit a suid
shell script. Often the shell reads ~/.bashrc or a similar file
at startup - put your exploit there and you're done. Or put it
in $BASH_ENV. Or, if the shell script doesn't reset the PATH,
just change the PATH to include a directory with your exploit
named after one of the commands that the shell calls. Then
there's the IFS exploit. etc etc etc.

For every 10 setuid shell scripts, 9 are exploitable. Maybe 10.

Mike.
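
An added example, not code from this thread: the usual mitigation for the environment-based vectors named above (BASH_ENV, PATH, IFS, files found via HOME) is a compiled wrapper that builds a fresh environment from an allow-list and hands only that array to execve() as envp. The function names, the allow-list, the SAFE_PATH value and the sample environment are assumptions made for illustration, and it covers only those environment vectors.

```c
#include <stdio.h>
#include <string.h>
#define SAFE_PATH "PATH=/usr/bin:/bin"   /* assumed value; set per system */
/* Allow-list: only these names are copied from the caller's environment. */
static const char *const ALLOWED[] = { "TERM", "LANG", "LC_ALL", NULL };

/* Value of NAME in entry "NAME=value", or NULL if entry is not NAME. */
static const char *match(const char *entry, const char *name) {
    size_t len = strlen(name);
    return (strncmp(entry, name, len) == 0 && entry[len] == '=')
               ? entry + len + 1 : NULL;
}

/* Fill out[] (capacity cap) with a clean env; returns count, -1 if too small. */
int scrub_env(char *const in[], char *out[], size_t cap) {
    size_t n = 0;
    if (cap < 2) return -1;
    out[n++] = (char *)SAFE_PATH;          /* never the caller's PATH */
    for (size_t i = 0; in[i] != NULL; i++)
        for (size_t a = 0; ALLOWED[a] != NULL; a++)
            if (match(in[i], ALLOWED[a]) != NULL) {
                if (n + 1 >= cap) return -1;
                out[n++] = in[i];
                break;
            }
    out[n] = NULL;                         /* BASH_ENV, ENV, IFS, HOME dropped */
    return (int)n;
}

/* Constructed sample of a hostile caller environment (not from the post). */
static char *const SAMPLE[] = { "PATH=/tmp/x:/usr/bin", "BASH_ENV=/tmp/x/rc",
                                "IFS=/", "HOME=/tmp/x", "TERM=xterm", NULL };

/* Scrub SAMPLE and return the value of name in the result, or NULL. */
const char *scrubbed_value(const char *name) {
    static char *out[8];
    const char *v = NULL;
    int n = scrub_env(SAMPLE, out, 8);
    for (int i = 0; i < n && v == NULL; i++)
        v = match(out[i], name);
    return v;
}

int main(void) {
    printf("PATH=%s BASH_ENV=%s\n", scrubbed_value("PATH"),
           scrubbed_value("BASH_ENV") ? "kept" : "dropped");
    return 0;
}
```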


