
Re: VI wrapper for SUDO? - another bad way ??



* William R. Ward <bill@wards.net> [2001-12-04 11:56]:
> Yes, it is difficult, but if one is conscientious enough about
> checking all the environment variables and such it can be done.

 For oneliners, maybe.  But even there it's hard.  YMMV.  I can find
better things than trying to secure shell scripts.

>>> I understand that there are risks of race conditions with setuid shell
>>> scripts, and so they are disabled on most Linux boxen.
>>
>> You have a misinformation/misinterpretation there.  It's not disabled,
>>it's simply not possible in the way scripts are run.  They are passed to
>>the program that is given in its first line, after the #! - or to the
>>current shell, if there is no such line.  As an *argument*.
>>
>> If you think about it how should the suid/sgid bit from an argument be
>>given over to the program which handles that file?  There's no way other
>>than using wrappers, like sudo.
> 
> It's been an option on traditional Unix systems for a long time.

 Linux Is Not UniX.

> When kernel runs the interpreter listed on the #! line, it does so
> with suid/sgid access enabled.

 Yes, for the interpreter.  Do you see the contradiction?  It runs
suid/sgid enabled for the interpreter but not for the argument that is
handed to the interpreter.

> It's the kernel, not the shell, that parses the #! line.

 I didn't say anything else....

> I'm not sure in what ways Linux may differ from traditional Unix on
> this point, however.

 In the way that Linux Is Not UniX.  And furthermore, it's of course not
traditional (which IMHO most of the time means old-fashioned).  Linux
goes its own way.

> A lot of things, like sendmail for a prominent example, may use group
> accounts but still expect the files to be owned and writable only by
> root.

 So?  I still don't know what your virtual shell script is about to do.
I still see no contradiction there.  The files that are owned and
writable only by root for sendmail are usually those that are config
files, right?

>> Btw, why was this mailed to debian-security?  I don't see anything
>>related to debian in that, some general linux (security)
>>mailinglist/newsgroup would suit better.
> 
> Because the thread originated there.

 I haven't seen it before here.  Do you really mean
<debian-security@debian.org> and not <debian-security@LISTS.debian.org>?
Those are two totally different things....  Maybe you have to resend
your message there to let it show up in the correct list.  You have my
permission to send my messages there, too.  For completeness.  But
please add that I don't read <debian-security@LISTS.debian.org> so if
someone answers s/he should consider Cc'ing me if it seems relevant.

> The original idea was debian-related, in that I wanted to be able to
> have /etc/alternatives be consulted when deciding what editor to
> invoke.

 /etc/alternatives is readable by every user.  If you just want to
decide, there is no need to do this as root.

 HTH,
Alfie
-- 
<Angel`Eye> installation instructions for intelx86 correct ?
<Salz> Angel`Eye: Depends on your machine. If you don't know the answer,
       it's yes.
                                        -- #debian.de
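Added example, not part of the thread above: a small Python audit that flags regular files carrying the setuid/setgid bit whose contents start with `#!`. As the reply explains, Linux never honours that bit for the script itself (the script is only an argument to the interpreter), so a hit is either a leftover misconfiguration or a sign that someone expects a privilege the kernel will not grant. The path, mode and file header used in the test are constructed values.

```python
import os
import stat
from typing import Dict, List, Optional

def script_interpreter(header: bytes) -> Optional[str]:
    """Return the interpreter named on a #! line, or None if the file
    does not begin with #! (e.g. an ELF binary, which starts with \\x7fELF)."""
    if not header.startswith(b"#!"):
        return None
    first_line = header[2:].split(b"\n", 1)[0].strip()
    if not first_line:
        return None
    # The interpreter path is the first word; anything after it is an argument.
    return first_line.split()[0].decode("utf-8", errors="replace")

def audit_mode(path: str, mode: int, header: bytes) -> Optional[Dict[str, object]]:
    """Flag a setuid/setgid regular file that is actually a #! script.
    `mode` is the st_mode value, `header` the first bytes of the file."""
    if not stat.S_ISREG(mode):
        return None
    if not (mode & (stat.S_ISUID | stat.S_ISGID)):
        return None  # no special bits, nothing to report
    interp = script_interpreter(header)
    if interp is None:
        return None  # a native binary: setuid there is a separate review
    return {
        "path": path,
        "setuid": bool(mode & stat.S_ISUID),
        "setgid": bool(mode & stat.S_ISGID),
        "interpreter": interp,
    }

def audit_tree(root: str) -> List[Dict[str, object]]:
    """Walk `root` (not following symlinks) and collect setuid/setgid scripts."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue
                with open(path, "rb") as fh:
                    header = fh.read(256)
            except OSError:
                continue  # unreadable or vanished file: skip, do not crash
            hit = audit_mode(path, st.st_mode, header)
            if hit is not None:
                findings.append(hit)
    return findings
```

Running `audit_tree("/usr/local/bin")` as an unprivileged user is enough to spot stray bits on scripts you own; system-wide directories need root to read every file.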