
Re: suid script



On 03-Dec-98, Joey Hess took his electrons to write:
> Brandon Mitchell wrote:
>> Dang, looks like you are right Joey, at least I can't get a counter
>> example working.  I have been forced to write csh scripts on linux that
>> are run by suid programs because bash will drop its privileges to the
>> real user id. So, at least in some aspects, bash is worse than others.
>> Any idea why the kernel does this (if it really does, I'm still not sure
>> of it)? 
> 
> Because shell scripts are supposedly very often full of security holes when
> suid.

As far as I know it's not a problem of bugs or anything.
It's a general problem.
What I have understood (I'm not an expert):

the executable (bash, whatever) opens the file 
it closes it
it changes uid/gid to reflect suid status -> so it becomes root or whatever
it reopens it
and executes it

problem: you can change the content of the file between the two !!
so you can have your script, running as root, executing whatever you want !!

I heard that some Unix systems (Solaris I think, but not sure) provide a way to
overcome this by feeding the script to the executable through /dev/3 or
something like it (like a new STDIN)

Patrick

/\//\/\/\\/\/\//\/\\/\/\\/\\/\//\/\\/\//\/\\/\//\/\\/\//\/\\
Patrick M.   pat@patoche.org    http://www.patoche.org/
Sysadmin of patoche.org, globenet.org, bde.espci.fr
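
The approach mentioned at the end of the message, handing the interpreter an already-open descriptor instead of a path (exposed as /dev/fd/N on systems that provide it), works because a descriptor stays bound to one inode even if the path is replaced afterwards. The following is an added example, not part of the original message; the helper names and the temporary files it constructs are assumptions.

```c
/* Added example, not from the original post; helper names are hypothetical. */
#define _XOPEN_SOURCE 700 /* POSIX.1-2008: O_NOFOLLOW, pread, mkdtemp */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open the script once; every later check and read uses this descriptor. */
int pin_script(const char *path, struct stat *st) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, st) == 0 && S_ISREG(st->st_mode)) return fd;
    close(fd);
    return -1;
}

/* 1 if `path` still names the inode that was pinned, 0 otherwise. */
int path_still_pinned(const char *path, const struct stat *pinned) {
    struct stat now;
    return lstat(path, &now) == 0 && now.st_dev == pinned->st_dev &&
           now.st_ino == pinned->st_ino;
}

static int write_file(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int bad = fputs(text, f) < 0;
    return (fclose(f) != 0 || bad) ? -1 : 0;
}

/* Pin a constructed script, replace the path, read back via the fd: 1 if unaffected. */
int demo_swap(void) {
    char dir[] = "/tmp/pinXXXXXX", a[64], b[64], buf[64] = "";
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/script.sh", dir);
    snprintf(b, sizeof b, "%s/other.sh", dir);
    if (write_file(a, "echo checked\n") || write_file(b, "echo swapped\n")) return -1;
    int fd = pin_script(a, &st);
    if (fd < 0 || rename(b, a) != 0) return -1; /* path now names another inode */
    int moved = !path_still_pinned(a, &st);
    ssize_t n = pread(fd, buf, sizeof buf - 1, 0);
    close(fd); unlink(a); rmdir(dir);
    return moved && n > 0 && strcmp(buf, "echo checked\n") == 0;
}

int main(void) { return demo_swap() == 1 ? 0 : 1; }
```

A privileged launcher built this way would take ownership and mode from the `fstat` result and give the interpreter the descriptor's /dev/fd name rather than the original path, so the checked file and the executed file are the same inode.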

