stpeters@dawn.steinmetz (10/05/87)
In article <9615@brl-adm.ARPA> bzs@bu-cs.bu.EDU (Barry Shein) writes:
> if [ -x foo ]
>
> in a shell script would always return true for any file if you were
> root for some obscure reason.

A related example is that uid 0 can always open and write to *device* files (/dev/widget etc.) even when the files are mode 000 (various versions of SunOS and Ultrix). We wanted a program to be able to "lock" devices sufficiently to prevent even an SA from accidentally using them.

> I had written a simple shell script for
> the students called 'setpriv' which took either 'public' or 'private'
> and a list of files and did something reasonable with the permission
> bits.

Be *extremely* wary of suid shell scripts. A local SA challenged me to write one he couldn't break. I lost every time (and learned a lot). There is an *enormous* hole that is totally independent of the script contents. Show me a suid script, and I can be running as uid 0 in 10 seconds. (BSD and derivatives at least, but I believe others as well.) SunOS 3.2 closed this particular hole for csh (but not sh) suid scripts, but I still wouldn't put one on my system.

Dick St.Peters
GE Corporate R&D, Schenectady, NY
stpeters@ge-crd.arpa
uunet!steinmetz!stpeters
guy%gorodish@Sun.COM (Guy Harris) (10/06/87)
> A related example is that uid 0 can always open and write to *device*
> files (/dev/widget etc.) even when the files are mode 000 (various
> versions of SunOS and Ultrix). We wanted a program to be able to
> "lock" devices sufficiently to prevent even an SA from accidently
> using them.

As far as I know, *all* UNIX systems work this way; "root" is given read and write permissions on all files.

> SunOS 3.2 closed this particular hole for csh (but not sh) suid
> scripts, but I still wouldn't put one on my system.

If it's the security hole I think you're referring to, it's closed for "sh" scripts as well. Note the "#!" lines in shell scripts in 4.3BSD. (Credit where credit is due: the C shell version of this hole was closed in the 4.3BSD C shell. SunOS 3.2 picked up this version of the C shell.) Another similar security problem was also fixed in 4.3 by changes to the way the "exec" family of system calls handles "#!"; this fix was also picked up by SunOS 3.2.

However, your continuing concern is justified; somebody showed me a security hole with set-UID shell scripts that isn't fixed in 4.3. This one would be painful to fully fix.

Guy Harris
{ihnp4, decvax, seismo, decwrl, ...}!sun!guy
guy@sun.com
stpeters@dawn.steinmetz (10/06/87)
>> SunOS 3.2 closed this particular hole for csh (but not sh) suid
>> scripts, but I still wouldn't put one on my system.
>
> If it's the security hole I think you're referring to, it's closed for "sh"
> scripts as well. Note the "#!" lines in shell scripts in 4.3BSD.

Maybe we're talking different holes. It's not closed for "sh" on my SunOS 3.2 system. I don't have 4.3BSD available, but I'll try it on a local 3.4 Sun.

Dick St.Peters
GE Corporate R&D, Schenectady, NY
stpeters@ge-crd.arpa
uunet!steinmetz!stpeters
stpeters@dawn.steinmetz (10/07/87)
> Maybe we're talking different holes. It's not closed for "sh" on my
> SunOS 3.2 system. I don't have 4.3BSD available, but I'll try it on a
> local 3.4 Sun.

The hole is still there under 3.4.

Dick St.Peters
GE Corporate R&D, Schenectady, NY
stpeters@ge-crd.arpa
uunet!steinmetz!stpeters
bzs@bu-cs.bu.EDU (Barry Shein) (10/08/87)
>> I had written a simple shell script for
>> the students called 'setpriv' which took either 'public' or 'private'
>> and a list of files and did something reasonable with the permission
>> bits.
>
> Be *extremely* wary of suid shell scripts. A local SA challenged me
> to write one he couldn't break. I lost every time (and learned a lot).

Agreed, but I assure you there is no need for such a script to be suid; it simply sets up a chmod for the user on his/her own file. It was just a convenience, mostly because it looked kind of like the system they came from as frosh, so they could manage their file security before they became grounded in unix.

-B
allbery@ncoast.UUCP (Brandon Allbery) (10/10/87)
As quoted from <7525@steinmetz.steinmetz.UUCP> by stpeters@dawn.steinmetz:
+---------------
| There is an *enormous* hole that is totally independent of the script
| contents. Show me a suid script, and I can be running as uid 0 in 10
| seconds. (BSD and derivatives at least, but I believe others as well.)
+---------------

Aside from the fact that I saw nothing saying that either (a) "setpriv" was suid or (b) it had to be, please note that it's only BSD and derivatives that have this bug. The reason? Non-BSD systems don't _allow_ suid shell scripts. Seems a lot safer to me....

--
Brandon S. Allbery, moderator of comp.sources.misc
{{harvard,mit-eddie}!necntc,well!hoptoad,sun!mandrill!hal}!ncoast!allbery
ARPA: necntc!ncoast!allbery@harvard.harvard.edu
Fido: 157/502 MCI: BALLBERY
<<ncoast Public Access UNIX: +1 216 781 6201 24hrs. 300/1200/2400 baud>>
"...he calls _that_ a `little adventure'?!" - Cmdr. Ryker
guy%gorodish@Sun.COM (Guy Harris) (10/11/87)
> ...please note that it's only BSD and derivatives that have this bug. The
> reason? Non-BSD systems don't _allow_ suid shell scripts.

No, I think Masscomp's system, which I think they claim to be a System V with BSD stuff added rather than a BSD system with System V stuff added (not that the distinction between the two has any significance other than a religious one), also supports "#!", and thus probably supports set-UID scripts.

> Seems a lot safer to me....

Well, maybe, although removing that feature would be a bit of an airbag installation; nobody's forcing people at gunpoint to put set-UID shell scripts in, so it's quite possible to be safe (in this regard) on systems that permit set-UID shell scripts.

Guy Harris
{ihnp4, decvax, seismo, decwrl, ...}!sun!guy
guy@sun.com
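Being safe on a system that honours the set-UID bit on "#!" scripts means making sure none are installed. The audit function below is an added example, not code from any poster or vendor in this thread; it assumes a `find` that understands `-perm -4000` / `-perm -2000` and lists every set-UID or set-GID regular file under a directory whose first two bytes are "#!", i.e. an interpreter script that would run with elevated privilege.

```shell
#!/bin/sh
# Added example: report set-UID/set-GID files that are interpreter scripts.
# Usage: find_setuid_scripts /usr/local/bin
# Assumes find(1) supports -perm -4000 / -perm -2000 (GNU and BSD both do).
find_setuid_scripts() {
    dir="$1"
    # Regular files with the set-UID (04000) or set-GID (02000) bit set.
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # First two bytes of the file; "#!" marks an interpreter script,
        # which is exactly the case the thread warns about.
        magic=$(dd if="$f" bs=2 count=1 2>/dev/null)
        if [ "$magic" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Convenience wrapper: exit status 1 if any set-UID/set-GID script exists,
# so the function can be used as a check in a periodic job.
check_no_setuid_scripts() {
    found=$(find_setuid_scripts "$1")
    if [ -n "$found" ]; then
        printf 'set-UID/set-GID scripts found:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}
```

Run it over the directories where locally installed commands live; set-UID binaries (no "#!" header) are deliberately not reported, so the output is only the scripts.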
zap@draken.nada.kth.se (Svante Lindahl) (10/15/87)
>> ...please note that it's only BSD and derivatives that have this bug. The
>> reason? Non-BSD systems don't _allow_ suid shell scripts.
>
> No, I think Masscomp's system, which I think they claim to be a System V
> ...
> also supports "#!", and thus probably supports set-UID scripts.

I know of one other company, that I wouldn't name, that sells System V boxes that support "#!". This is OK as far as I'm concerned (being a BSD-oriented person), but they also have scripts on their distribution tape that are setuid to root... It's been a while now, so maybe they have it fixed in their current release. This was a V.2.0-release or something such.

Svante Lindahl
zap@nada.kth.se