will%robots.oxford.ac.uk@nss.cs.ucl.ac.uk (Will Dickson) (04/25/89)
I recently posted an article as a query about the security of suid shell scripts. I made the mistake of giving too much detail to illustrate what I knew and didn't know, and I would like to apologise to those people whose installations' security may have suffered as a consequence.

First, I should summarise. The answer (as noted by Guy Harris and Mikel Lechner in v7n218) is that there is no secure interpreter, as there is a problem in the kernel rather than in the interpreters themselves which can be exploited (< 20 lines of plain C, with standard UNIX calls) to break any suid script. There are a few problems with my posting, one of which hasn't been mentioned (but hinted at by Henry Spencer in v7n218): csh should be invoked with "-fb" rather than just "-b".

If you want to run shell commands in a suid mode, what you need is a suid program which execs the script. I have heard that source for such a program is available from comp.sources.unix (or similar) but I couldn't check it out; the source I could pick up was disastrous.

I'd like to pontificate briefly. It is (as I found) a bad idea to post details of security problems, however well known, to unrestricted newsgroups. Some sysadmins either don't get to know about them, or choose to ignore them in the hope that nobody else (like RTM Jr.) will find out about them. I don't think the latter attitude is really excusable. I would like to repeat my apologies to those who don't get to know.

Will Dickson.
snail: Robotics Research Group, Dept. of Engineering Science, Oxford University, Oxford OX1 3PJ, United Kingdom.
email: will%uk.ac.oxford.robots@uk.ac.ucl.cs.nss
JANET: will@uk.ac.oxford.robots
All opinions are my own etc... (looks like I need this kind of thing).

[[ I still believe that security through obscurity is no security at all. If information about the existence of security holes and methods for plugging them does not get circulated, how are system administrators going to find out about them? Wait for Sun to fix them? Seems risky to me. I know that this is a hotly debated topic in many circles and I don't wish to start an irresolvable argument in this forum. I hope that no serious damage was done by posting that information. --wnl ]]
maart@uunet.uu.net (Maarten Litmaath) (05/06/89)
will%robots.oxford.ac.uk@nss.cs.ucl.ac.uk (Will Dickson) writes:
\... there is no secure interpreter, as there is a
\problem in the kernel rather than in the interpreters themselves which can
\be exploited (< 20 lines of plain C, with standard UNIX calls) to break
\any suid script.
^^^
Simply not true. Use setuid(1) and you're out of trouble. The source and
manual can be acquired from the comp.sources.misc archives or by emailing
me.
\There are a few problems with my posting, one of which
\hasn't been mentioned (but hinted at by Henry Spencer in v7n218): csh
^^^^^^
He could have been specific, for the essential problem has been revealed
about nine months ago in comp.unix.wizards (yes, by me). I've got a
detailed description on-line.
"If it isn't aesthetically pleasing, |Maarten Litmaath @ VU Amsterdam:
it's probably wrong." (jim@bilpin). |maart@cs.vu.nl, mcvax!botter!maart