[comp.sys.sun] Set-uid shell scripts

will%robots.oxford.ac.uk@nss.cs.ucl.ac.uk (Will Dickson) (04/25/89)

I recently posted an article as a query about the security of suid shell
scripts.  I made the mistake of giving too much detail to illustrate what
I knew and didn't know, and I would like to apologise to those people
whose installations' security may have suffered as a consequence.

First, I should summarise.  The answer (as noted by Guy Harris and Mikel
Lechner in v7n218) is that there is no secure interpreter, as there is a
problem in the kernel rather than in the interpreters themselves which can
be exploited (< 20 lines of plain C, with standard UNIX calls) to break
any suid script.  There are a few problems with my posting, one of which
hasn't been mentioned (but hinted at by Henry Spencer in v7n218): csh
should be invoked with "-fb" rather than just "-b".

If you want to run shell commands in a suid mode, what you need is a suid
program which execs the script.  I have heard that source for such a
program is available from comp.sources.unix (or similar) but I couldn't
check it out; the source I could pick up was disastrous.

I'd like to pontificate briefly.  It is (as I found) a bad idea to post
details of security problems, however well known, to unrestricted
newsgroups.  Some sysadmins either don't get to know about them, or choose
to ignore them in the hope that nobody else (like RTM Jr.) will find out
about them.  I don't think the latter attitude is really excusable.  I
would like to repeat my apologies to those who don't get to know.

Will Dickson.

snail: Robotics Research Group, Dept. of Engineering Science,
       Oxford University, Oxford OX1 3PJ, United Kingdom.
email: will%uk.ac.oxford.robots@uk.ac.ucl.cs.nss
JANET: will@uk.ac.oxford.robots

All opinions are my own etc... (looks like I need this kind of thing).

[[ I still believe that security through obscurity is no security at all.
If information about the existence of security holes and methods for
plugging them does not get circulated, how are system administrators going
to find out about them?  Wait for Sun to fix them?  Seems risky to me.  I
know that this is a hotly debated topic in many circles and I don't wish
to start an irresolvable argument in this forum.  I hope that no serious
damage was done by posting that information.  --wnl ]]

maart@uunet.uu.net (Maarten Litmaath) (05/06/89)

will%robots.oxford.ac.uk@nss.cs.ucl.ac.uk (Will Dickson) writes:
\... there is no secure interpreter, as there is a
\problem in the kernel rather than in the interpreters themselves which can
\be exploited (< 20 lines of plain C, with standard UNIX calls) to break
\any suid script.
 ^^^

Simply not true. Use setuid(1) and you're out of trouble. The source and
manual can be acquired from the comp.sources.misc archives or by emailing
me.

\There are a few problems with my posting, one of which
\hasn't been mentioned (but hinted at by Henry Spencer in v7n218): csh
			    ^^^^^^

He could have been specific, for the essential problem was revealed
about nine months ago in comp.unix.wizards (yes, by me).  I've got a
detailed description on-line.

 "If it isn't aesthetically pleasing, |Maarten Litmaath @ VU Amsterdam:
  it's probably wrong." (jim@bilpin). |maart@cs.vu.nl, mcvax!botter!maart