will%robots.oxford.ac.uk@nss.cs.ucl.ac.uk (Will Dickson) (03/11/89)
I know of three common modes of attack on set-uid shell scripts, all of which I have failed to apply successfully to reasonably written shell scripts under /bin/csh, but which are successful against scripts under /bin/sh (though these can be protected from the first two):

1: Set a path which includes trojan horses; this is defeated by setting an explicit path or specifying full paths to the command names.

2: Set the environment variable IFS (/bin/sh only) to include the character '/'; IFS is ignored by csh, and the attack can be defeated by resetting IFS at the start of sh scripts. Note that setting an explicit path without setting IFS does *not* help.

3: Make a symbolic link to the script from a file called "-s"; I KNOW OF NO WAY TO CIRCUMVENT THIS WITH /bin/sh SCRIPTS; /bin/csh will only run set-uid if it has the "-b" option in its arguments, and so cannot be broken in this way.

The question is, are there any other ways in which shell scripts can be broken, and which shells do they apply to? This issue has probably been covered in other newsgroups, but we unfortunate Brits don't get all of these right now.

Will Dickson (will%uk.ac.oxford.robots@uk.ac.ucl.cs.nss)
Robotics Research Group, Department of Engineering Science, Oxford University, 19 Parks Road, Oxford, England.
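The following is an added example for readers of this thread; it is not code from Will Dickson's post. It reproduces attack mode 1 (a trojan horse on PATH) against a constructed victim shell function standing in for a set-uid script, and shows the countermeasure the post gives for /bin/sh scripts: set PATH explicitly and reset IFS before doing anything else. One caveat the post does not state: modern POSIX shells apply IFS only to the results of expansions, not to literal words in the script text, so the IFS function below holds the pathname in a variable to show the effect. The victim functions, the trojan placed in a temporary directory and the PATH value are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces attack mode 1 (a
# trojan horse on PATH) against a constructed victim that is an ordinary
# shell function, not a real set-uid script, and shows the countermeasure
# the post gives for /bin/sh scripts: set PATH explicitly and reset IFS
# before anything else. The last function shows what an attacker's IFS
# does to a pathname the script expands from a variable.

# Scratch directory holding a trojan "ls" that announces itself.
make_trojan_dir() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/ls" <<'EOF'
#!/bin/sh
echo "TROJAN ls ran with args: $*"
EOF
    chmod 755 "$dir/ls"
    printf '%s\n' "$dir"
}

# Vulnerable victim: trusts whatever PATH and IFS it inherits, and names
# its commands without a path, so the first "ls" found on PATH wins.
vulnerable_victim() {
    ls /dev/null
}

# Hardened victim: the two resets the post describes, done first. Unsetting
# IFS restores the default <space><tab><newline> splitting in POSIX shells.
hardened_victim() {
    unset IFS
    PATH=/bin:/usr/bin
    export PATH
    ls /dev/null
}

# Run a victim under an attacker's environment: trojan dir first on PATH
# and '/' in IFS. Done in a subshell so the caller's environment survives.
run_under_attack() {
    victim=$1
    trojan_dir=$2
    (
        PATH="$trojan_dir:$PATH"
        export PATH
        IFS='/'
        "$victim"
    )
}

# Field splitting of a pathname held in a variable when IFS contains '/'.
# Modern POSIX shells split only the results of expansions, not literal
# words in the script, so the pathname has to come from a variable here.
# With IFS='/' the command name the shell looks up is no longer /bin/echo
# (in bash the first field is the empty string, then "bin", then "echo").
split_path_under_ifs() {
    (
        cmd=/bin/echo
        IFS='/'
        set -- $cmd
        printf '[%s]' "$@"
        printf '\n'
    )
}

main() {
    trojan_dir=$(make_trojan_dir) || exit 1
    echo "vulnerable victim: $(run_under_attack vulnerable_victim "$trojan_dir")"
    echo "hardened victim:   $(run_under_attack hardened_victim "$trojan_dir")"
    echo "/bin/echo split under IFS='/': $(split_path_under_ifs)"
    rm -rf "$trojan_dir"
}

main "$@"
```

Run it with sh: the vulnerable victim prints the trojan's line, the hardened victim prints /dev/null from the real ls, and the last line shows that with '/' in IFS the shell would look up a command other than /bin/echo, which is why resetting IFS is needed in addition to an explicit PATH.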