[comp.unix.aix] bsh & ksh running setuid

fsfrick@bones.lerc.nasa.gov (David Fricker) (04/29/91)

FYI: under AIXv3.1 release 3003, bsh & ksh do NOT ignore the
setuid bits when running a script.  The documentation (InfoExplorer)
says that bsh, ksh, & csh all ignore the setuid bits when they
run a script.  I called IBM Software Defect Support about this and
they confirmed that this is a bug.  They also said that it is fixed
under release 3005.

So, if you want scripts to run setuid and you have release 3003, you
may want to save a copy of the bsh & ksh binaries.

--
-----------------------------------------------------------------------------
David Fricker			|     phone: 216-433-5960
NASA Lewis Research Center     	|     M.S. 5-11
Cleveland, Ohio  44135         	|     email: fsfrick@bones.lerc.nasa.gov 

rcd@ico.isc.com (Dick Dunn) (04/30/91)

fsfrick@bones.lerc.nasa.gov (David Fricker) writes:
> FYI: under AIXv3.1 release 3003, bsh & ksh do NOT ignore the
> setuid bits when running a script...
...
> So, if you want scripts to run setuid and you have release 3003, you
> may want to save a copy of the bsh & ksh binaries.

1.  I'm not clear on how this is a property of the shells, rather than
the OS.  Seems that the shell isn't going to be able to alter its own uid;
it needs kernel help at exec() time.

2.  For those who haven't run into this before: Note that setuid shell
scripts are a security sieve.
-- 
Dick Dunn     rcd@ico.isc.com -or- ico!rcd       Boulder, CO   (303)449-2870
   ...If you plant ice, you're gonna harvest wind.

rearl@gnu.ai.mit.edu (Robert Earl) (04/30/91)

In article <1991Apr29.200328.5668@ico.isc.com> rcd@ico.isc.com (Dick Dunn) writes:
|   fsfrick@bones.lerc.nasa.gov (David Fricker) writes:
|   > FYI: under AIXv3.1 release 3003, bsh & ksh do NOT ignore the
|   > setuid bits when running a script...
|   ...
|   > So, if you want scripts to run setuid and you have release 3003, you
|   > may want to save a copy of the bsh & ksh binaries.
|
|   1.  I'm not clear on how this is a property of the shells, rather than
|   the OS.  Seems that the shell isn't going to be able to alter its own uid;
|   it needs kernel help at exec() time.

I talked to the original poster because I was unclear as well; we
determined this: The shell finds out if it's running setuid, and if
so, refuses to continue interpreting the script.  A noble idea, I
suppose, but it's 1) Too Late and 2) not the shell's place to decide!

|   2.  For those who haven't run into this before: Note that setuid shell
|   scripts are a security sieve.

Indeed.  What's going to stop trusting_sysadmin from writing a faulty
awk or bash script?

Please note that I'm not advocating or questioning disabling setuid
scripts from within the kernel, I'm only saying that putting this
responsibility in the shell is asking for trouble.

--robert

fsfrick@bones.lerc.nasa.gov (David Fricker) (04/30/91)

In article <1991Apr29.200328.5668@ico.isc.com> rcd@ico.isc.com (Dick Dunn) writes:
>fsfrick@bones.lerc.nasa.gov (David Fricker) writes:
>> FYI: under AIXv3.1 release 3003, bsh & ksh do NOT ignore the
>> setuid bits when running a script...
>...
>> So, if you want scripts to run setuid and you have release 3003, you
>> may want to save a copy of the bsh & ksh binaries.
>
>1.  I'm not clear on how this is a property of the shells, rather than
>the OS.  Seems that the shell isn't going to be able to alter its own uid;
>it needs kernel help at exec() time.
>

The kernel supports #!/bin/xxsh, and it calls the requested interpreter.
When '/bin/csh' finds itself setuid, it dies or ignores the suid bit.
When '/bin/bsh' or '/bin/ksh' finds itself setuid, it DOES NOT die or ignore
the suid bit.

The key is that the shell _IS_ executing setuid scripts and changing ids.
The Bourne shell executes the script schizoid--effective & real userids
are NOT the same during the execution of the script's commands.
'csh', however, refuses to run in this fashion (as the documentation says).


Dick Dunn also wrote:
>2.  For those who haven't run into this before: Note that setuid shell
>scripts are a security sieve.
>-- 


True.  However, our site still has some setuid shell scripts that are 
'standard'.  The vulnerability is recognized.

--
-----------------------------------------------------------------------------
David Fricker			|     phone: 216-433-5960
NASA Lewis Research Center     	|     M.S. 5-11
Cleveland, Ohio  44135         	|     email: fsfrick@bones.lerc.nasa.gov
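Since the thread's conclusion is that a shell's own refusal to run setuid is "too late" and that setuid shell scripts are a sieve even when they are "standard" at a site, the practical defensive step is to know which scripts on a system actually carry the bit. The following audit is an added example, not code from the thread or from AIX: it walks a tree and reports every regular file that has the setuid or setgid bit AND starts with `#!`, which is exactly the case the kernel hands to an interpreter with the id change in effect; the sample tree, its file names and the `/bin/ksh` and `/bin/bsh` lines in it are constructed.

```python
import os
import stat
import tempfile

def script_interpreter(path):
    """Interpreter named on a '#!' first line, or None if the file is not a script."""
    with open(path, "rb") as f:
        first = f.readline(256)
    if not first.startswith(b"#!"):
        return None
    parts = first[2:].split()
    return parts[0].decode("ascii", "replace") if parts else ""

def find_setuid_scripts(root):
    """(relative path, interpreter) for each regular file under root that carries the
    setuid/setgid bit AND starts with '#!': an interpreted script run with an id change."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks while auditing
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue  # no id change on exec, so not a setuid script
            interp = script_interpreter(path)
            if interp is not None:
                findings.append((os.path.relpath(path, root), interp))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample (hypothetical names, not from the thread): two setuid
    scripts, one setuid non-script, one script without the bit."""
    samples = {
        "bin/fixperms": (b"#!/bin/ksh\nchmod 644 /var/spool/foo\n", 0o4755),
        "bin/reporter": (b"#!/bin/bsh\necho report\n", 0o4755),
        "bin/nativetool": (b"\x7fELF-not-a-script\n", 0o4755),
        "bin/harmless": (b"#!/bin/ksh\necho ok\n", 0o755),
    }
    os.makedirs(os.path.join(root, "bin"), exist_ok=True)
    for rel, (content, mode) in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
        os.chmod(os.path.join(root, rel), mode)

def demo():
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return find_setuid_scripts(d)
```

Against a live system, run `find_setuid_scripts` over the directories you care about with enough privilege to read them; the `#!` test is what separates interpreted scripts from native setuid binaries, which this audit deliberately leaves alone.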