bush@prg.ox.ac.uk (Mark Bush) (06/11/91)
Should taintperl be allowed to read scripts from stdin? If so then suid scripts are a security hole!

If I make a symbolic link called `-' to a suid script, cd to the directory containing said link, have `.' on my path, then I just execute `-'. With `bash' as my shell, the script appears to be run as `./-' so there is no problem. With csh, for example, the script gets run as `-'. The system sees the reference `#!/usr/bin/taintperl' or whatever at the start and a new process is created with argument list:

    /usr/bin/taintperl -

Now taintperl sees `-' as an argument and tries to read a script from stdin. The user merely has to type:

    exec '/bin/sh';
    ^D

to get a shell running with the perl script's privileges!

This is all on a Sun anything running any kind of SunOS. I imagine the same thing holds anywhere?

Should taintperl, then, treat an argument of `-' as if it were `./-' or what?

Mark
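A defensive check of the kind Mark's closing question points at, as an added example that is not from either post: a hypothetical interpreter wrapper that refuses to take a privileged script from stdin, refuses to run a privileged script through a symbolic link, and rewrites a bare `-' to `./-' in the unprivileged case so a file really named `-' stays runnable. The function name and the "privileged"/"unprivileged" flag are assumptions made for this example.

```shell
# Added example, not code from the original thread or from perl/taintperl.
# resolve_script_arg SCRIPT_ARG [privileged|unprivileged]
#   SCRIPT_ARG is the argument the kernel appends after a "#!" exec.
#   Prints the path the interpreter should open, or fails with a message.
resolve_script_arg() {
    arg=$1
    mode=${2:-unprivileged}   # constructed flag: how the wrapper was entered

    case $arg in
        "")
            echo "resolve_script_arg: no script argument given" >&2
            return 1
            ;;
        -)
            # A bare "-" conventionally means "read the script from stdin".
            # With privilege that lets whoever controls stdin supply the
            # code, so refuse; otherwise treat it as the file "./-".
            if [ "$mode" = privileged ]; then
                echo "resolve_script_arg: refusing to read a privileged script from stdin" >&2
                return 1
            fi
            arg=./-
            ;;
    esac

    # The link name, not the target, is what the interpreter sees in argv,
    # so a privileged script must not be reached through a symlink.
    if [ "$mode" = privileged ] && [ -L "$arg" ]; then
        echo "resolve_script_arg: refusing symlinked privileged script: $arg" >&2
        return 1
    fi

    if [ ! -f "$arg" ] && [ "$arg" != ./- ]; then
        echo "resolve_script_arg: not a regular file: $arg" >&2
        return 1
    fi

    printf '%s\n' "$arg"
}
```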
tchrist@convex.com (Tom Christiansen) (06/17/91)
>Should taintperl be allowed to read scripts from stdin? If so then suid
>scripts are a security hole! If I make a symbolic link called `-' to a suid
>script, cd to the directory containing said link, have `.' on my path, then
>I just execute `-'. With `bash' as my shell, the script appears to be run
>as `./-' so there is no problem. With csh, for example, the script gets run
>as `-'. The system sees the reference `#!/usr/bin/taintperl' or whatever at
>the start and a new process is created with argument list:
>
>/usr/bin/taintperl -
>
>Now taintperl sees `-' as an argument and tries to read a script from
>stdin. The user merely has to type:
>
>exec '/bin/sh';

Can you actually use this to get a suid shell on your system?

You don't call taintperl directly. Perl will call taintperl or suidperl appropriately for you. taintperl itself isn't suid, so this isn't going to be a problem. Notice how 'suidperl -' doesn't work.

--tom
--
Tom Christiansen tchrist@convex.com convex!tchrist
"So much mail, so little time."