Re: setuid scripts in SunOS 4.1.x

Karl Strickland (karl@bagpuss.demon.co.uk)
Sat, 24 Sep 1994 15:40:33 +0100 (BST)

> 
> > > The best solution is to make sure you don't have suid shell scripts
> > > Cops does a fine job in finding them for you so does:
> > > 
> > > find /   \( -type d -fstype nfs -prune \) -o -type f \( -perm -4001 -o -perm
> > >  -4010 -o -perm -4100 -o -perm -2100 -o -perm -2010 -o -perm -2001 \)
> > > 
> > > If I remember correctly SunOS 4.1.x is just one of those UNIX systems that
> > > allows suid shell scripts. I don't think this will be 'fixed'.
> > > But you can always try to mail security-alert@Sun.COM.
> > > 
> > > 
> > Of course you can always mount your filesystems `nosuid'.
> 
> The "correct" thing to do is to patch kern_exec.c (kern_exec.o).
> This is nontrivial if you don't have source. It's trivial
> if you do (I don't). No one has done this publicly as of yet.
> 
> Thinking about it, I wonder if the BSD kern_exec is "good enough".
> If so, perhaps it could be substituted. Anyone? (Casper?)

It's not trivial, I think there are a lot of subtle differences.  I understand
SunOS 4.1.x's kern_exec.o is based on the BSD 4.3 version (@(#)kern_exec.c
7.1 (Berkeley) 6/5/86) but a lot must have changed for SunOS.  E.g.:

	1. BSD 4.3 uses inodes for pathname lookups/file access;
	   SunOS uses vnodes.  Their corresponding different operations
	   (e.g. rdwri() & vn_rdwr()) have different interfaces.
	   [Maybe one of the later 4.3BSD's (reno?) which incorporate
	   vnodes might be easier to start from..]

	2. BSD 4.3 pathname lookups use namei(), SunOS uses pn_get() &
	   lookuppn().

	3. BSD 4.3 has no concept of 'nosuid' mounted filesystems.

	4. On SunOS, the exdata struct is part of the user struct, on
	   BSD 4.3 it's just local to execve(), and - just to make it more
	   fun :) - all the corresponding field names are different.

	5. SunOS execve() must have support for other SunOS specific bits
	   that BSD 4.3 doesn't have, like support for trace(1), asynch io &
	   fcntl(2) style record locks.

	etc etc etc.

In short I don't think it could be attempted without access to SunOS source -
and obviously the people with access have no reason to attempt it!

Maybe if enough people scream Sun will put out a patched kern_exec.o, or
at least allow someone else to do it.

------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               |                    Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl@bagpuss.demon.co.uk
                                          |
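The quoted find(1) command lists every set-uid/set-gid file, binaries included; the thing the thread actually wants to hunt down is the subset that the kernel would hand to an interpreter, i.e. files whose first two bytes are the "#!" magic. The following shell function is an added example, not code from the original post or from Sun; the function name find_suid_scripts is my own, and it uses -xdev (run it once per local mount) in place of the -fstype nfs prune so that it also works with finds that lack -fstype. The sample files in the usage note are constructed for illustration.

```shell
#!/bin/sh
# find_suid_scripts DIR [DIR ...]
# Print set-uid or set-gid regular files under each DIR that are interpreter
# scripts (first two bytes are "#!").  Added example, not from the original
# post.  -xdev keeps find on one filesystem, so call it per local mount instead
# of pruning NFS; -print is explicit for old finds that do not print by default.
find_suid_scripts() {
    for root in "$@"; do
        find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        while IFS= read -r f; do
            # Read exactly the two-byte magic; dd is POSIX, head -c is not.
            magic=$(dd if="$f" bs=2 count=1 2>/dev/null)
            [ "$magic" = '#!' ] && printf '%s\n' "$f"
        done
    done
}

# Usage (constructed sample tree):
#   d=$(mktemp -d)
#   printf '#!/bin/sh\necho hi\n' > "$d/suidscript"; chmod 4755 "$d/suidscript"
#   printf '\177ELF' > "$d/suidbin";                  chmod 4755 "$d/suidbin"
#   find_suid_scripts "$d"        # reports only $d/suidscript
```

A hit from this function is a file that should either lose its set-id bit or be replaced by a compiled wrapper; mounting the filesystem `nosuid`, as suggested earlier in the thread, stops the kernel honouring the bit but does not make the file disappear from this listing.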