Re: setuid scripts in SunOS 4.1.x

Fred Blonder (fred@nasirc.hq.nasa.gov)
Wed, 28 Sep 1994 10:55:52 -0400

	From: John Hawkinson <jhawk@panix.com>

	When we say FIXING THE KERNEL, we MEAN DISABLING SETUID SCRIPTS.

	If you have some other reasonable mechanism, I'd be interested
	in hearing it...

Well, just to keep thrashing this one around, imagine the following
implementation: Set-uid script 'foo' calls interpreter 'bar':

    -rws--x--x  1 user           33 Sep 28 10:33 foo

    foo:
	#! /bin/bar
		.
		.
		.

A user invokes 'foo', the kernel sees the magic token '#!', converts
the inode for file 'foo' to a file descriptor (say for the purpose of
this example: fd 3) and adds it to the set of open file descriptors
(assuming the standard 0, 1 and 2 are already open), then execs
'/bin/bar' with an argument of '/dev/fd/3'.  The evil cracker can shift
symbolic links around to his heart's content, but can't prevent the
'/bin/bar' process from opening the correct script since it's already
been passed as an open file descriptor, hence no race condition.  This
approach requires no changes to existing interpreters.

I suggest we move this discussion to a different forum, as it's now
pretty far beyond the declared scope of bugtraq.
-----
Fred Blonder		fred@nasirc.hq.nasa.gov

Hughes STX Corp.	(301) 441-4079
7701 Greenbelt Rd.
Greenbelt, Md.  20770
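The open-then-exec sequence the post sketches, as an added example that is not part of Fred Blonder's message or of any SunOS code. It stands in for the kernel from user space: a plain `open()` of the script, a constructed rename of a different file over the same path (the link shuffle the post mentions), and then an `execl()` of the interpreter with `/dev/fd/N` as its argument. The pre-opened file still runs; a path-based invocation after the swap does not. It assumes a Unix-like system with `/dev/fd` (Linux or BSD) and `/bin/sh`; the temporary scripts, their exit codes and the `demo_fd_vs_path` name are all constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write a small constructed script body to `path`. Returns 0 on success. */
static int write_script(const char *path, const char *body) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(body, f);
    return fclose(f);
}

/* Wait for a child and return its exit status, or -1 if it did not exit normally. */
static int wait_status(pid_t pid) {
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The mechanism from the post: the script is already open as `fd`, so the
 * interpreter is handed /dev/fd/N and never re-resolves the script's path. */
int run_script_by_fd(const char *interp, int fd) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char fdpath[32];
        snprintf(fdpath, sizeof fdpath, "/dev/fd/%d", fd);
        execl(interp, interp, fdpath, (char *)NULL);
        _exit(127); /* exec failed */
    }
    return wait_status(pid);
}

/* For contrast: the classic form, where the interpreter opens the path itself
 * and therefore sees whatever the path points at by the time it runs. */
int run_script_by_path(const char *interp, const char *path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl(interp, interp, path, (char *)NULL);
        _exit(127);
    }
    return wait_status(pid);
}

/* Builds two constructed scripts in a temp dir, opens the first, swaps the
 * second over its path, then runs the interpreter both ways.
 * Returns 0 on success; *by_fd and *by_path receive the two exit statuses. */
int demo_fd_vs_path(int *by_fd, int *by_path) {
    char dir[] = "/tmp/setuid-fd-demo-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char foo[128], other[128];
    snprintf(foo, sizeof foo, "%s/foo", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    if (write_script(foo, "#!/bin/sh\nexit 42\n") != 0 ||
        write_script(other, "#!/bin/sh\nexit 7\n") != 0)
        return -1;

    /* Step 1 (the kernel's job in the post): open the script before anything else. */
    int fd = open(foo, O_RDONLY);
    if (fd < 0) return -1;

    /* Step 2 (constructed race): the path now names a different file. */
    if (rename(other, foo) < 0) { close(fd); return -1; }

    /* Step 3: the interpreter gets /dev/fd/N, so it runs the file opened in step 1. */
    *by_fd = run_script_by_fd("/bin/sh", fd);
    close(fd);

    /* A path-based run after the swap executes the replacement instead. */
    *by_path = run_script_by_path("/bin/sh", foo);

    unlink(foo);
    rmdir(dir);
    return 0;
}

int main(void) {
    int by_fd, by_path;
    if (demo_fd_vs_path(&by_fd, &by_path) != 0) {
        perror("demo failed");
        return 1;
    }
    printf("via /dev/fd: exit %d (original script)\n", by_fd);
    printf("via path:    exit %d (swapped-in file)\n", by_path);
    return 0;
}
```

The descriptor is deliberately opened without `O_CLOEXEC`, since the whole point is that it survives the `exec` into the interpreter. On Linux `/dev/fd/N` is `/proc/self/fd/N`, which reopens the underlying inode even after the original name has been renamed away; on the BSDs it duplicates the descriptor. Either way the interpreter cannot be steered to a different file by changing the path after the open.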