Re: SUID shell scripts, questions?

Carson Gaspar (carson@lehman.com)
Sat, 11 Feb 1995 18:38:00 -0500 (EST)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Robert M. Haas: "Re: Solaris 2.3 ndd bug"
Previous message: Dow Summers: "Solaris 2.3-2.4 Audit Bug"
In reply to: Greg Woods: "Re: SUID shell scripts, questions?"
Next in thread: Fred Blonder: "Re: SUID shell scripts, questions?"

On Fri, 10 Feb 1995, Greg Woods wrote:

> Or you can just create a symlink to a setuid script called "-i". Guess
> what happens when the system executes "sh -i"? Don't even need the
> race condition. And even without this, you could always overwrite the
> SAME file with something new, so the fd doesn't change.

Attack #1 (symlink -i) fails under solaris.  The shell is invoked as:
/bin/sh /dev/fd/xxx

Attack #2 is only possible if you're dumb enough to leave a setuid 
program world-writeable.

--
Carson Gaspar -- carson@cs.columbia.edu carson@lehman.com
<This is the boring business .sig - no outre sayings here>

Next message: Robert M. Haas: "Re: Solaris 2.3 ndd bug"
Previous message: Dow Summers: "Solaris 2.3-2.4 Audit Bug"
In reply to: Greg Woods: "Re: SUID shell scripts, questions?"
Next in thread: Fred Blonder: "Re: SUID shell scripts, questions?"