Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!gem.mps.ohio-state.edu!tut.cis.ohio-state.edu!bloom-beacon!eru!luth!sunic!mcsun!hp4nl!star.cs.vu.nl!maart
From: maart@cs.vu.nl (Maarten Litmaath)
Newsgroups: comp.unix.questions
Subject: Re: setuid shell scripts (was: Re: Running processes as root)
Message-ID: <3806@solo7.cs.vu.nl>
Date: 25 Oct 89 08:55:05 GMT
References: <21240@adm.BRL.MIL> <20329@mimsy.umd.edu> <3789@solo6.cs.vu.nl> <20367@mimsy.umd.edu> <3803@solo7.cs.vu.nl> <4917@tekcrl.LABS.TEK.COM>
Organization: V.U. Informatica, Amsterdam, the Netherlands
Lines: 44

terryl@tekcrl.LABS.TEK.COM writes:
\In article <3803@solo7.cs.vu.nl> maart@cs.vu.nl (Maarten Litmaath) writes:
\+chris@mimsy.umd.edu (Chris Torek) writes:
\+\In article <20329@mimsy.umd.edu> (look, domain names now!) I wrote:
\+\>\On all of the BSD derivatives on which setuid scripts run setuid,
\+\>\all such setuid scripts are not secure.
\+\
\+\In article <3789@solo6.cs.vu.nl> maart@cs.vu.nl (Maarten Litmaath) writes:
\+\>It almost never happens, but this time you seem to be wrong, Chris!
\+\
\+\Not really, because I meant `if you write /etc/foo, make it setuid, start
\+\it with ``#! /bin/csh -bf'', and run it, and it runs setuid, then it is
\+\not secure.'
\+
\+I'm sure this was what you meant, but it wasn't what you said! (Check again.)
\+All right, you have already posted an article explaining the race condition,
\+but here's another story anyway, which explains how indir(1) can get things
\+right. Enjoy.
\
\    Not to pick nits, but Chris was *right* *both* times. As you have quoted
\him above, he said "On all of the BSD derivatives on which setuid scripts run
\setuid, all such setuid scripts are not secure."; implicit in this sentence
\is the fact that the only way to get a setuid script to run setuid, one must
\use the #! mechanism. So while Chris did not spell this out explicitly in his
\first posting, he did in his second. But he was still right the first time...
Yeah, one must use the #! mechanism; SO WHAT!? I never denied that!
And I showed how safe setuid scripts (NOTE: Chris didn't even say *shell*
scripts) could be created. You want an example? Right, put the following
in a file /etc/fubar:

    #!/bin/sh /etc/fubar

    echo "Am I right or am I right?"

You're a pretty smart fellow if you can break this one (or you're root).

\PS:
\    Is it time to post another way to breach security with a setuid shell
\script that does NOT depend on the race condition with "unlink"????

Yeah, go right ahead.
-- 
A symbolic link is a POINTER to a file, | Maarten Litmaath @ VU Amsterdam:
a hard link is the file system's GOTO.  | maart@cs.vu.nl, mcsun!botter!maart
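What that first line actually buys you, as an added shell demonstration that is not part of Maarten's post or the thread: it uses a scratch directory and constructed script names (plain, pinned, link) instead of /etc/fubar, and nothing is setuid; the point is only which file the interpreter ends up reading when the script is exec'd through a different path.

```shell
#!/bin/sh
# Added example (not from the original thread): shows why a first line of
# "#!/bin/sh /etc/fubar" pins the file the interpreter reads. The kernel
# builds argv as: interpreter, the optional #! argument, then the path that
# was passed to exec. Everything here lives in a scratch directory.

make_scripts() {
    dir=$(mktemp -d)
    # Plain form: argv becomes "/bin/sh <exec'd path>", so sh opens
    # whatever that path names at that moment (a second, separate open,
    # which is the window the unlink race lives in).
    printf '#!/bin/sh\necho "plain reads: $0"\n' > "$dir/plain"
    # Pinned form: argv becomes "/bin/sh $dir/pinned <exec'd path>", so sh
    # always reads $dir/pinned; the path used for exec merely shows up as $1.
    printf '#!/bin/sh %s\necho "pinned reads: $0 (exec path: $1)"\n' \
        "$dir/pinned" > "$dir/pinned"
    chmod 755 "$dir/plain" "$dir/pinned"
    echo "$dir"
}

# Exec one of the scripts through a hard link at a different path and
# report which file sh actually interpreted.
run_via_link() {
    d=$1; name=$2
    rm -f "$d/link"
    ln "$d/$name" "$d/link"
    "$d/link"
}

dir=$(make_scripts)
run_via_link "$dir" plain    # plain reads: <dir>/link
run_via_link "$dir" pinned   # pinned reads: <dir>/pinned (exec path: <dir>/link)
rm -rf "$dir"
```

With the plain form the interpreter trusts the exec'd path, so whatever that name refers to by the time sh opens it is what runs; with the pinned form the name the caller used is just an argument, and the only thing sh will ever read is the fixed file.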