Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!olivea!orc!inews!iwarp.intel.com!news
From: merlyn@iwarp.intel.com (Randal Schwartz)
Newsgroups: comp.lang.perl
Subject: Re: Trouble with setuid
Message-ID: <1990Aug27.223453.2372@iwarp.intel.com>
Date: 27 Aug 90 22:34:53 GMT
References: <^-i2f2.-42@smurf.sub.org> <1990Aug27.181341.425@iwarp.intel.com> <15805@bfmny0.BFM.COM>
Sender: news@iwarp.intel.com
Reply-To: merlyn@iwarp.intel.com (Randal Schwartz)
Organization: Stonehenge; netaccess via Intel, Beaverton, Oregon, USA
Lines: 37
In-Reply-To: tneff@bfmny0.BFM.COM (Tom Neff)

In article <15805@bfmny0.BFM.COM>, tneff@bfmny0 (Tom Neff) writes:
| In article <1990Aug27.181341.425@iwarp.intel.com> merlyn@iwarp.intel.com (Randal Schwartz) writes:
| >Good for it. It's working properly. Suid scripts are a dangerous
| >security hole. Don't use 'em. If you haven't disabled setuid scripts
| >on your system, do that. Then, put a little C program wrapper around
| >your script with the following program ...
|
| Could someone explain to my dimwitted satisfaction how the security
| weakness of setuid scripts is corrected by simply exec'ing the scripts
| from a setuid wrapper??

To do so would reveal the whole hole, but hey, what the heck, I heard
about it in comp.unix.wizards anyway, so here goes...

There's a small but non-zero window of time between when the system code
handling execve() notices the setuid bits and when the file is opened by
the shell selected from the #! magic number. During that window, renaming
the file (or a link to it... there's a hint) can cause one pile-o-text to
be subbed for the other pile-o-text. The first is the "real" script, and
the second is your arbitrary program. The net effect is that your
arbitrary program is executed with the privileges of the "real" script.

How big is the window? Big enough to get at from a *shell* program
invoking "rm" and "mv" and "ln" (I know, I wrote one)! Sheesh.

The wrapper helps because the file executed by the wrapper is explicitly
named, and short of being able to move *that* file around, you're pretty
safe.

Just another security weenie and Perl hacker,
-- 
/=Randal L. Schwartz, Stonehenge Consulting Services (503)777-0095 ==========\
| on contract to Intel's iWarp project, Beaverton, Oregon, USA, Sol III      |
| merlyn@iwarp.intel.com ...!any-MX-mailer-like-uunet!iwarp.intel.com!merlyn |
\=Cute Quote: "Welcome to Portland, Oregon, home of the California Raisins!"=/
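The following is an added example of the kind of "little C program wrapper" the post refers to; it is not the program from the earlier article in this thread, and the interpreter path (/usr/bin/perl), the script path (/usr/local/lib/wrapped/report.pl) and the helper names are assumptions for illustration. The point it demonstrates is the one the post makes: the setuid bit lives on a compiled binary whose exec is not split between the kernel and an interpreter, and the script it runs is a fixed absolute name that is never taken from the caller. It also hands the script a fixed environment rather than the caller's, since a wrapper that forwards PATH, IFS or PERL5LIB from an untrusted caller reopens a different door.

```c
/* Added example: a minimal setuid wrapper around an explicitly named
   script. Not the wrapper from the original thread; paths are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define INTERP_PATH "/usr/bin/perl"                    /* assumed */
#define SCRIPT_PATH "/usr/local/lib/wrapped/report.pl" /* assumed */

/* Fixed, minimal environment: the script never inherits PATH, IFS,
   ENV, PERL5LIB or anything else from whoever ran the wrapper. */
static char *const safe_env[] = {
    "PATH=/usr/bin:/bin",
    "IFS= \t\n",
    NULL
};

/* The wrapper only ever execs a fixed, absolute, canonical name:
   reject relative paths, empty ("//") segments, "." and "..", and a
   trailing slash. Returns 1 if the path is acceptable, 0 otherwise. */
int script_path_is_fixed(const char *path) {
    if (path == NULL || path[0] != '/') return 0;
    if (path[strlen(path) - 1] == '/') return 0;
    const char *p = path + 1;              /* skip the leading '/' */
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 0) return 0;            /* "//" inside the path */
        if (len == 1 && seg[0] == '.') return 0;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        if (*p == '/') p++;
    }
    return 1;
}

/* Build the argv handed to the interpreter. The caller's own arguments
   are deliberately not forwarded: the interpreter, the "--" option
   terminator and the script name are all constants. Returns the number
   of entries before the terminating NULL, or -1 if out is too small. */
int build_argv(char **out, int cap) {
    if (cap < 4) return -1;
    out[0] = INTERP_PATH;
    out[1] = "--";
    out[2] = SCRIPT_PATH;
    out[3] = NULL;
    return 3;
}

int main(void) {
    char *argv[4];
    if (!script_path_is_fixed(SCRIPT_PATH) || build_argv(argv, 4) < 0) {
        fprintf(stderr, "wrapper: refusing to run with a bad script path\n");
        return 1;
    }
    /* Real uid is left as the caller's and effective uid as the owner's,
       so an interpreter such as perl can still notice the mismatch and
       enable its own taint checking. */
    execve(argv[0], argv, safe_env);
    perror("wrapper: execve");             /* reached only if exec failed */
    return 1;
}
```

Install the compiled binary with the setuid bit and leave the script itself without one; the script should also be owned by the privileged user and not writable by anyone else, since "short of being able to move *that* file around" is exactly the condition the wrapper relies on.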