Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!cs.utexas.edu!uunet!auspex!guy
From: guy@auspex.auspex.com (Guy Harris)
Newsgroups: comp.unix.internals
Subject: Re: how to setuid for shell scripts?
Message-ID: <4432@auspex.auspex.com>
Date: 18 Nov 90 02:53:28 GMT
References: <25009@adm.brl.mil> <633@vtserf.cc.vt.edu>
Organization: Auspex Systems, Santa Clara
Lines: 48

>The security leaks are ENORMOUS - it takes *ANY* user a whole
>whopping 3 or 4 commands to get a full-function interactive shell
>running under the UID the shell is set-UID to.
>
>I won't give full details, other than to say - how does csh know
>to run .login for a login shell, but not a subshell? Now think
>about .login for a while......
>
>(Hint - the shell checks argv[0] for a '-')...

Yes, but on 4.3BSD and any system that does 4.3BSD-style argument
handling with "#!" (SunOS 3.2 and later, S5R4, probably lots of other
systems), the name of the script does *NOT* get passed to the shell as
"argv[0]", so that *particular* hole isn't there on those systems.
Dunno if it's fixed in the particular version of Ultrix the original
poster is using, though; unless they know it is, they should assume it
isn't....

There are plenty of other holes. To close one of them, make sure that
the "#!" line looks like:

	"#! /bin/sh -"		Bourne shell (also Korn and probably Bourne-again
				shells, with appropriate change of interpreter
				path name)

	"#! /bin/csh -b"	4.3BSD and later C shell (and probably C-shell
				derivatives), assuming you've written the script
				in C shell for some reason

To close others, make sure you set PATH (or "path", in C shell scripts -
assuming you really *like* writing C shell scripts) before running any
commands, and in Bourne/Korn/Bourne-again shell scripts, set IFS before
setting anything else.

There are probably other things you need to watch out for as well. The
shells are all big enough programs interpreting big-enough languages
that there are probably other ways of breaking in to incautiously-written
scripts.

On top of that, there's a hole with "#!" that's present in almost all
systems - I think it's fixed in S5R4 and think it'll be fixed in 4.4BSD -
that you *can't* plug except by doing fixes of the sort done in those
systems. There are alternatives to "#!"; Maarten Litmath has a program
whose name I've forgotten that you can use (he says, in an attempt to
prompt Maarten to follow up :-)).
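As an added example, not code from Guy's post or from any of the shells it mentions: a small Python lint that applies the three hardening points above to the text of a script, checking that the "#!" line ends in a bare "-" (or "-b" for csh), that IFS is the first thing assigned, and that PATH is assigned before any command runs. The IFS and PATH checks assume sh/ksh-style NAME=value assignments; `lint_script`, `statements`, `UNSAFE` and `HARDENED` are names chosen here, and both sample scripts are constructed for the demonstration.

```python
import re

# NAME=value at the start of a statement (sh/ksh-style assignment)
ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=")

def statements(lines):
    """Drop blanks/comments; join lines while a single-quoted string is open,
    so IFS=' <tab><newline>' counts as one assignment."""
    stmts, buf = [], ""
    for line in lines:
        if not buf and (not line.strip() or line.lstrip().startswith("#")):
            continue
        buf = buf + "\n" + line if buf else line
        if buf.count("'") % 2 == 0:       # quote closed: statement complete
            stmts.append(buf)
            buf = ""
    return stmts + ([buf] if buf else [])

def lint_script(text):
    """Return findings for the three checks; [] means the script passes."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#!"):
        return ["no #! line"]
    findings = []
    if lines[0].split()[-1] not in ("-", "-b"):
        findings.append("#! line lacks trailing - (sh/ksh) or -b (csh) option")
    stmts = statements(lines[1:])
    first = ASSIGN.match(stmts[0]) if stmts else None
    if first is None or first.group(1) != "IFS":
        findings.append("IFS is not the first thing set")
    # Index of the first PATH assignment and of the first non-assignment (a command)
    names = [(m.group(1) if m else None) for m in map(ASSIGN.match, stmts)]
    path_at = names.index("PATH") if "PATH" in names else None
    cmd_at = names.index(None) if None in names else None
    if path_at is None or (cmd_at is not None and cmd_at < path_at):
        findings.append("PATH is not set before the first command")
    return findings

# Constructed samples: the shape the post warns about, and the hardened shape
UNSAFE = "#! /bin/sh\necho hello\n"
HARDENED = (
    "#! /bin/sh -\n"
    "IFS=' \t\n"          # space, tab, newline: the default field separators
    "'\n"
    "PATH=/bin:/usr/bin\n"
    "export PATH\n"
    "echo hello\n"
)
```

`lint_script(UNSAFE)` reports all three findings, while `lint_script(HARDENED)` returns an empty list.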