Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!usc!jarthur!uunet!mcsun!hp4nl!star.cs.vu.nl!maart From: maart@cs.vu.nl (Maarten Litmaath) Newsgroups: comp.unix.internals Subject: Re: how to setuid for shell scripts? Message-ID: <8292@star.cs.vu.nl> Date: 19 Nov 90 19:53:12 GMT References: <25009@adm.brl.mil> <633@vtserf.cc.vt.edu> <4432@auspex.auspex.com> Sender: news@cs.vu.nl Reply-To: maart@cs.vu.nl (Maarten Litmaath) Organization: VU Dept. of Computer Science, Amsterdam, The Netherlands Lines: 76 In article <4432@auspex.auspex.com>, guy@auspex.auspex.com (Guy Harris) writes: )... )On top of that, there's a hole with "#!" that's present in almost all )systems - I think it's fixed in S5R4 and think it'll be fixed in 4.4BSD )- that you *can't* plug except by doing fixes of the sort done in those )systems. ) )There are alternatives to "#!"; Maarten Litmath has a program whose name )I've forgotten that you can use (he says, in an attempt to prompt )Maarten to follow up :-)). OK! :-) The program is called `indir', because a script starting with `#!/path/of/indir' is interpreted INDIRectly. (Does anyone remember V7's indir(2) system call?) Note: `indir' is a generalized version of the `setuid' program; the former can handle non-setuid scripts as well, e.g. scripts which are hindered by the limited length of a `#!' line. Example: #!/usr/local/bin/indir -u #?/bin/sh /safe/path/to/the/setuid/script lots of options shell commands Right. Tom Christiansen already explained the race condition hole. Now how about S5R4 and 4.4BSD? I've been informed that both operating systems are to launch setuid scripts through the /dev/fd driver. For example, assume the file `/bin/foo' is a setuid root shell script, then the kernel handles a system call execl("/bin/foo", "foo", "args", (char *) 0) like this: fd = open("/bin/foo", 0); fstat(fd, &statbuf); if (statbuf.st_mode & S_ISUID) seteuid(statbuf.st_uid); sprintf(buf, "/dev/fd/%d", fd); execl("/bin/sh", "sh", "-", buf, "args", (char *) 0); Now we're sure the right file gets executed with the right permissions. However, there appear to be 2 problems with this approach: 1) `ps' will show something like this - PID TT STAT TIME COMMAND 5393 p1 R 0:00 sh - /dev/fd/3 - not very informative... 2) the following construct wouldn't work for setuid sh scripts - case $0 in foo) # the `foo' link was executed foo_stuff ;; bar) # the `bar' link was executed bar_stuff ;; *) echo "Unknown service requested. Abort." >&2 exit 1 esac - not so nice... Am I right, Chris? -- nreadwin@micrognosis.co.uk (Neil Readwin) on "snuff" films: "Seen one ? I was *in* one. They tortured me horribly and then killed me with a single shot in the back of the head ! Following total brain death I gave up acting and became a VMS hacker."