Xref: utzoo comp.unix.shell:922 comp.unix.ultrix:5359
Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!swrinde!ucsd!ucbvax!ulysses!ulysses.att.com!cjc
From: cjc@ulysses.att.com (Chris Calabrese)
Newsgroups: comp.unix.shell,comp.unix.ultrix
Subject: Re: how to setuid for shell scripts on ultrix? (really: SETUID STRIPTS ARE A SECURITY HOLE)
Message-ID: <14026@ulysses.att.com>
Date: 17 Nov 90 19:17:42 GMT
References: <25009@adm.brl.mil> <1990Nov15.181448.23231@mdivax1.uucp> <6644@ethz.UUCP>
Sender: netnews@ulysses.att.com
Organization: AT&T Bell Laboratories, Murray Hill
Lines: 41

In article <6644@ethz.UUCP> prl@iis.UUCP (Peter Lamb) writes:
>HOWEVER, before you dash off and start making setuid shell scripts:
>
>        SETUID SHELL SCRIPTS ARE INHERENTLY A SECURITY HOLE!
>
>        You *CAN'T* make them hackerproof.
>
>The only exceptions I know to this are Larry Wall's perl interpreter
>and Maarten Litmaat's setuid program (but make sure you get his
>*second* release, not the first, to comp.sources.unix).
>
>Since bulletproof /bin/sh and /bin/csh programs are notoriously
>difficult to write, even in the absence of the kernel problem,
>my recommendation is perl.
>Peter Lamb
>uucp: uunet!mcsun!ethz!prl   eunet: prl@iis.ethz.ch   Tel: +411 256 5241
>Integrated Systems Laboratory
>ETH-Zentrum, 8092 Zurich

I thought I'd throw my $.02 into this discussion.

Yes, it is possible to make them hackerproof.  This requires 2 things.
First, it requires that the script itself is secure (perl, etc. help
here).  Second, it requires the elimination of the kernel problem.  This
has been fixed in versions done at bell labs (and subsequently used in
the System V Release 4 kernel).  The key is that the kernel must pass a
file descriptor to the script, not merely the name of the script.  This
is done by using /dev/fd and passing the appropriate file name for the
file descriptor.

Under this scheme, since the file is never closed and a descriptor is
effectively passed, any foolings with symlinks, naming, etc. as has been
suggested as the inherent security hole won't work.  Of course, it's
still difficult to do the right thing with IFS, etc.  But at least this
makes it _possible_ to write a 100% bulletproof setuid script.

-- 
Name:             Christopher J. Calabrese
Brain loaned to:  AT&T Bell Laboratories, Murray Hill, NJ
att!ulysses!cjc   cjc@ulysses.att.com
Obligatory Quote: ``pher - gr. vb. to schlep.  phospher - to schlep light.
                  philosopher - to schlep thoughts.''
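As an added example that is not part of the post above and not AT&T or SVR4 code: a small C wrapper that does in user space what the post describes the kernel doing, opening the script exactly once and executing the interpreter on the matching /dev/fd/N name, so the interpreter never re-opens the script by path and a symlink or rename swapped in between the two opens has nothing to hit. It assumes a system with /dev/fd, that the wrapper binary (not the script) is what gets installed setuid, and an interpreter that accepts a /dev/fd path; the script's own IFS and PATH hygiene remains the script author's job, exactly as the post notes.

```c
/* Constructed example, not code from the post or from AT&T: open the script
 * once, then exec the interpreter on /dev/fd/N so it never re-opens by name. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Open the script by name exactly once. Refuses symlinks and anything that is
 * not a regular file. No O_CLOEXEC: the descriptor must survive the exec so
 * that /dev/fd/N is still valid inside the interpreter. */
int open_script(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Build the /dev/fd name for an open descriptor: 0 on success, -1 if buf is too small. */
int devfd_path(int fd, char *buf, size_t len) {
    int n = snprintf(buf, len, "/dev/fd/%d", fd);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Usage: wrapper /bin/sh /path/to/script.sh [args...]
 * The wrapper binary, not the script, is what would be installed setuid. */
int main(int argc, char **argv) {
    if (argc < 3) {
        fprintf(stderr, "usage: %s interpreter script [args...]\n", argv[0]);
        return 2;
    }
    int fd = open_script(argv[2]);
    char name[32];
    if (fd < 0 || devfd_path(fd, name, sizeof name) != 0) {
        perror("open_script");
        return 1;
    }
    argv[2] = name;  /* the interpreter sees /dev/fd/N, never the path */
    /* Fixed minimal environment: IFS and PATH are the usual script footguns. */
    char *envp[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };
    execve(argv[1], argv + 1, envp);
    perror("execve");
    return 1;
}
```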