Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!cs.utexas.edu!asuvax!noao!ncar!gatech!usenet.ins.cwru.edu!eagle!bones!fsfrick From: fsfrick@bones.lerc.nasa.gov (David Fricker) Newsgroups: comp.unix.aix Subject: Re: bsh & ksh running setuid Message-ID: <1991Apr30.121532.5477@eagle.lerc.nasa.gov> Date: 30 Apr 91 12:15:32 GMT References: <1991Apr29.132514.8361@eagle.lerc.nasa.gov> <1991Apr29.200328.5668@ico.isc.com> Sender: news@eagle.lerc.nasa.gov Reply-To: fsfrick@bones.UUCP (David Fricker) Organization: NASA/Lewis Research Center, Cleveland Lines: 38 In article <1991Apr29.200328.5668@ico.isc.com> rcd@ico.isc.com (Dick Dunn) writes: >fsfrick@bones.lerc.nasa.gov (David Fricker) writes: >> FYI: under AIXv3.1 release 3003, bsh & ksh do NOT ignore the >> setuid bits when running a script... >... >> So, if you want scripts to run setuid and you have release 3003, you >> may want to save a copy of the bsh & ksh binaries. > >1. I'm not clear on how this is a property of the shells, rather than >the OS. Seems that the shell isn't going to be able to alter its own uid; >it needs kernel help at exec() time. > The kernel supports #!/bin/xxsh, and it calls the requested interpreter. When '/bin/csh' finds itself setuid, it dies or ignores the suid bit. When '/bin/bsh' or '/bin/ksh' finds itself setuid, it DOS NOT die or ignore the suid bit. The key is that the shell _IS_ executing setuid scripts and changing ids. The bourne shell executes the script schizoid--effective & real userids are NOT the same during the execution of the script's commands. 'csh', however, refuses to run in this fashion (as the documentation says). Dick Dunn also wrote: >2. For those who haven't run into this before: Note that setuid shell >scripts are a security sieve. >-- True. However, our site still has some setuid shell scripts that are 'standard'. The vulnerability is recognized. -- ----------------------------------------------------------------------------- David Fricker | phone: 216-433-5960 NASA Lewis Research Center | M.S. 5-11 Cleveland, Ohio 44135 | email: fsfrick@bones.lerc.nasa.gov