Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!cmcl2!brl-adm!adm!H_Eidnes%vax.runit.unit.uninett@TOR.NTA.NO
From: H_Eidnes%vax.runit.unit.uninett@TOR.NTA.NO (Håvard Eidnes)
Newsgroups: comp.unix.wizards
Subject: suid shell scripts - security hole
Message-ID: <9839@brl-adm.ARPA>
Date: Sun, 18-Oct-87 07:18:37 EDT
Article-I.D.: brl-adm.9839
Posted: Sun Oct 18 07:18:37 1987
Date-Received: Sun, 18-Oct-87 23:39:32 EDT
Sender: news@brl-adm.ARPA
Lines: 30

As quoted from <7525@steinmetz.steinmetz.UUCP> by stpeters@dawn.steinmetz:
+---------------
| There is an *enormous* hole that is totally independent of the script
| contents.  Show me a suid script, and I can be running as uid 0 in 10
| seconds.  (BSD and derivatives at least, but I believe others as well.)
+---------------

Would some kind soul please enlighten me as to the size of this hole?
More specifically, what does the hole "consist of"?  I.e. what would you
do in your 10 seconds?  What part of the kernel is responsible for this
hole?

I personally don't want to use this information to break in, but to be
aware of the size of the hole, be able to try it out on the system(s) I
administrate (to verify that the hole is there also), and (depending on
the outcome of the previous step) stop having suid shell scripts lying
around.  Of course you have no way of verifying this.

I personally think such security holes should be well-known so that
system administrators can be aware of them, and take appropriate
precautions (in this case: don't install suid shell scripts).  I know a
lot of people think otherwise, but please don't start this discussion.

On a similar point: is there a similar security hole connected with
setgid shell scripts (on BSD systems)?

-------
E-Mail: (or @nta-vax.arpa)          Håvard Eidnes (or TeXish: H\aa vard Eidnes)
Division of Computer Science, Norwegian Institute of Technology
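The precaution the post arrives at, not leaving suid (or setgid) shell scripts lying around, is something an administrator can check for mechanically. The script below is an added example written for this page, not code from the original post or its author; it walks a directory tree (the path given on the command line is an assumption) and reports every set-user-ID or set-group-ID regular file whose first two bytes are "#!", which is how an interpreter script is distinguished from a compiled binary. It covers the setgid case the post asks about as well as setuid.

```shell
#!/bin/sh
# Added example (not from the original post): report set-user-ID and
# set-group-ID files under a directory tree whose first two bytes are
# "#!", i.e. interpreter scripts rather than compiled binaries.
# Usage: find_suid_scripts /usr/local/bin   (the directory is an assumption)

find_suid_scripts() {
    root="$1"
    # -perm -4000 matches files with the setuid bit set, -perm -2000 the
    # setgid bit; -xdev keeps the walk on a single filesystem.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r path; do
        # Read only the first two bytes; an interpreter script starts with "#!".
        magic=$(head -c 2 "$path" 2>/dev/null)
        if [ "$magic" = "#!" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# When invoked with a directory argument, list the findings with mode and
# owner so an administrator can decide what to remove or replace.
if [ "$#" -gt 0 ]; then
    find_suid_scripts "$1" | while IFS= read -r p; do ls -l "$p"; done
fi
```

Run it against the directories where local administrators install tools (for example the /usr/local tree); any path it prints is a candidate for replacement with a compiled wrapper or for having its setuid/setgid bit cleared with chmod.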