Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!rutgers!mcnc!ece-csc!ncrcae!ncr-sd!hp-sdd!hplabs!ucbvax!bostic
From: bostic@ucbvax.BERKELEY.EDU (Keith Bostic)
Newsgroups: comp.unix.wizards
Subject: Re: suid shell scripts - security hole
Message-ID: <21343@ucbvax.BERKELEY.EDU>
Date: Mon, 19-Oct-87 10:59:21 EDT
Article-I.D.: ucbvax.21343
Posted: Mon Oct 19 10:59:21 1987
Date-Received: Tue, 20-Oct-87 06:49:35 EDT
References: <9839@brl-adm.ARPA>
Organization: University of California at Berkeley
Lines: 30
Summary: yes they are a security hole, let's stop this discussion

In article <9839@brl-adm.ARPA>, H_Eidnes%vax.runit.unit.uninett@TOR.NTA.NO (Håvard Eidnes) writes:
> As quoted from <7525@steinmetz.steinmetz.UUCP> by stpeters@dawn.steinmetz:
> +---------------
> | There is an *enormous* hole that is totally independent of the script
> | contents.  Show me a suid script, and I can be running as uid 0 in 10
> | seconds.  (BSD and derivatives at least, but I believe others as well.)
> +---------------
>
> Would some kind soul please enlighten me as to the size of this hole?
> More specifically, what does the hole "consist of"?  I.e. what would you
> do in your 10 seconds?  What part of the kernel is responsible for this
> hole?

I believe there to be security problems associated with setuid shell
scripts in every version of UNIX that provides them.  If you want a
secure system, do not allow users to have setuid shell scripts.  As far
as I know, all of these problems allow the breaker the uid of the shell
script -- the above claim that any setuid shell script results in root
privileges is new to me.

Now, can this discussion go away?

> I personally think such security holes should be well-known so that
> system administrators can be aware of them, and take appropriate
> precautions (in this case: don't install suid shell scripts).  I know a
> lot of people think otherwise, but please don't start this discussion.

The rules should be that you document the existence of the hole, and you document any fixes that are applicable. Just *never* post how to use the hole. (And you try to disguise the fix.) --keith
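The post states the fix ("don't install suid shell scripts") without showing how an administrator would verify it. What follows is an added example, not part of Keith Bostic's article or of any tool it mentions: a small sh audit that walks a tree for regular files carrying the setuid or setgid bit whose first two bytes are "#!" (the marker that makes the kernel hand the file to an interpreter instead of executing it directly), and optionally strips those bits. The function names, the "audit.sh" name and the --fix flag are assumptions of the example, not anything from the original discussion.

```shell
#!/bin/sh
# Added example, not from the original post: audit a filesystem tree for
# setuid/setgid interpreter scripts and (optionally) strip the bits.
# Function names and the usage shown at the bottom are assumptions.

# Print, one per line, every regular file under $1 that has the setuid
# or setgid bit set and whose first two bytes are "#!".  A "#!" file is
# one the kernel hands to an interpreter, i.e. a script; compiled setuid
# binaries are deliberately left alone, since they are a separate matter.
find_setid_scripts() {
    root="${1:-/}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # dd reads exactly two bytes; it is portable where "head -c" is not.
        magic=$(dd if="$f" bs=1 count=2 2>/dev/null)
        if [ "$magic" = '#!' ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Apply the fix the post points at: remove setuid and setgid from every
# script found under $1.  Reports each path it changed; returns 0 even
# when nothing was found so it composes safely under "set -e".
strip_setid_scripts() {
    find_setid_scripts "$1" |
    while IFS= read -r f; do
        chmod u-s,g-s "$f" && printf 'cleared setuid/setgid on %s\n' "$f"
    done
    return 0
}

# Usage (hypothetical file name):
#   sh audit.sh /usr          report setuid/setgid scripts under /usr
#   sh audit.sh /usr --fix    report and strip the bits
if [ "$#" -gt 0 ]; then
    if [ "$2" = "--fix" ]; then
        strip_setid_scripts "$1"
    else
        find_setid_scripts "$1"
    fi
fi
```

Two caveats worth keeping in mind when running this. The check follows the kernel's view of the file, so a setuid compiled wrapper that exec's a script is not reported, and the wrapper itself needs the usual review given to any setuid binary. Also, later kernels (Linux among them) simply ignore the setuid bit on "#!" files, so on such a system a hit is a misconfiguration left behind rather than a live privilege escalation; on the systems the 1987 thread is about, it is the hole itself.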