Path: utzoo!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!ames!nrl-cmf!mailrus!cornell!uw-beaver!tektronix!tekcrl!terryl
From: terryl@tekcrl.CRL.TEK.COM
Newsgroups: comp.unix.wizards
Subject: Re: Secure setuid shell scripts
Message-ID: <3194@tekcrl.CRL.TEK.COM>
Date: 21 Oct 88 17:23:25 GMT
References: <14066@iuvax.cs.indiana.edu> <4409@bsu-cs.UUCP>
Reply-To: terryl@tekcrl.CRL.TEK.COM
Organization: Tektronix, Inc., Beaverton, OR.
Lines: 28

In article <4409@bsu-cs.UUCP> dhesi@bsu-cs.UUCP (Rahul Dhesi) writes:
>If a 4.3BSD system has not been patched to disallow set-user-id shell
>scripts, but root uses no set-user-id scripts, does a security hole
>still exist that will allow an unprivileged user to obtain root
>privileges?

Yes. The problem is not that root uses a set-user-id shell script, but that there exists anywhere in the file system a set-user-id shell script THAT I CAN EXECUTE AS A MERE MORTAL (i.e. normal user). If such a set-user-id shell script does exist, then in a matter of minutes (depending on how fast I can type!!! (-:) I can become the id of that shell script!!!! No matter the id, if I can execute it, I can be that id, without knowing the password or any other such trickery. If it's a set-user-id shell script to root, you know the old saying: "Well, bend over backwards and kiss your ..... goodbye!!!"

As has been alluded to MANY times in the past, the problem is NOT in the semantics of the shell language (i.e. sh, csh, ksh), but in the semantics of the file system itself. Think about it for a while. I know when this first hit I said, "Boy, sure sounds like a lot of paranoia to me". But, after thinking about it for a week or so, the little light (literally!!) went on inside my head, and then I said, "Yuck!!! That's not mere paranoia, that's a genuine security hole that's not easily fixed" (short of disallowing set-user-id shell scripts).
Just as a little more information, I do need a directory that I can write to, but it doesn't have to be anywhere special. Since /tmp (and usually /usr/tmp) is writable by everyone in the world, this will suit my needs just fine.
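The post's point is that any set-user-id shell script an ordinary user can reach is the hole, regardless of its owner, so the defender's check is to find such scripts wherever they sit. The audit function below is an added example, not code from the original post; it assumes a POSIX sh with `find` and `dd`, and treats a set-user-id or set-group-id regular file whose first two bytes are `#!` as an interpreter script to report.

```shell
#!/bin/sh
# Added audit example (not from the original post): list set-user-id or
# set-group-id regular files that the kernel would hand to an interpreter,
# i.e. files beginning with the "#!" magic. Run as root over "/" for a
# full-system sweep; the directory arguments here are whatever you pass.
# Usage: find_setuid_scripts DIR...
find_setuid_scripts() {
    # -perm -4000: set-user-id bit set; -perm -2000: set-group-id bit set.
    # -type f restricts the check to regular files, since the 2000 bit
    # means something else on directories. -xdev stays on one filesystem.
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # Read only the first two bytes; an interpreter script starts "#!".
        # dd is used rather than head -c because head -c is not POSIX.
        magic=$(dd if="$f" bs=2 count=1 2>/dev/null)
        if [ "$magic" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}
```

Every path printed is a script whose interpreter runs with a borrowed identity; the remedy the post arrives at is to remove the set-id bits (or disallow set-user-id scripts system-wide), not to tidy up the script's contents.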