Path: utzoo!yunexus!geac!syntron!jtsv16!uunet!seismo!sundc!pitstop!sun!decwrl!purdue!bu-cs!mirror!ima!cfisun!lakart!dg
From: dg@lakart.UUCP (David Goodenough)
Newsgroups: comp.unix.wizards
Subject: Re: Secure setuid shell scripts
Message-ID: <307@lakart.UUCP>
Date: 24 Oct 88 16:54:04 GMT
Article-I.D.: lakart.307
References: <14069@mimsy.UUCP>
Organization: Lakart Corporation, Newton, MA
Lines: 39

From article <14069@mimsy.UUCP>, by chris@mimsy.UUCP (Chris Torek):
> In article <4409@bsu-cs.UUCP> dhesi@bsu-cs.UUCP (Rahul Dhesi) asks:
>>If a 4.3BSD system has not been patched to disallow set-user-id shell
>>scripts, but root uses no set-user-id scripts, does a security hole
>>still exist that will allow an unprivileged user to obtain root
>>privileges?
> 
> If I can modify that to `... but there are no set-user-id scripts that
> set the user ID to root', the answer is no (discounting other avenues,
> e.g., the `::0:0:::' entries sometimes found in /etc/passwd).  If the
> system has not been patched, and there is a set-ID script somewhere,
> that script can be used as the basis for gaining the privileges granted
> by that ID (user or group) in a way that the author of the script most
> likely did not intend.

One question. What does an

execl("/bin/sh", "/bin/sh", "-", "-i", 0);

do. I.e. what happens when the first line is:

#! /bin/sh -

rather than plain old:

#! /bin/sh

This closes up the security hole very nicely here (unless there's some
sneaky way of getting in that I didn't know about). Incidentally, lakart
is BSD4.3, so we DO have symbolic links: it was suggested that if no
symbolic links existed, then by denying write permission to general users
on all filesystems where suid 0 reside the problem could be reduced. (I'm
not going to say solved, nothing in this world is certain except death
and taxes :-) :-) )

As an aside on the IFS problem: the following is taken from man 1 sh:

          IFS  Internal field separators, normally space, tab,
               and newline.  IFS is ignored if sh is running as
               root or if the effective user id differs from the
               real user id.

i.e. with our shell setting IFS to "/" (or anything) won't help a whole
lot
-- 
	dg@lakart.UUCP - David Goodenough		+---+
							| +-+-+
	....... !harvard!xait!lakart!dg			+-+-+ |
AKA:	dg%lakart.uucp@harvard.harvard.edu	  	  +---+