Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cornell!uw-beaver!rice!sun-spots-request
From: mcvax!camcon.co.uk!igp@uunet.uu.net (Ian Phillipps)
Newsgroups: comp.sys.sun
Subject: Re: Are suid shell scripts using /bin/csh secure
Keywords: Software
Message-ID: <2776@titan.camcon.co.uk>
Date: 26 Apr 89 07:58:11 GMT
References: <8903131921.AA10854@uunet.UU.NET>
Sender: usenet@rice.edu
Organization: Cambridge Consultants Ltd., Cambridge, UK
Lines: 34
Approved: Sun-Spots@rice.edu
Original-Date: 11 Apr 89 13:44:13 GMT
X-Sun-Spots-Digest: Volume 7, Issue 255, message 1 of 16

attcan!utzoo!henry@uunet.uu.net writes:
>>I know of three common modes of attack on set-uid shell scripts, all of
>>which I have failed to apply successfully to reasonably written shell
>>scripts under /bin/csh...
>>The question is, are there any other ways in which shell scripts can be
>>broken, and which shells do they apply to?

>The real question is, are you confident that there *aren't* any others?
>(If you want another one to check out... Can csh be tricked, by invoking
>it with suitable arguments, into running the equivalent of a .profile
>before running the script?)

No trickery needed! It's the default! Verified with csh on SunOS 4.0 and
a .cshrc file containing "whoami". The script starts with "#!/bin/csh -b":
putting -fb plugs this hole. The -b flag is specifically designed to stop
this very problem, and csh will not run suid without it.

Having said that, though, my experience of csh is that it has so many
quirks that I, for one, am not "confident".

Larry Wall says that Berkeley 4.? kernels are insecure (reasons left
unstated to protect the guilty) for ANY shell script, even perl :-), and
has gone to some trouble to circumvent this. Maybe you trust perl less
than csh, but at least the author has thought about the problem, and has
issued an unanswered challenge for anyone to break perl scripts' security.

And you can flame him on the net if it doesn't work :-)

UUCP:  igp@camcon.co.uk   | Cambridge Consultants Ltd  |  Ian Phillipps
or:    igp@camcon.uucp    | Science Park, Milton Road  |-----------------
Phone: +44 223 420024     | Cambridge CB4 4DW, England |
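
An added example, not part of the original post: a POSIX sh audit that finds set-uid files whose "#!" line names csh without both the -f and -b flags discussed above. The function names and verdict strings are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): audit set-uid csh scripts for -f and -b.

# classify_shebang LINE
# Prints: not-script | not-csh | ok | missing-f | missing-b | missing-fb
classify_shebang() {
    case $1 in
        '#!'*) ;;
        *) echo not-script; return 0 ;;
    esac
    set -f                  # no filename globbing while the line is split
    set -- ${1#??}          # drop "#!"; $1 = interpreter, the rest = its arguments
    set +f
    case ${1##*/} in
        csh) ;;
        *) echo not-csh; return 0 ;;
    esac
    shift
    has_f=no; has_b=no
    for arg in "$@"; do
        case $arg in -*f*) has_f=yes ;; esac   # -f: do not read .cshrc
        case $arg in -*b*) has_b=yes ;; esac   # -b: stop option processing
    done
    case $has_f$has_b in
        yesyes) echo ok ;;
        yesno)  echo missing-b ;;
        noyes)  echo missing-f ;;
        *)      echo missing-fb ;;
    esac
}

# audit_suid_scripts DIR
# Reports every set-uid regular file under DIR whose csh "#!" line lacks a flag.
audit_suid_scripts() {
    find "$1" -type f -perm -4000 -print 2>/dev/null |
    while IFS= read -r file; do
        first=
        IFS= read -r first 2>/dev/null < "$file" || [ -n "$first" ] || continue
        verdict=$(classify_shebang "$first")
        case $verdict in
            missing-*) printf '%s: %s (%s)\n' "$file" "$verdict" "$first" ;;
        esac
    done
}

# When a directory is given on the command line, audit it.
if [ $# -gt 0 ]; then audit_suid_scripts "$1"; fi
```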