On Tue, Jun 01, 2004 at 11:21:23PM -0400, James Damour wrote:
My understanding of the position of Bob and Mike can be summed up as, in
general, shell scripts can't be made to use setuid/setgid securely.
Basically, the problem comes down that a user can manipulate their PATH to
redefining
My understanding of the position of Bob and Mike can be summed up as,
in general, shell scripts can't be made to use setuid/setgid
securely. Basically, the problem comes down that a user can manipulate
their PATH to redefining basic commands that are used by the shell
scripts
Somehow I managed to miss Bob's and Mike's emails on this subject. I
rather wish that I *had* seen it before I spent 16 hours coding up the
wrapper ;) Still, I don't think my time was wasted; I learned quite a
lot and I think that I have something that can still be salvaged. Still
salvage seems
Steven Augart wrote:
First, a retraction:
James Damour wrote:
On Tue, 2004-05-18 at 09:03, Steven Augart wrote:
As you probably know, when a shell sees that it is running a setuid or
setgid shell script, it detects this because the euid and ruid or egid
and rgid are different. It fixes
On Wed, May 19, 2004 at 07:53:46AM -0400, James Damour wrote:
On Tue, 2004-05-18 at 09:03, Steven Augart wrote:
As you probably know, when a shell sees that it is running a setuid or
setgid shell script, it detects this because the euid and ruid or egid
and rgid are different. It fixes
Jeroen van Wolffelaar [EMAIL PROTECTED] writes:
On Wed, May 19, 2004 at 07:53:46AM -0400, James Damour wrote:
On Tue, 2004-05-18 at 09:03, Steven Augart wrote:
As you probably know, when a shell sees that it is running a setuid or
setgid shell script, it detects this because the euid and
On (19/05/04 15:54), Goswin von Brederlow wrote:
Jeroen van Wolffelaar [EMAIL PROTECTED] writes:
On Wed, May 19, 2004 at 07:53:46AM -0400, James Damour wrote:
On Tue, 2004-05-18 at 09:03, Steven Augart wrote:
As you probably know, when a shell sees that it is running a setuid or
might misinterpret
the docs and do something dangerous.
I had suggested restricting the program to just being a setgid
wrapper at first, because it seemed harder to exploit security
bugs that way. I know that once one gains setgid access to
the disk group, one can then go ahead and directly
Grzegorz B. Prokopski [EMAIL PROTECTED] writes:
On (19/05/04 15:54), Goswin von Brederlow wrote:
Jeroen van Wolffelaar [EMAIL PROTECTED] writes:
On Wed, May 19, 2004 at 07:53:46AM -0400, James Damour wrote:
On Tue, 2004-05-18 at 09:03, Steven Augart wrote:
As you probably know, when a
Now I know why I had such trouble getting setuid programs to work
on Linux.
My understanding of Greg and Jeroen's explanations is that the kernel
ignores whether an interpreted program has the setuid bit set -- it
just executes the interpreter given after the #!, passing the full
pathname
On Wed, May 19, 2004 at 07:53:46AM -0400, James Damour wrote:
In this case, this setgid-wrapper concept would work for *all* Java
applications. I'm still not sure if it will work for shell driven apps
in general, but it sounds reasonable. Security may be a concern, but I
believe
On (19/05/04 15:54), Goswin von Brederlow wrote:
Jeroen van Wolffelaar [EMAIL PROTECTED] writes:
On Wed, May 19, 2004 at 07:53:46AM -0400, James Damour wrote:
On Tue, 2004-05-18 at 09:03, Steven Augart wrote:
As you probably know, when a shell sees that it is running a setuid or
On (19/05/04 13:14), Grzegorz B. Prokopski wrote:
On (19/05/04 15:54), Goswin von Brederlow wrote:
Could it be you mean bash dropping the setuid/setgid bits when it is
set setuid/setgid? That's a bash speciality preventing hackers to
setuid/gid bash as so many rootkits have done in the past.
and do something dangerous.
I had suggested restricting the program to just being a setgid
wrapper at first, because it seemed harder to exploit security
bugs that way. I know that once one gains setgid access to
the disk group, one can then go ahead and directly modify the
raw filesystem
problem with setuid
and setgid bits not working on shell scripts.
I was thinking it might make sense to create a program (and package) named
setgid-wrapper? Using filler as an example, the basic idea is this:
You'd have a directory, /etc/setgid-wrapper.d , which contains a bunch of
config files
with setuid
and setgid bits not working on shell scripts.
I was thinking it might make sense to create a program (and package) named
setgid-wrapper? Using filler as an example, the basic idea is this:
You'd have a directory, /etc/setgid-wrapper.d , which contains a bunch of
config files. The package