Bob Miller wrote:
Allen Brown wrote:


It is tempting to also use nosuid, but there is a warning on
the mount page.
 nosuid Do  not allow set-user-identifier or set-group-identifier
        bits to take effect. (This seems safe,  but  is  in  fact
        rather unsafe if you have suidperl(1) installed.)

What the heck is that?  I don't seem to have it installed,
but this makes me nervous because I wouldn't necessarily
notice if it came in along with a bunch of other stuff
in an apt-get.


/usr/bin/suidperl is part of the perl package.  It's a set-uid program,
usually installed setuid root, that invokes perl; it is used to change uid
on setuid scripts when the kernel doesn't do that.

An evildoer could...

   On his own box, create a floppy/CD/flash ext2 filesystem and put
   evilscript on it setuid root.

   On your box, with normal user privs, he inserts and mounts the
   device which you've marked with user,nosuid in /etc/fstab.

   The evildoer runs his script.  The kernel invokes perl but does not
   set uid (because the fs is mounted nosuid).  Perl sees the setuid
   bit, execs suidperl.  suidperl sees the setuid bit, changes its
   effective uid to the file's owner (root), and execs perl.  Perl,
   now running as root, executes the script, and hilarity ensues.

Many distros ship without suidperl.  Gentoo has a USE flag to enable
it which defaults to off.  Ubuntu ships with suidperl, but it doesn't
have the setuid bit set.  Those are the distros I have handy just now.

That's probably more information than you wanted...

Not at all.  I'm glad to hear it.

It does make me wonder why suidperl wasn't killed long ago.
And it seems like the warning on the mount page is poorly
worded since it implies that setting nosuid *opens* the hole
exploited by suidperl.  What is more accurate is that suidperl
*reopens* the hole that nosuid closed.

So nosuid is a good thing.  But you also must forbid suidperl.
--
Allen Brown  [EMAIL PROTECTED]  http://www.peak.org/~abrown/
You can lead a horticulture but you can't make her think. ---Dorothy Parker
_______________________________________________
EUGLUG mailing list
[email protected]
http://www.euglug.org/mailman/listinfo/euglug
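The thread's conclusion is a two-part check: user-mountable filesystems should carry nosuid, and suidperl must not be present with the setuid bit.  The script below is an added example, not from either poster; it audits both conditions.  It parses fstab-format text (a constructed sample is embedded, then the real /etc/fstab if readable) for entries with the user option but no nosuid, and reports whether a suidperl binary exists and whether it is setuid.  The default path /usr/bin/suidperl is the one named in the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added audit example: find user-mountable entries lacking nosuid, and
# check whether a setuid suidperl is installed.

# Constructed sample in /etc/fstab format (not from any real host).
SAMPLE_FSTAB='/dev/sda1 / ext4 defaults 0 1
/dev/sdb1 /media/usb ext2 user,noauto 0 0
/dev/sdc1 /media/cd iso9660 user,noauto,nosuid,nodev 0 0
# a comment line
proc /proc proc defaults 0 0'

# Read fstab-format text on stdin; print the mount point of every entry
# that has "user" or "users" in its options but not "nosuid".
fstab_user_mounts_without_nosuid() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { next }
        {
            n = split($4, opts, ",")
            user = 0; nosuid = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "user" || opts[i] == "users") user = 1
                if (opts[i] == "nosuid") nosuid = 1
            }
            if (user && !nosuid) print $2
        }'
}

# Report on a suidperl binary at $1 (default /usr/bin/suidperl, the path
# named in the thread).  Prints one of: absent, present-setuid,
# present-nosetuid.  Only "present-setuid" reopens the hole described above.
suidperl_status() {
    path="${1:-/usr/bin/suidperl}"
    if [ ! -e "$path" ]; then
        echo absent
    elif [ -u "$path" ]; then
        echo present-setuid
    else
        echo present-nosetuid
    fi
}

# Stand-alone run: audit the constructed sample, then this host.
main() {
    echo "Sample fstab, user mounts lacking nosuid:"
    printf '%s\n' "$SAMPLE_FSTAB" | fstab_user_mounts_without_nosuid
    if [ -r /etc/fstab ]; then
        echo "This host, user mounts lacking nosuid:"
        fstab_user_mounts_without_nosuid < /etc/fstab
    fi
    echo "suidperl: $(suidperl_status)"
}

main
```

On the constructed sample only /media/usb is reported: the CD entry already has nosuid and the root entry is not user-mountable.  A host where suidperl_status prints present-setuid has exactly the configuration Bob describes, regardless of what /etc/fstab says.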