On Sat, 29 Aug 2009 00:06:29 -0700 per...@pluto.rain.com wrote:Michael David Crawford <m...@prgmr.com> wrote:It's not that setuid shell scripts are really more inherently insecure than programs written in C.Actually, absent some careful cooperation between the kernel and the interpreter to prevent a race condition that can cause the interpreter to run (with elevated permissions) a completely different script than the one that was marked setuid, setuid scripts _are_ insecure in a way that _cannot_ be fixed by any degree of care that might be taken in the writing of the script. Check the hackers@ archives. It was discussed a little over a month ago.But is isn't that the same issue that Matthew Seaman was saying was fixed years ago (in the link I gave before), and is described in the follow-up: http://firstname.lastname@example.org/msg185145.html That's entirely in the kernel, it doesn't require interpreter support.
The race condition between the kernel opening the script and the interpreter doing so should certainly be fixed in any Unix or Linux distribution available today. Either, as above, by the kernel passing an open file descriptor to the invoked script, or simply by ignoring any setuid or setgid bits on interpreted scripts. There are other attacks against SUID scripts -- see for instance: http://www.tech-faq.com/suid-root-script-binary.shtml http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html most of which work by exploiting the sort of features of the scripting language that make it into a powerful and useful tool. Almost all of these sort of exploits can be avoided by careful programming -- for instance, always explicitly setting $IFS and $PATH to known good values, or using the one set of command line flags allowed on the #! line to block the '-i' trick (ie. use '#!/bin/sh --' which forces any subsequent items on the command line to be treated as files rather than command options). However, you(the programmer) would have to know all about the various tricks for exploiting suid-ness in order to counter them.
The preferred way of running a script SUID is to write a very small C wrapper program that can be made SUID and that executes the script after
gaining increased privileges. Done well, this is definitely the best and most secure approach. Note however that the C wrapper must be similarly as carefully written as a suid script or many of the same exploits could still be possible. So, unless you are an expert programmer and understand how to defend your code against attack, your best bet really is to just use sudo(8). Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW
Description: OpenPGP digital signature