On Thu, Apr 23, 2009 at 11:31:38AM +0300, Shachar Shemesh wrote:
>
> Oron Peled wrote:
>>
>> There's a reason why the kernel does not respect suid/sgid bit on shell
>> scripts -- It's because there are gazillions of ways a user can use
>> this script to gain total root access.
>>   
> Name two?

The main famous one, inherent in the way scripts work, is that the
kernel has to look at the first line of the script, run the interpreter
mentioned there with the args provided, and this interpreter then runs,
looks at the script, and decides what to do. Running the interpreter
takes time, and so an attacker can make a symlink to it, run the
symlink, and replace it immediately, and have a chance to make the
interpreter run the attacker's version instead of the original. This is
different from running a binary directly, where the kernel knows where
it was and won't have to look again if you tried replacing a symlink to
it.

>>
>> Maybe writing a wrapper suid program that totally sanitizes
>> both the environment and command line arguments before
>> exec'ing the script would make it. Although I wouldn't bet
>> on it since it only covers the obvious attack vectors against
>> shell scripts.
>>   
> Fine. Make the two cover these obvious vectors, one each.
>
> I have to say that when I first heard about this restriction, I thought it
> made a lot of sense. Since then, I have searched for these famed attack
> vectors, and have come up short.

Well, I now googled for 'setuid scripts security' and found this FAQ:
http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html
It also mentions other, more-specific issues.

> Sure, if the script itself has security  
> holes, then a suid script will be vulnerable. As I'm sure you know well,  
> this is also true of C written code, however.

Indeed, but there are some differences - usually, finding bugs in
scripts is easier (especially if you do not have the sources for the
C-coded binary), and in the past there used to be bugs in various
interpreters of various OSes. The last point is hopefully less relevant
today, but so are setuid-scripts (I think no modern unix respects
these).

>
> So my question is: are there attack vectors against the following script?
>
> #!/bin/sh -e
>
> echo "Hello, cruel world"
-- 
Didi


_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
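A sketch of the "wrapper suid program" that Oron floats above, written as an added example for this thread and not code posted by anyone in it. It is meant to be compiled and installed setuid root in place of a setuid script; the script location `SCRIPT_PATH` and the helper names are assumptions. The wrapper fixes the interpreter, its flags, the script path and the environment, whitelists the argument alphabet, and, to close the re-lookup window Didi describes (kernel opens the script once, interpreter opens it again by name), opens the script itself, checks the open file with fstat, and passes the interpreter `/dev/fd/N` so it reads the same inode the wrapper just inspected:

```c
/*
 * Added example, not from the thread: a minimal setuid wrapper that runs a
 * fixed shell script with a sanitized environment and argument list.
 * Assumptions: SCRIPT_PATH is installed root:root mode 0755, the wrapper
 * binary is installed setuid root, and /dev/fd/N exists (Linux, BSDs).
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define SCRIPT_PATH "/usr/local/libexec/hello.sh" /* assumed location */
#define MAX_ARGS 8
#define MAX_ARG_LEN 64

/* Arguments may only use a conservative alphabet: letters, digits, '.',
 * '_' and '-', never empty, never starting with '-' (so nothing can be
 * mistaken for an sh option), never containing shell metacharacters. */
int arg_is_safe(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > MAX_ARG_LEN || s[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* The script must be a regular file owned by root and writable only by its
 * owner; anyone who can edit it would otherwise inherit the wrapper's uid. */
int mode_uid_trusted(mode_t mode, uid_t uid)
{
    if (!S_ISREG(mode))
        return 0;
    if (uid != 0)
        return 0;
    if (mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Environment handed to the interpreter: nothing inherited from the caller
 * (no ENV, BASH_ENV, IFS, LD_* or caller-chosen PATH). */
static char *const safe_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Name under which the interpreter reopens the descriptor we vetted. */
static char path_buf[32];
const char *fd_path(int fd)
{
    int n = snprintf(path_buf, sizeof path_buf, "/dev/fd/%d", fd);
    return (n > 0 && (size_t)n < sizeof path_buf) ? path_buf : NULL;
}

int main(int argc, char **argv)
{
    if (argc > MAX_ARGS + 1) { fputs("too many arguments\n", stderr); return 1; }
    for (int i = 1; i < argc; i++)
        if (!arg_is_safe(argv[i])) { fprintf(stderr, "rejected argument %d\n", i); return 1; }

    /* Open once, check the open file, never resolve the name a second time. */
    int fd = open(SCRIPT_PATH, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) { perror("open"); return 1; }
    struct stat st;
    if (fstat(fd, &st) < 0 || !mode_uid_trusted(st.st_mode, st.st_uid)) {
        fputs("script is not trusted\n", stderr);
        return 1;
    }
    const char *script = fd_path(fd);
    if (script == NULL) return 1;

    /* Make real ids equal the effective ids: bash silently drops privilege
     * when they differ (unless -p), and the script should not see a
     * caller-controlled real uid. */
    if (setgid(getegid()) < 0 || setuid(geteuid()) < 0) { perror("setuid"); return 1; }

    /* Interpreter and flags are fixed here; the script's #! line is never parsed. */
    char *args[MAX_ARGS + 4];
    int n = 0;
    args[n++] = "/bin/sh";
    args[n++] = "-e";
    args[n++] = (char *)script;
    for (int i = 1; i < argc; i++) args[n++] = argv[i];
    args[n] = NULL;
    execve("/bin/sh", args, safe_env);
    perror("execve");
    return 1;
}
```

The design point is that the interpreter never receives a path it has to look up: it gets a descriptor the wrapper already opened and checked, so the symlink-swap window from the first paragraph does not exist, regardless of timing. The environment is replaced wholesale rather than filtered, and the interpreter and flags are chosen by the wrapper, not read from the script's `#!` line. Oron's caveat still stands: this only removes the vectors that live between the kernel and the interpreter; a hole inside the script itself (or in the shell it runs under) is untouched, exactly as Shachar notes for C code.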