Re: Executable shell scripts

[Neil Brown]

On Saturday May 13, mark@xxxxxxxxxxxx wrote:
> 
> Anyhow, I don't really mind the 111 mode, the point was to show shell
> scripts being treated as executables. What I do want this feature for
> is the "more useful case" that somehow got stripped off in the replies,
> namely setuid and setgid scripts.
> -

setXid scripts are trivially exploitable unless the "/dev/fd/X"
approach is used to pass the file to the interpreter.

A classic approach is

 ln -s /bin/setuid-script ~/bin/-i
 -i

This will run the interpreter with a first argument of
   -i
which (if it is the shell) will just run an interactive shell for
you!!!
Now several shells have hacks to try to detect that case and reject it,
but there are other approaches..

Create a symlink to the script, and just at the right time between the
interpreter starting setuid and the interpreter opening the script,
you redirect the symlink somewhere else.  You might have to try a few
times to win the race, but it is sure to be possible.

Again, several shells have hacks in place to detect and avoid that
condition. 

But it has turned into an arms race - Can you be sure that the
interpreter you are using correctly detects and avoids all possible
subversion attempts?  It seems unlikely.

It is much safer to have a compiled program be the setuid bit, and it
does appropriate checks and runs a script in a highly controlled
manner.  I have a program called 'priv' which runs scripts out of
/usr/local/priv  after doing some access checks listed at the top of
the script.  It makes it quite easy and fairly safe (you still need to
check all command line args carefully) to write setuid-root script.

NeilBrown
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/