Re: Are setuid shell scripts safe? (Implied by security_bprm_creds_for_exec)

From: David Laight

Date: Mon Dec 01 2025 - 16:40:02 EST


On Mon, 01 Dec 2025 12:53:10 -0600
"Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> wrote:

> Roberto Sassu <roberto.sassu@xxxxxxxxxxxxxxx> writes:
...
> There is the partial solution of passing /dev/fd instead of passing the
> name of the script. I suspect that would break things. I don't
> remember why that was never adopted.

I thought that was what was done - and stopped the problem of a user
flipping a symlink between a suid script and one the user had written.

It has only ever been done for suid scripts when the uid actually changes.
Which makes it possible to set the permissions so that owner can't
run the script!
(The kernel only needs 'x' access, the shell needs 'r' access, so with 'x+s'
the owner can't execute the script but everyone else can.)

There is a much older problem that probably only affected the original 1970s
'sh' (not even the SYSV/SunOS version) that quoted redirects on the command
line would get actioned when the parameter was substituted - which I think
means the original 'sh' did post-substitution syntax analysis (the same
as cmd.exe still does).
That doesn't affect any shells used since the early 1980s.

David