Re: Established method to enable suid scripts?

2011-05-19 Thread Scott Bennett
 On Wed, 11 May 2011 11:59:48 +0200 Jonathan McKeown j.mcke...@ru.ac.za
wrote:
On Wednesday 11 May 2011 04:19:29 Devin Teske wrote:

 The reason that the suid bit doesn't work on scripts (shell, perl, or
 otherwise) is because these are essentially text files that are interpreted
 by their associated interpreter. It is the interpreter itself that must be
 suid.

I'm pretty sure that's not the case, although I'm open to correction.

The reason the system ignores the suid bit on a script is because of what 
would happen when it's executed:

1) the script is read from a file called filename and the system notices 
that it needs to be interpreted by another program.

2) that program is launched and told to re-open the file named filename and 
execute its contents with suid privilege.

The problem is a race condition: there's no guarantee that the filename opened 
by the interpreter in step 2 is the same file the user executed in step 1.

 Yes, that is basically what happened.  It was demonstrated under 4.3BSD
that a small program needed to do very little to gain privileges when run by
a user who had execute access to a suid shell script.  The first time the
kernel looked at it, the kernel also noted the permissions, including the suid
bit.  A small program 1) forks a child that loops, creating a symlink to the
suid script, removing the symlink, creating a new symlink of the same name but
pointing to /bin/sh, removing the symlink again, and repeating, while 2) the
parent loops, trying to run the script via the symlink.  If the attempt
returns, then that means the script actually got run (no security violation).
If the attempt instead returns a prompt,

#

then it means that after the kernel first looked at the file and got the
permission bits, the link was changed to point to /bin/sh, which then got
run with the suid root permission.  (This actually worked for scripts owned
by any uid, so the prompt could be $ with the privileges of whatever non-root
uid owned the script.)  Most people who reported results of trying this at
that time said they had a root shell in less than a second, even on slow
(for that era) machines. 8-
 This problem was publicly announced but not fixed in 4.3BSD.  The
recommended workaround, instead, was not to have any suid scripts.  I do
not know when the change was made in the kernel to block suid permission
elevation on executable non-binaries (i.e., scripts).


Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at cs.niu.edu

"A well regulated and disciplined militia, is at all times a good
objection to the introduction of that bane of all free governments
-- a standing army."
    -- Gov. John Hancock, New York Journal, 28 January 1790
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Established method to enable suid scripts?

2011-05-15 Thread Chris Telting

On 05/13/2011 14:34, Alejandro Imass wrote:

On Fri, May 13, 2011 at 6:07 AM, Chris Telting
christopher...@telting.org  wrote:

On 05/13/2011 01:32, krad wrote:

[...]

me ask you.. is sudo ping acceptable? Please explain the logical reason
why not. It would be the preferred method if suid didn't exist and sudo was
part of the base system.

The sudo versus suid theme is discussed ad-nauseam in many lists and
forums, as well as the C wrappers for doing stuff suid.
IMHO, however, sudo can give you more granular control, though it
paradoxically relies on suid itself.
The question here is why make the whole freaking interpreter suid when
you can granularly control the specific script.
Anyway, I would personally use a wrapper or sudo.
I honestly tried when I posted the question to avoid the question of 
right or wrong. I simply have one opinion for my own need and preference 
and don't want to go into rigid detail and did not mean to reopen the 
issue. I simply wanted to know if anyone had a patch already or a flag 
enabled it.  It's similar to the phrase that if  you have to ask you 
can't afford it except in this case it means you can. I have a feeling 
someone somewhere did it. If no one comes forward I will post a proper 
patch for review and maintain documentation of the pitfalls to the 
extent I can and that others forward to me.  I have no desire to change 
Freebsd's standard practice. I leave that to the steering committee of 
each and every distribution of unix like systems. I am simply grateful 
to be able to make my development systems work the way I want it to 
because I want it to. It's a question of complete philosophy to me as to 
the base unix permissions system. I simply know what appeals most to me 
the way that I use systems.  We all love Freebsd because it means 
choice.  I apologize to anyone that thinks I reopened a can of worms and 
wasted time, it was not my goal.




Re: Established method to enable suid scripts?

2011-05-15 Thread Randal L. Schwartz
 Chris == Chris Telting christopher...@telting.org writes:

Chris I honestly tried when I posted the question to avoid the question
Chris of right or wrong. I simply have one opinion for my own need and
Chris preference and don't want to go into rigid detail and did not
Chris mean to reopen the issue. I simply wanted to know if anyone had a
Chris patch already or a flag enabled it.  It's similar to the phrase
Chris that if you have to ask you can't afford it except in this case
Chris it means you can. I have a feeling someone somewhere did it. If
Chris no one comes forward I will post a proper patch for review and
Chris maintain documentation of the pitfalls to the extent I can and
Chris that others forward to me.  I have no desire to change Freebsd's
Chris standard practice. I leave that to the steering committee of each
Chris and every distribution of unix like systems. I am simply grateful
Chris to be able to make my development systems work the way I want it
Chris to because I want it to. It's a question of complete philosophy
Chris to me as to the base unix permissions system. I simply know what
Chris appeals most to me the way that I use systems.  We all love
Chris Freebsd because it means choice.  I apologize to anyone that
Chris thinks I reopened a can of worms and wasted time, it was not my
Chris goal.

When a child reaches for a hot stove, the only moral thing to do is pull
their hand back, without hesitating.

That's what we're trying to do for you.  Why are you not getting it?

You *will* get burned.  Why do you not trust the community to notice
that for you?

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
mer...@stonehenge.com URL:http://www.stonehenge.com/merlyn/
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.posterous.com/ for Smalltalk discussion


Re: Established method to enable suid scripts?

2011-05-15 Thread krad
On 15 May 2011 15:30, Randal L. Schwartz mer...@stonehenge.com wrote:

  Chris == Chris Telting christopher...@telting.org writes:

 Chris I honestly tried when I posted the question to avoid the question
 Chris of right or wrong. I simply have one opinion for my own need and
 Chris preference and don't want to go into rigid detail and did not
 Chris mean to reopen the issue. I simply wanted to know if anyone had a
 Chris patch already or a flag enabled it.  It's similar to the phrase
 Chris that if you have to ask you can't afford it except in this case
 Chris it means you can. I have a feeling someone somewhere did it. If
 Chris no one comes forward I will post a proper patch for review and
 Chris maintain documentation of the pitfalls to the extent I can and
 Chris that others forward to me.  I have no desire to change Freebsd's
 Chris standard practice. I leave that to the steering committee of each
 Chris and every distribution of unix like systems. I am simply grateful
 Chris to be able to make my development systems work the way I want it
 Chris to because I want it to. It's a question of complete philosophy
 Chris to me as to the base unix permissions system. I simply know what
 Chris appeals most to me the way that I use systems.  We all love
 Chris Freebsd because it means choice.  I apologize to anyone that
 Chris thinks I reopened a can of worms and wasted time, it was not my
 Chris goal.

 When a child reaches for a hot stove, the only moral thing to do is pull
 their hand back, without hesitating.

 That's what we're trying to do for you.  Why are you not getting it?

 You *will* get burned.  Why do you not trust the community to notice
 that for you?



I also think you would get a similar reaction from the majority of any
unix community for any distro/release.


Re: Established method to enable suid scripts?

2011-05-14 Thread perryh
Chris Telting christopher...@telting.org wrote:

 let me ask you.. is sudo ping acceptable? Please explain the
 logical reason why not. It would be the preferred method if suid
 didn't exist and sudo was part of the base system.

Without suid there would be no sudo ;)

Part of the reason for ping being suid is historical -- it predates
the existence of sudo -- but it is nevertheless a very good example
of a program that really should be suid in its own right.

* It needs to run with root privileges (so it can bind a raw socket
  IIRC).

* It should be executable, with some restrictions on the intensity
  of the traffic it will generate, by any user.  (Granted many users
  have no clue what ping does or how to interpret the results, but
  it is often one of the first things a phone-support tech asks for
  if it looks as if the caller's problem might be network related.
  The user needs to be able to run the command so as to read back
  the results.)

* Those restrictions are removed when it is run by root (who is
  presumed to know the implications).

Yes, ping could be non-sudo and the restrictions could be imposed by
sudo, but this would come at a cost:

- Most if not all system users would need to be listed in the
  sudoers file, so that they could execute ping in connection with
  suspected network problems (see above).

- The command parameters would have to be parsed twice (once by sudo
  to decide whether to allow the operation, then again by ping to
  find out what it is supposed to do).


Re: Established method to enable suid scripts?

2011-05-14 Thread Randal L. Schwartz
 Pan == Pan Tsu iny...@gmail.com writes:

Pan ...a shebang can be written with sudo in mind, e.g.

Pan   #! /usr/bin/env -S sudo sh
Pan   id

(Untested) why not just #!/usr/local/bin/sudo ?  It'll be given the
filename as an argument.

Aside: In general, almost every use of #!/usr/bin/env XXX as a
solution is wrong.



Re: Established method to enable suid scripts?

2011-05-14 Thread Alejandro Imass
On Sat, May 14, 2011 at 3:09 PM, Randal L. Schwartz
mer...@stonehenge.com wrote:
 Pan == Pan Tsu iny...@gmail.com writes:

[...]

 (Untested) why not just #!/usr/local/bin/sudo ?  It'll be given the
 filename as an argument.

Precisely. I think this thread should be forked to something like
suid versus sudo for scripts?

I second the sudo idea instead of suiding the interpreter, and it's a
better solution to the one I have used in the past like C-wrapping and
suiding specific operations.


Re: Established method to enable suid scripts?

2011-05-13 Thread Jonathan McKeown
On Thursday 12 May 2011 17:26:49 Chris Telting wrote:
 On 05/12/2011 07:57, Jonathan McKeown wrote:
 
  I'll say that again. It is inherently insecure to run an interpreted
  program set-uid, because the filename is opened twice and there's no
  guarantee that someone hasn't changed the contents of the file addressed
  by that name between the first and second open.
 
  It's one thing to tell people they need to be careful with suid because
  it has security implications. Deliberately introducing a well-known
  security hole into the system would in my view be dangerous and wrong.

 That race condition bug was fixed in ancient times. Before Freebsd or
 Linux ever existed I believe. It's a meme that just won't die.  People
 accepted mediocrity in old commercial versions of Unix.  I personally am
 unsatisfied by kludges.

That seems somewhat unlikely given, as someone else pointed out upthread, that 
Perl still comes with a compile-time option SETUID_SCRIPTS_ARE_SECURE_NOW, 
suggesting that they often aren't. Yes, there are ways to avoid this race 
condition - the usual one is to pass a handle on the open file to the 
interpreter, rather than closing it and reopening it.

This fix is not present in every Unix or Unix-like OS. In particular (although 
I'm happy to be corrected if I'm wrong) it's not present in FreeBSD, to the 
best of my knowledge. Whether there's a reason for that other than lack of 
developer time I don't know.

Jonathan


Re: Established method to enable suid scripts?

2011-05-13 Thread krad
On 13 May 2011 08:32, Jonathan McKeown j.mcke...@ru.ac.za wrote:

 On Thursday 12 May 2011 17:26:49 Chris Telting wrote:
  On 05/12/2011 07:57, Jonathan McKeown wrote:
  
   I'll say that again. It is inherently insecure to run an interpreted
   program set-uid, because the filename is opened twice and there's no
   guarantee that someone hasn't changed the contents of the file
 addressed
   by that name between the first and second open.
  
   It's one thing to tell people they need to be careful with suid because
   it has security implications. Deliberately introducing a well-known
   security hole into the system would in my view be dangerous and wrong.
 
  That race condition bug was fixed in ancient times. Before Freebsd or
  Linux ever existed I believe. It's a meme that just won't die.  People
  accepted mediocrity in old commercial versions of Unix.  I personally am
  unsatisfied by kludges.

 That seems somewhat unlikely given, as someone else pointed out upthread,
 that
 Perl still comes with a compile-time option SETUID_SCRIPTS_ARE_SECURE_NOW,
 suggesting that they often aren't. Yes, there are ways to avoid this race
 condition - the usual one is to pass a handle on the open file to the
 interpreter, rather than closing it and reopening it.

 This fix is not present in every Unix or Unix-like OS. In particular
 (although
 I'm happy to be corrected if I'm wrong) it's not present in FreeBSD, to the
 best of my knowledge. Whether there's a reason for that other than lack of
 developer time I don't know.

 Jonathan



What I can't understand is the complete aversion to sudo. Could you shed any
light on why you are trying to avoid a tried and tested method?


Re: Established method to enable suid scripts?

2011-05-13 Thread Chris Telting

On 05/13/2011 00:32, Jonathan McKeown wrote:

On Thursday 12 May 2011 17:26:49 Chris Telting wrote:

On 05/12/2011 07:57, Jonathan McKeown wrote:

I'll say that again. It is inherently insecure to run an interpreted
program set-uid, because the filename is opened twice and there's no
guarantee that someone hasn't changed the contents of the file addressed
by that name between the first and second open.

It's one thing to tell people they need to be careful with suid because
it has security implications. Deliberately introducing a well-known
security hole into the system would in my view be dangerous and wrong.

That race condition bug was fixed in ancient times. Before Freebsd or
Linux ever existed I believe. It's a meme that just won't die.  People
accepted mediocrity in old commercial versions of Unix.  I personally am
unsatisfied by kludges.

That seems somewhat unlikely given, as someone else pointed out upthread, that
Perl still comes with a compile-time option SETUID_SCRIPTS_ARE_SECURE_NOW,
suggesting that they often aren't. Yes, there are ways to avoid this race
condition - the usual one is to pass a handle on the open file to the
interpreter, rather than closing it and reopening it.

This fix is not present in every Unix or Unix-like OS. In particular (although
I'm happy to be corrected if I'm wrong) it's not present in FreeBSD, to the
best of my knowledge. Whether there's a reason for that other than lack of
developer time I don't know.

Indeed.  I think it's more of a case that since you can't count on it on 
other systems (especially closed source systems) to disable it for 
portability reasons, although I would love to be proved wrong.


Happy Friday.



Re: Established method to enable suid scripts?

2011-05-13 Thread Chris Telting

On 05/13/2011 01:32, krad wrote:
What I can't understand is the complete aversion to sudo. Could you 
shed any light on why you are trying to avoid a tried and tested method?


That I freely admit is for no rational reason. It's just annoying. But 
let me ask you.. is sudo ping acceptable? Please explain the logical 
reason why not. It would be the preferred method if suid didn't exist 
and sudo was part of the base system.


Happy Friday.



Re: Established method to enable suid scripts?

2011-05-13 Thread krad
On 13 May 2011 11:07, Chris Telting christopher...@telting.org wrote:

 On 05/13/2011 01:32, krad wrote:

 What I can't understand is the complete aversion to sudo. Could you shed
 any light on why you are trying to avoid a tried and tested method?


 That I freely admit is for no rational reason. It's just annoying. But let
 me ask you.. is sudo ping acceptable? Please explain the logical reason
 why not. It would be the preferred method if suid didn't exist and sudo was
 part of the base system.

 Happy Friday.



Without knowing your security policy it's difficult to say. However, from an
ad hoc point of view I don't see why not, assuming what you are doing with it
needs root privilege. It's also far less risky than giving a user access to a
box.

Again, without knowing your security policy, I don't see why sudo coming from
ports vs the base system is really relevant. As long as said port is audited to
the same level or higher than the base system I don't see any problem.


Re: Established method to enable suid scripts?

2011-05-13 Thread Pan Tsu
Chris Telting christopher...@telting.org writes:

 On 05/13/2011 01:32, krad wrote:
 What I can't understand is the complete aversion to sudo. Could you
 shed any light on why you are trying to avoid a tried and tested
 method?

 That I freely admit is for no rational reason. It's just annoying. But

...a shebang can be written with sudo in mind, e.g.

  #! /usr/bin/env -S sudo sh
  id

  $ ./foo.sh
  uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
  $ ls -l
  -rwxr-xr-x  1 luser luser 31 May 13 21:36 foo.sh

 let me ask you.. is sudo ping acceptable? Please explain the logical
 reason why not. It would be the preferred method if suid didn't exist
 and sudo was part of the base system.


Re: Established method to enable suid scripts?

2011-05-13 Thread krad
C

On Friday, 13 May 2011, Pan Tsu iny...@gmail.com wrote:
 Chris Telting christopher...@telting.org writes:

 On 05/13/2011 01:32, krad wrote:
 What I can't understand is the complete aversion to sudo. Could you
 shed any light on why you are trying to avoid a tried and tested
 method?

 That I freely admit is for no rational reason. It's just annoying. But

 ...a shebang can be written with sudo in mind, e.g.

   #! /usr/bin/env -S sudo sh
   id

   $ ./foo.sh
   uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
   $ ls -l
   -rwxr-xr-x  1 luser luser 31 May 13 21:36 foo.sh

 let me ask you.. is sudo ping acceptable? Please explain the logical
 reason why not. It would be the preferred method if suid didn't exist
 and sudo was part of the base system.



I'm still bemused as to why, unless it's just an academic exercise.


Re: Established method to enable suid scripts?

2011-05-12 Thread Chris Telting

On 05/11/2011 07:14, Jerry McAllister wrote:

On Tue, May 10, 2011 at 05:54:04PM -0700, Chris Telting wrote:


I've googled for over an hour.

I'm not looking to get into a discussion on security or previous bugs
that are currently fixed.  Suid in and of itself is a security issue.
But if you are using suid it should work; I don't want to use a
kludge and I don't want to use sudo.  I'm hoping it's a setting that is
just disabled by default.

My understanding is that in general the system does not allow SUID
on scripts.   The way I have gotten around that (a long time ago)
was to create a small binary that exec's the script and making
the binary SUID.



Well it's all hacks and in my not so humble opinion like chasing your 
tail.  The assumption is that if someone creates an executable 
(assumption is programming is C) they are more credible not to make 
mistakes.  That's a fallacy and just plain nuts.  And I'm an interpreted 
language snob saying that.  Suid is either allowable or not and should 
be a sysctl and apply equally to binaries and scripts.  Yet another 
thing to add to my project list.  Anyone know of an established patch 
to fix this FreeBSD issue or am I yet again going to have to create my own?


Either way thank you all again for your feedback.



Re: Established method to enable suid scripts?

2011-05-12 Thread Jerry McAllister
On Thu, May 12, 2011 at 07:13:50AM -0700, Chris Telting wrote:

 On 05/11/2011 07:14, Jerry McAllister wrote:
 On Tue, May 10, 2011 at 05:54:04PM -0700, Chris Telting wrote:
 
 I've googled for over an hour.
 
 I'm not looking to get into a discussion on security or previous bugs
 that are currently fixed.  Suid in and of itself is a security issue.
 But if you are using suid it should work; I don't want to use a
 kludge and I don't want to use sudo.  I'm hoping it's a setting that is
 just disabled by default.
 My understanding is that in general the system does not allow SUID
 on scripts.   The way I have gotten around that (a long time ago)
 was to create a small binary that exec's the script and making
 the binary SUID.
 
 
 Well it's all hacks and in my not so humble opinion like chasing your 
 tail.  The assumption is that if someone creates an executable 
 (assumption is programming is C) they are more credible not to make 
 mistakes.  That's a fallacy and just plain nuts.  And I'm an interpreted 
 language snob saying that.  Suid is either allowable or not and should 
 be a sysctl and apply equally to binaries and scripts.  Yet another 
 thing to add to my project list.  Anyone know of an established patch 
 to fix this FreeBSD issue or am I yet again going to have to create my own?

Guess you will have to do your own.

It's not a problem for the rest of us.

jerry

 
 Either way thank you all again for your feedback.
 


Re: Established method to enable suid scripts?

2011-05-12 Thread Jonathan McKeown
On Thursday 12 May 2011 16:13:50 Chris Telting wrote:
 On 05/11/2011 07:14, Jerry McAllister wrote:
  On Tue, May 10, 2011 at 05:54:04PM -0700, Chris Telting wrote:
  I've googled for over an hour.
 
  I'm not looking to get into a discussion on security or previous bugs
  that are currently fixed.  Suid in and of itself is a security issue.
  But if you are using suid it should work; I don't want to use a
  kludge and I don't want to use sudo.  I'm hoping it's a setting that is
  just disabled by default.
 
  My understanding is that in general the system does not allow SUID
  on scripts.   The way I have gotten around that (a long time ago)
  was to create a small binary that exec's the script and making
  the binary SUID.

 Well it's all hacks and in my not so humble opinion like chasing your
 tail.  The assumption is that if someone creates an executable
 (assumption is programming is C) they are more credible not to make
 mistakes.  That's a fallacy and just plain nuts.  And I'm an interpreted
 language snob saying that.  Suid is either allowable or not and should
 be a sysctl and apply equally to binaries and scripts.  Yet another
 thing to add to my project list.  Anyone know of an established patch
 to fix this FreeBSD issue or am I yet again going to have to create my
 own?

Have you appreciated the issue with suid on scripts? It's nothing at all to do 
with whether someone writing a compiled language is a better programmer than 
someone writing an interpreted language.

When the OS launches a binary, the file containing the program is opened once.

When the OS launches an interpreted program, the file is opened once to find 
out which interpreter to run, and then the interpreter is told to re-open the 
same filename - whose contents might meanwhile have changed.

I'll say that again. It is inherently insecure to run an interpreted program 
set-uid, because the filename is opened twice and there's no guarantee that 
someone hasn't changed the contents of the file addressed by that name 
between the first and second open.

It's one thing to tell people they need to be careful with suid because it has 
security implications. Deliberately introducing a well-known security hole 
into the system would in my view be dangerous and wrong.

Jonathan


Re: Established method to enable suid scripts?

2011-05-12 Thread Chris Telting

On 05/12/2011 07:57, Jonathan McKeown wrote:

On Thursday 12 May 2011 16:13:50 Chris Telting wrote:

On 05/11/2011 07:14, Jerry McAllister wrote:

On Tue, May 10, 2011 at 05:54:04PM -0700, Chris Telting wrote:

I've googled for over an hour.

I'm not looking to get into a discussion on security or previous bugs
that are currently fixed.  Suid in and of itself is a security issue.
But if you are using suid it should work; I don't want to use a
kludge and I don't want to use sudo.  I'm hoping it's a setting that is
just disabled by default.

My understanding is that in general the system does not allow SUID
on scripts.   The way I have gotten around that (a long time ago)
was to create a small binary that exec's the script and making
the binary SUID.

Well it's all hacks and in my not so humble opinion like chasing your
tail.  The assumption is that if someone creates an executable
(assumption is programming is C) they are more credible not to make
mistakes.  That's a fallacy and just plain nuts.  And I'm an interpreted
language snob saying that.  Suid is either allowable or not and should
be a sysctl and apply equally to binaries and scripts.  Yet another
thing to add to my project list.  Anyone know of an established patch
to fix this FreeBSD issue or am I yet again going to have to create my
own?

Have you appreciated the issue with suid on scripts? It's nothing at all to do
with whether someone writing a compiled language is a better programmer than
someone writing an interpreted language.

When the OS launches a binary, the file containing the program is opened once.

When the OS launches an interpreted program, the file is opened once to find
out which interpreter to run, and then the interpreter is told to re-open the
same filename - whose contents might meanwhile have changed.

I'll say that again. It is inherently insecure to run an interpreted program
set-uid, because the filename is opened twice and there's no guarantee that
someone hasn't changed the contents of the file addressed by that name
between the first and second open.

It's one thing to tell people they need to be careful with suid because it has
security implications. Deliberately introducing a well-known security hole
into the system would in my view be dangerous and wrong.


That race condition bug was fixed in ancient times. Before Freebsd or 
Linux ever existed I believe. It's a meme that just won't die.  People 
accepted mediocrity in old commercial versions of Unix.  I personally am 
unsatisfied by kludges.




Re: Established method to enable suid scripts?

2011-05-11 Thread perryh
Chris Telting christopher...@telting.org wrote:

 Seemed like I read that historically unix ran the #! command
 as the suid when it executed the file.  Did Freebsd delete
 that functionality?  (Otherwise how did suid scripts get the
 bad reputation if they could never execute suid.)

There have indeed been Unix (or Unix-like) systems that have
implemented suid #! scripts.  It did not take very long for
someone to discover -- and demonstrate -- the massive security
hole that they opened, which led to the capability being removed.

IIUC this happened fairly early in the Berkeley era, long before
FreeBSD existed as such.  Thus it was a predecessor of FreeBSD,
and not FreeBSD itself, from which the functionality was deleted.

It _is_ possible in principle to close that particular security
hole while retaining the suid #! functionality, but it requires
coordination between the kernel and the interpreter (and, in the
variant I'm aware of, the introduction of a fourth standard file
identifier similar to the well-known stdin, stdout, and stderr).
However, even supposing that this fix is applied, how certain can
we be that there are no _other_ exposures?

 I'm not exactly clear where the execute function is.  I'm guessing
 that it's not the shell doing the #! interpretation but rather the
 execute function of the operating system.

Correct.  The exec function examines the first block of the file
that is to be executed, and determines how to execute it by
recognizing particular values in particular places.  When the first
two bytes are #!, the characters following the #! (up to the next
whitespace) identify an interpreter which is executed, the name
of the script being passed to the interpreter as a parameter.

Presumably it would be possible for exec to recognize the suid
bit on the script, and set the UID accordingly when executing the
interpreter, but AFAIK there is no way to configure FreeBSD to
do this; you would have to modify the kernel.
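perryh's description of what exec does with a #! first block, as an added worked example that is not code from the thread or from the FreeBSD kernel: a user-space model of the parse (interpreter token, optional argument, script name appended) and of the argv the interpreter ends up with. Two details are assumptions rather than anything stated above: the 128-byte cap on the #! line, and the rule that everything after the interpreter up to end of line is handed over as one optional argument. What the code makes explicit is that the script reaches the interpreter as a pathname in argv, and that is the name the interpreter has to open a second time.

```c
/* Added example: model of how exec turns a "#!" first block into the argv
 * the interpreter receives. Not FreeBSD source. Assumed: a 128-byte line
 * cap, and everything after the interpreter is ONE optional argument. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SHEBANG 128   /* assumed cap on the #! line */

struct shebang {
    char interp[MAX_SHEBANG];
    char arg[MAX_SHEBANG];
    int  has_arg;
};

static int blank(char c) { return c == ' ' || c == '\t'; }

/* Parse the first `len` bytes of an image. Returns 1 if it is a #! script
 * and fills `out`; 0 if it is not a script at all (exec would try the other
 * image formats); -1 if it is a malformed script (no interpreter, too long). */
int parse_shebang(const char *block, size_t len, struct shebang *out)
{
    memset(out, 0, sizeof *out);
    if (len < 2 || block[0] != '#' || block[1] != '!')
        return 0;

    size_t end = 2;                               /* end of the #! line */
    while (end < len && block[end] != '\n') end++;
    if (end - 2 >= MAX_SHEBANG) return -1;

    size_t i = 2;
    while (i < end && blank(block[i])) i++;       /* "#! /bin/sh" is legal */
    size_t start = i;
    while (i < end && !blank(block[i])) i++;      /* interpreter token */
    if (i == start) return -1;                    /* "#!" with nothing after */
    memcpy(out->interp, block + start, i - start);
    out->interp[i - start] = '\0';

    while (i < end && blank(block[i])) i++;
    size_t aend = end;                            /* trim trailing blanks / CR */
    while (aend > i && (blank(block[aend - 1]) || block[aend - 1] == '\r')) aend--;
    if (aend > i) {
        memcpy(out->arg, block + i, aend - i);
        out->arg[aend - i] = '\0';
        out->has_arg = 1;
    }
    return 1;
}

/* Build argv for the interpreter: interp [arg] script_path user_args...
 * Returns argc, or -1 if `max` is too small. The script is passed by NAME,
 * so the interpreter must open that name itself: that second lookup is the
 * window the rest of the thread is about. */
int build_interp_argv(const struct shebang *sb, const char *script_path,
                      char *const user_args[], const char *argv[], int max)
{
    int n = 0;
    if (max < 4) return -1;
    argv[n++] = sb->interp;
    if (sb->has_arg) argv[n++] = sb->arg;
    argv[n++] = script_path;
    for (int k = 0; user_args && user_args[k]; k++) {
        if (n >= max - 1) return -1;
        argv[n++] = user_args[k];
    }
    argv[n] = NULL;
    return n;
}

/* Checking helpers: does `block` parse to exactly this interpreter and
 * argument (arg == NULL meaning "no argument")? And what argc results? */
int shebang_matches(const char *block, size_t len, const char *interp, const char *arg)
{
    struct shebang sb;
    if (parse_shebang(block, len, &sb) != 1) return 0;
    if (strcmp(sb.interp, interp) != 0) return 0;
    if (arg == NULL) return !sb.has_arg;
    return sb.has_arg && strcmp(sb.arg, arg) == 0;
}

int shebang_kind(const char *block, size_t len)
{
    struct shebang sb;
    return parse_shebang(block, len, &sb);
}

int interp_argc(const char *block, size_t len, const char *script_path,
                char *const user_args[])
{
    struct shebang sb;
    const char *argv[16];
    if (parse_shebang(block, len, &sb) != 1) return -1;
    return build_interp_argv(&sb, script_path, user_args, argv, 16);
}

int main(void)
{
    /* constructed sample image: the first block of a perl script */
    const char image[] = "#!/usr/bin/perl -w\nprint \"hi\\n\";\n";
    struct shebang sb;
    const char *argv[16];
    if (parse_shebang(image, sizeof image - 1, &sb) != 1) return 1;
    int argc = build_interp_argv(&sb, "/tmp/example.pl", NULL, argv, 16);
    for (int k = 0; k < argc; k++) printf("argv[%d] = %s\n", k, argv[k]);
    return 0;
}
```

Build with `cc -o shebang shebang.c` and run; the last argv entry is the script's pathname, which is exactly what a set-uid interpreter would have to re-open.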


Re: Established method to enable suid scripts?

2011-05-11 Thread Riaan Kruger
Here is some information on what perl does:

http://www.washington.edu/perl5man/pod/perlsec.html

Also there is an option (not chosen by default) in the perl port to
enable setuid.

Riaan


Re: Established method to enable suid scripts?

2011-05-11 Thread Jonathan McKeown
On Wednesday 11 May 2011 04:19:29 Devin Teske wrote:

 The reason that the suid bit doesn't work on scripts (shell, perl, or
 otherwise) is because these are essentially text files that are interpreted
 by their associated interpreter. It is the interpreter itself that must be
 suid.

I'm pretty sure that's not the case, although I'm open to correction.

The reason the system ignores the suid bit on a script is because of what 
would happen when it's executed:

1) the script is read from a file called filename and the system notices 
that it needs to be interpreted by another program.

2) that program is launched and told to re-open the file named filename and 
execute its contents with suid privilege.

The problem is a race condition: there's no guarantee that the filename opened 
by the interpreter in step 2 is the same file the user executed in step 1.

There are two common ways round this: ignore the suid bit; or arrange within 
the OS to pass a handle to the original file rather than a filename so that 
the script can't be changed out from under the interpreter.

Jonathan


Re: Established method to enable suid scripts?

2011-05-11 Thread Jerry McAllister
On Tue, May 10, 2011 at 05:54:04PM -0700, Chris Telting wrote:

 I've googled for over an hour.
 
 I'm not looking to get into a discussion on security or previous bugs 
 that are currently fixed.  Suid in and of itself is a security issue.  
 But if you are using suid it should work; I don't want to use a 
 kludge and I don't want to use sudo.  I'm hoping it's a setting that is 
 just disabled by default.

My understanding is that in general the system does not allow SUID
on scripts.   The way I have gotten around that (a long time ago)
was to create a small binary that exec's the script and making
the binary SUID.

Security cautions apply.

jerry




Re: Established method to enable suid scripts?

2011-05-11 Thread Alejandro Imass
On Wed, May 11, 2011 at 10:14 AM, Jerry McAllister jerr...@msu.edu wrote:
 On Tue, May 10, 2011 at 05:54:04PM -0700, Chris Telting wrote:

 I've googled for over an hour.

As others have said, suiding on scripts is not allowed in modern
versions of Unix. What I do for example, is create small C programs
suid them and use those special suid execs to do special stuff. For
example, if I need to erase some files created by the mysql daemon
process I will create a C exec called suidrm and have it suid to the
mysql owner so I can remove the temp files from an Apache CGI for
example. Any suid exec should be carefully evaluated and meant for one
specific thing, and avoid suiding to root if at all possible. If you
must you can copy the exec with a different name and suid it for a
specific purpose with a specific user, preferably not root.

Anyway, with the simple C program wrapper approach I have solved many
things like what you're trying to do.

Best,

--
Alejandro Imass


Re: Established method to enable suid scripts?

2011-05-11 Thread Greg Larkin

On 5/11/11 12:31 PM, Alejandro Imass wrote:
 On Wed, May 11, 2011 at 10:14 AM, Jerry McAllister jerr...@msu.edu wrote:
 On Tue, May 10, 2011 at 05:54:04PM -0700, Chris Telting wrote:

 I've googled for over an hour.
 
 As others have said, suiding on scripts is not allowed in modern
 versions of Unix. What I do for example, is create small C programs
 suid them and use those special suid execs to do special stuff. For
 example, if I need to erase some files created by the mysql daemon
 process I will create a C exec called suidrm and have it suid to the
 mysql owner so I can remove the temp files from an Apache CGI for
 example. Any suid exec should be carefully evaluated and meant for one
 specific thing, and avoid suiding to root if at all possible. If you
 must you can copy the exec with a different name and suid it for a
 specific purpose with a specific user, preferably not root.
 
 Anyway, with the simple C program wrapper approach I have solved many
 things like what you're trying to do.
 
 Best,
 
 --
 Alejandro Imass

To the OP and others - you'll find tons of hits for setuid wrapper in
Google
(http://www.google.com/search?q=setuid+wrapper&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a),
but be very careful if you decide to compile one of them for use in your
environment.

It might be worth checking out some of the Apache suEXEC documentation
to understand all of the security checks they have implemented:
http://httpd.apache.org/docs/2.2/suexec.html

Hope that helps,
Greg
-- 
Greg Larkin

http://www.FreeBSD.org/   - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
http://twitter.com/cpucycle/  - Follow you, follow me


Re: Established method to enable suid scripts?

2011-05-10 Thread Polytropon
On Tue, 10 May 2011 21:43:43 -0400, Daniel Staal dst...@usa.net wrote:
 One thought: What's the output of 'mount' for the slice you are trying to 
 run this script from?  (Suid can be blocked on a per-mountpoint basis.)

Just for terminology: You mount a partition, _not_ a slice,
so mount operates on partitions (associating them with mountpoints,
and as you correctly pointed out, mount options can include
the prohibition of SUID execution using the nosuid option).


-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


Re: Established method to enable suid scripts?

2011-05-10 Thread Daniel Staal

--As of May 11, 2011 3:55:03 AM +0200, Polytropon is alleged to have said:


On Tue, 10 May 2011 21:43:43 -0400, Daniel Staal dst...@usa.net wrote:

One thought: What's the output of 'mount' for the slice you are trying
to  run this script from?  (Suid can be blocked on a per-mountpoint
basis.)


Just for terminology: You mount a partition, _not_ a slice,
so mount operates on partition (associating them to mountpoints,
and as you correctly pointed out, mount options can include
the prohibition of SUID execution using the nosuid option).


--As for the rest, it is mine.

Sorry, I've been doing a lot of switching between platforms recently, and 
mostly using virtual volume managers of one type or another.  The 
terminology starts to blur after a bit.  ;)


Daniel T. Staal



Re: Established method to enable suid scripts?

2011-05-10 Thread Devin Teske

On May 10, 2011, at 5:54 PM, Chris Telting wrote:

 I've googled for over an hour.
 
 I'm not looking to get into a discussion on security or previous bugs that 
 are currently fixed.  Suid in and of itself is a security issue.  But if you 
 are using suid it should work; I don't want to use a kludge and I don't 
 want to use sudo.  I'm hoping it's a setting that is just disabled by default.

The reason that the suid bit doesn't work on scripts (shell, perl, or 
otherwise) is because these are essentially text files that are interpreted by 
their associated interpreter. It is the interpreter itself that must be suid.

In other words, you'd have to do this (*WARNING* highly inadvisable -- even for 
the OP):

sudo chmod u+s /bin/sh

before you could have a shell script such as this:

#!/bin/sh
: anything

run as the suid user (the owner of /bin/sh -- usually root).
-- 
Devin



Re: Established method to enable suid scripts?

2011-05-10 Thread Chris Telting

On 05/10/2011 19:19, Devin Teske wrote:

On May 10, 2011, at 5:54 PM, Chris Telting wrote:


I've googled for over an hour.

I'm not looking to get into a discussion on security or previous bugs that are 
currently fixed.  Suid in and of itself is a security issue.  But if you are 
using suid it should work; I don't want to use a kludge and I don't want to 
use sudo.  I'm hoping it's a setting that is just disabled by default.

The reason that the suid bit doesn't work on scripts (shell, perl, or 
otherwise) is because these are essentially text files that are interpreted by 
their associated interpreter. It is the interpreter itself that must be suid.

In other words, you'd have to do this (*WARNING* highly inadvisable -- even for 
the OP):

sudo chmod u+s /bin/sh

before you could have a shell script such as this:

#!/bin/sh
: anything

run as the suid user (the owner of /bin/sh -- usually root).

I thought of that.  Seemed like I read that historically unix ran the #!
command as the suid when it executed the file.  Did FreeBSD delete that
functionality?  (Otherwise how did suid scripts get the bad reputation
if they could never execute suid.)


I'm not exactly clear where the execute function is.  I'm guessing that
it's not the shell doing the #! interpretation but rather the execute 
function of the operating system.


Either way thanks for the feedback.
