Re: SUID permission on Bash script

[Matthew Seaman]

RW wrote:

On Sat, 29 Aug 2009 00:06:29 -0700
per...@pluto.rain.com wrote:

Michael David Crawford <m...@prgmr.com> wrote:

It's not that setuid shell scripts are really more
inherently insecure than programs written in C.

Actually, absent some careful cooperation between the kernel
and the interpreter to prevent a race condition that can cause
the interpreter to run (with elevated permissions) a completely
different script than the one that was marked setuid, setuid
scripts _are_ insecure in a way that _cannot_ be fixed by any
degree of care that might be taken in the writing of the script.

Check the hackers@ archives.  It was discussed a little over a
month ago.

But is isn't that the same issue that Matthew Seaman was saying was
fixed years ago (in the link I gave before), and is described in the
follow-up:

http://www.mail-archive.com/freebsd-questions@freebsd.org/msg185145.html

That's entirely in the kernel, it doesn't require interpreter support.

The race condition between the kernel opening the script and the interpreter
doing so should certainly be fixed in any Unix or Linux distribution available
today.  Either, as above, by the kernel passing an open file descriptor to the
invoked script, or simply by ignoring any setuid or setgid bits on interpreted
scripts.

There are other attacks against SUID scripts -- see for instance:

   http://www.tech-faq.com/suid-root-script-binary.shtml
   http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html

most of which work by exploiting the sort of features of the scripting
language that make it into a powerful and useful tool.  Almost all of these
sort of exploits can be avoided by careful programming -- for instance,
always explicitly setting $IFS and $PATH to known good values, or using the
one  set of command line flags allowed on the #! line to block the '-i' trick
(ie. use '#!/bin/sh --' which forces any subsequent items on the command
line to be treated as files rather than command options).  However, you



gaining increased privileges.  Done well, this is definitely the best and most
secure approach.  Note however that the C wrapper must be similarly as
carefully written as a suid script or many of the same exploits could still
be possible.

So, unless you are an expert programmer and understand how to defend your
code against attack, your best bet really is to just use sudo(8).

        Cheers,

        Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                 Kent, CT11 9PW

(the programmer) would have to know all about the various tricks for exploiting suid-ness in order to counter them. The preferred way of running a script SUID is to write a very small C wrapper program that can be made SUID and that executes the script after

signature.asc
Description: OpenPGP digital signature