> setuid does nothing on a script. If you think about it this makes sense.
> The interpreter would have to be setuid because it is not, in fact, the
> script that is executed, but the interpreter.

Err, not exactly. When the kernel executes a file (whether script or binary) the setuid check is made and the uid for the new process is chosen before the method of execution is chosen. In Linux there are many different types of execution methods (elf, a.out, and scripts are the main ones, but there are many other native ones and with binfmt_misc around, many more) with scripts only being one of them. If it is a script the interpreter is run with the uid previously chosen and the file as an argument.

This had to be changed specially for scripts though because there is an inherent race condition between when the suid check is done and when the interpreter opens the file to read in the data. This switch would usually be done with symbolic or hard links from a directory that the attacking user controls:

    mkdir /tmp/mine
    cd /tmp/mine
    ln /path/suid_script script
    ./script

In another session:

    rm script
    mv evil_script script

Of course doing this by hand isn't realistic, but you get the point. Loading up the system makes this easier to do. The end result is that the evil script gets executed instead of the real one.

To stop this from happening, kernels these days specially check for suid scripts and ignore them. Some interpreters (bash used to at least) will check the file for suid and the uid and output nasty messages about how you need to patch your kernel.

People like suid scripts though because they're easy for admins to write for users, so there have been several methods to get around this problem. All of them are suid wrappers of some kind:

1. Roll your own suid wrapper. Sanitizing the environment isn't always trivial and is dependent on the system you are on.

2. Sudo and such have a nice interface to give specific users access to specific commands. You still need to be careful, because there are often ways to get out of commands you limit users to (like executing a shell from an editor).

3. Sperl is a suid interpreter that redoes the suid check on the script it is accessing. There is no race condition here because the check is done after the file is actually open (fd = open; fstat(fd)). This is fairly elegant, but causes other problems in that suid scripts on file systems mounted nosuid are still executed suid by sperl.

Suid is very powerful and very easily done incorrectly. Have fun!

>>>------>
--
+-------------+-----------------------+---------------+
| Ed Schaller | Dark Mist Networking  | psuedoshroom  |
+-------------+-----------------------+---------------+
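The "fd = open; fstat(fd)" ordering that the message credits sperl with, written out as an added example (it is not code from the original message or from sperl itself). The struct and function names and the file names under /tmp are assumptions. It checks the setuid bit on the descriptor rather than on the path name, adds the nosuid-mount lookup that the message notes sperl lacks, and demonstrates with constructed files that swapping the name underneath an open descriptor does not change what the descriptor refers to:

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <unistd.h>

/* What a sperl-style interpreter learns about a script *after* opening it. */
struct suid_check {
    int ok;            /* 1 if fstat() on the descriptor succeeded */
    int is_setuid;     /* S_ISUID set on the inode actually opened */
    int is_setgid;     /* S_ISGID set on that inode */
    int nosuid_mount;  /* 1 if the filesystem is mounted nosuid */
    uid_t owner;       /* st_uid: the uid a setuid script would run as */
    ino_t inode;       /* identity of what was opened, used by the demo below */
};

/* Inspect the file behind an open descriptor. The descriptor is bound to the
 * inode, not the name, so renaming or unlinking the path after open() cannot
 * change what fstat() reports: this is the "fd = open; fstat(fd)" ordering. */
struct suid_check check_fd(int fd)
{
    struct suid_check r;
    struct stat st;
    struct statvfs vfs;

    memset(&r, 0, sizeof r);
    if (fstat(fd, &st) != 0)
        return r;                      /* r.ok stays 0 */
    r.ok = 1;
    r.is_setuid = (st.st_mode & S_ISUID) != 0;
    r.is_setgid = (st.st_mode & S_ISGID) != 0;
    r.owner = st.st_uid;
    r.inode = st.st_ino;
    /* The kernel honours neither bit on a nosuid mount. An interpreter that
     * re-implements the check must look this up itself, or it grants
     * privileges the kernel would have refused (the sperl gap above). */
    if (fstatvfs(fd, &vfs) == 0 && (vfs.f_flag & ST_NOSUID))
        r.nosuid_mount = 1;
    return r;
}

/* Open a script and check it in the safe order. The caller must keep reading
 * the script through the returned descriptor and never reopen it by name.
 * Returns -1 on error; on a nosuid mount the suid/sgid flags are cleared. */
int open_script_checked(const char *path, struct suid_check *out)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    *out = check_fd(fd);
    if (!out->ok) { close(fd); return -1; }
    if (out->nosuid_mount) { out->is_setuid = 0; out->is_setgid = 0; }
    return fd;
}

/* Demo (constructed files, assumed names): replace the path's target after
 * open() and show the descriptor still sees the original inode while a fresh
 * lookup by name sees the replacement. Returns 1 on that outcome. */
int demo_fd_survives_path_swap(void)
{
    char orig[64], other[64];
    struct suid_check before, after;
    struct stat by_name;
    int fd, result;

    snprintf(orig, sizeof orig, "/tmp/suid_demo_orig_%ld", (long)getpid());
    snprintf(other, sizeof other, "/tmp/suid_demo_other_%ld", (long)getpid());
    close(open(orig, O_WRONLY | O_CREAT | O_TRUNC, 0644));
    close(open(other, O_WRONLY | O_CREAT | O_TRUNC, 0644));

    fd = open_script_checked(orig, &before);
    if (fd < 0) { unlink(orig); unlink(other); return 0; }
    rename(other, orig);                /* atomically repoint the name */
    after = check_fd(fd);
    result = after.ok && before.inode == after.inode          /* fd unchanged */
             && stat(orig, &by_name) == 0
             && by_name.st_ino != before.inode;               /* name moved */
    close(fd);
    unlink(orig);
    unlink(other);
    return result;
}

/* Demo: set S_ISUID on a constructed file we own and confirm check_fd() sees
 * it. Returns 1 if seen, 0 if not, -1 if this filesystem refused the bit. */
int demo_setuid_bit_seen(void)
{
    char path[64];
    struct suid_check r;
    int fd, rc;

    snprintf(path, sizeof path, "/tmp/suid_demo_bit_%ld", (long)getpid());
    fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0700);
    if (fd < 0) return -1;
    rc = fchmod(fd, S_IRWXU | S_ISUID);
    r = check_fd(fd);
    close(fd);
    unlink(path);
    if (rc != 0) return -1;
    return r.is_setuid && r.owner == getuid();
}

int main(void)
{
    printf("fd keeps original inode across path swap: %d\n", demo_fd_survives_path_swap());
    printf("setuid bit seen through the descriptor:  %d\n", demo_setuid_bit_seen());
    return 0;
}
```

An interpreter built on this would switch uid only when `is_setuid` is set and `nosuid_mount` is not, then execute the script from the descriptor it already holds; reopening by name, as the old kernels effectively did, reintroduces the window the message describes.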
