SGID/SUID on scripts
Lowell Gilbert
lgusenet at be-well.ilk.org
Fri Jul 24 15:11:40 UTC 2009
Jonathan McKeown <j.mckeown at ru.ac.za> writes:
> On Thursday 23 July 2009 20:28:52 Lowell Gilbert wrote:
>> That's clever, but how would it work in practice, while common shells
>> and scripting languages may not implement their side of it?
>
> http://www.in-ulm.de/~mascheck/various/shebang/ claims that it's been
> implemented, in exactly the way described, in Solaris, OpenBSD and NetBSD
> (albeit as a kernel compile-time option in the latter two). (It's apparently
> also in IRIX and UnixWare).
>
> Given OpenBSD's admirable paranoia about security (hey, I'm a sysadmin: I
> never ask myself if I'm being paranoid, but if I'm being paranoid enough!)
> I'd have thought they would have explored the implications fully.

They don't enable it by default, and they don't seem to recommend it.

> Certainly other stuff knows about it. As I said yesterday, Perl describes the
> problem in its perlsec manpage/perldoc. The perl interpreter even has a
> build-time option, SETUID_SCRIPTS_ARE_SECURE_NOW - and the correct setting is
> supposedly detected as part of configure.

The problem I'm wondering about is that it doesn't matter what knows
about it as long as there's an interpreter that *doesn't*. Anything
that opens a script parameter on its own (there are other vulnerable
approaches, but one's enough) will be insecure.

I may well be missing something, of course.

> There may well be some problems to overcome, but this doesn't appear to be
> unexplored territory.

Not entirely, but there may well be a reason it's never been in common
use.

- Lowell
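
The interpreter-side half of the scheme discussed in this message, as an added example that is not part of the original post or of any project's code: when running set-id, use only the descriptor the kernel already opened and never reopen the script by name. It assumes the kernel passes the script as /dev/fd/N; the function names and the `privileged` flag are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Parse "/dev/fd/N"; return N, or -1 if arg is any other kind of path. */
int script_fd_from_arg(const char *arg)
{
    static const char prefix[] = "/dev/fd/";
    size_t plen = sizeof(prefix) - 1;
    char *end;
    long n;

    /* Require a digit right after the prefix so "+3", " 3" and "" fail. */
    if (strncmp(arg, prefix, plen) != 0 || arg[plen] < '0' || arg[plen] > '9')
        return -1;
    errno = 0;
    n = strtol(arg + plen, &end, 10);
    if (errno != 0 || *end != '\0' || n > 65535)
        return -1;
    return (int)n;
}

/*
 * Return a descriptor for the script, or -1 to refuse.
 * privileged: nonzero when the process runs set-id (hypothetical flag; a
 * real interpreter would compare getuid()/geteuid() and the group ids).
 */
int open_script(const char *arg, int privileged)
{
    struct stat st;
    int fd;

    if (!privileged)
        return open(arg, O_RDONLY);   /* no elevated rights: by-name is fine */

    /* Set-id: the name may point somewhere else than it did when the kernel
     * checked the mode bits, so a path argument is refused outright. */
    fd = script_fd_from_arg(arg);
    if (fd < 0 || fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    return fd;                        /* read the script from this fd only */
}
```

An interpreter without such a check falls into the `open(arg, ...)` branch even when privileged, which is the case the message warns about.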