setuid scripts wrapper (RFC, proposal)

Sply Splyeff lists at sply.org
Thu Apr 6 10:51:38 UTC 2006


> The biggest problem is its failure to check the sanity of the input
> parameters - that a particular argument actually exists before
> referencing it.

Do you mean that evil Bob can substitute Alice's script between the stat() and execve() calls?
Yes, I've missed this point.

We can use realpath and check whether all nodes are writable only by the file owner or by root.
Yes, that's a big limitation, but in most common tasks it would be acceptable. And it
saves us from race conditions, am I right?

And there are other ways, but slower or more complex: an own sub-wrapper for each
interpreter that passes the script as a file descriptor, as you wrote at the beginning; hardlinking or
copying the files to a safe directory; forking a child and ptracing it to watch whether the files it
opens are really the same. Too confusing.

But if the first way is OK, maybe it's better to stay with it.

> Other issues I noticed:
> - strncpy() is virtually always the wrong function.  You already do
>   validation so you could just use strcpy()
OK, I've replaced it with memcpy as the length is already known.

> - strncpy(penvd + penvsz, "=", 1);  could be penvd[penvsz] = '=';
Sure, it was done only to keep all string operations in one style.

> - No error if number of environment variables too great.
Fixed.
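As an added example (not part of this message and not the wrapper's own code), here is the realpath-and-walk check in C: every prefix of the canonical path ("/", "/usr", "/usr/local", ..., the file itself) is lstat()ed and must be owned by root or by the script owner and not be group- or world-writable; afterwards the script is opened and the descriptor's fstat() is compared against lstat() of the name, so a file swapped in after the walk is still caught. The function names (safe_component, safe_path, safe_script_open) are this example's own.

```c
/* Added example, not code from the thread's wrapper.  Function names
 * (safe_component, safe_path, safe_script_open) are this example's own. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* One path component is acceptable when only root or `owner` can modify it:
 * owned by uid 0 or by `owner`, and no group/other write bit.  Note that a
 * sticky, world-writable /tmp is rejected by this rule. */
int safe_component(uid_t uid, mode_t mode, uid_t owner)
{
    if (uid != 0 && uid != owner)
        return 0;
    if ((mode & (S_IWGRP | S_IWOTH)) != 0)
        return 0;
    return 1;
}

/* Canonicalise `path` with realpath(3) and lstat every prefix of the result.
 * Intermediate entries must be real directories and the last a regular file
 * (realpath leaves no symlinks, so finding one means the tree changed under
 * us), and each must pass safe_component().  `owner` == (uid_t)-1 means
 * "the final file's owner".  The canonical path is copied to `resolved`
 * when non-NULL.  Returns 1 if the whole chain is safe, 0 otherwise. */
int safe_path(const char *path, uid_t owner, char *resolved)
{
    char canon[PATH_MAX], prefix[PATH_MAX];
    struct stat st;
    size_t j, len;

    if (realpath(path, canon) == NULL)
        return 0;
    if (lstat(canon, &st) < 0 || !S_ISREG(st.st_mode))
        return 0;
    if (owner == (uid_t)-1)
        owner = st.st_uid;

    len = strlen(canon);
    for (j = 1; j <= len; j++) {
        /* j == 1 gives "/"; later iterations stop at each '/' and at the end */
        if (j != 1 && canon[j] != '/' && canon[j] != '\0')
            continue;
        memcpy(prefix, canon, j);
        prefix[j] = '\0';
        if (lstat(prefix, &st) < 0)
            return 0;
        if (j < len && !S_ISDIR(st.st_mode))
            return 0;
        if (j == len && !S_ISREG(st.st_mode))
            return 0;
        if (!safe_component(st.st_uid, st.st_mode, owner))
            return 0;
    }
    if (resolved != NULL)
        strcpy(resolved, canon);
    return 1;
}

/* Open the script and re-check the inode actually opened: fstat() on the fd
 * must be a safe regular file with the same (dev, ino) as lstat() of the
 * canonical name.  `owner` must be the explicit uid whose scripts may run.
 * Returns a read-only descriptor or -1; a wrapper would then hand the
 * interpreter /dev/fd/N rather than a pathname. */
int safe_script_open(const char *path, uid_t owner)
{
    char resolved[PATH_MAX];
    struct stat fst, lst;
    int fd;

    if (owner == (uid_t)-1 || !safe_path(path, owner, resolved))
        return -1;
    fd = open(resolved, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &fst) < 0 || lstat(resolved, &lst) < 0 ||
        !S_ISREG(fst.st_mode) ||
        fst.st_dev != lst.st_dev || fst.st_ino != lst.st_ino ||
        !safe_component(fst.st_uid, fst.st_mode, owner)) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    char resolved[PATH_MAX];

    if (argc != 2) {
        fprintf(stderr, "usage: %s script\n", argv[0]);
        return 2;
    }
    if (!safe_path(argv[1], (uid_t)-1, resolved)) {
        fprintf(stderr, "%s: not a safe path chain\n", argv[1]);
        return 1;
    }
    printf("ok: %s\n", resolved);
    return 0;
}
```

The walk rejects any script living under a directory others can write to, including the sticky /tmp, which is exactly the limitation accepted above; the fstat()/lstat() comparison after open() narrows the remaining window but only fully closes it if the interpreter is then given the descriptor instead of the name.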



More information about the freebsd-hackers mailing list