/usr/local/etc/rc.d/ scripts and non-root user
jonathan+freebsd-questions at hst.org.za
Sun Feb 10 17:16:01 UTC 2008
On Sunday 10 February 2008 11:13, Matthew Seaman wrote:
> gs_stoller at juno.com wrote:
> > On Wed, 06 Feb 2008, Alex Zbyslaw wrote
> > SNIP
> >> Setuid/gid bits on shell scripts aren't considered safe, however, and may
> >> even be disabled.
> > THERE IS NO REASON FOR THIS, JUST USE THE FILE-SYSTEM TO PROTECT THE
> > FILES (MAKE THEM NOT WRITEABLE). Scripts are no more susceptible to
> > sabotage and misuse than binary files, it is just that scripts can be
> > more easily decoded and understood than binary files, and so
> > management (that usually doesn't know much about a computer system)
> > becomes frightened and issues orders to relieve their stress.
> There's no particular reason that setuid bits on scripts are dangerous
> nowadays. However in the dim and distant past (before the millennium)
> there used to be a race condition on opening files that meant it was
> trivial to use a setuid script to get a shell running under the target
> UID. The horror of this situation seems to have branded itself so deeply
> on the Unix psyche that even now, when that race condition has been
> eliminated for many years, there is still a lingering reflex response:
> "setuid scripts bad."
Specifically, the system would open the script to read the #! line and find
out what interpreter to run, close the script and tell the specified
interpreter to re-open it. If an attacker could change the file between the
close and the re-open, you would end up running the attacker's script.
I believe the fix was to hand the required interpreter an open file descriptor
rather than a filename.
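The open/close/re-open race described in the post, as an added illustration (not code from the post, from FreeBSD, or from any kernel): it simulates the old exec behaviour and the descriptor-based fix with two plain files under /tmp, whose paths and contents are constructed for the demo, and the "attacker" is a rename() performed by the same process, standing in for whatever changes the file during the window between close and re-open.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed demo paths: assumed writable and on one filesystem so rename() is atomic. */
#define SCRIPT_PATH      "/tmp/setuid_race_demo.sh"
#define REPLACEMENT_PATH "/tmp/setuid_race_demo.swap"

static const char TRUSTED[] = "#!/bin/sh\necho trusted\n";   /* the script the admin installed */
static const char SWAPPED[] = "#!/bin/sh\necho swapped\n";   /* what gets renamed over it */

static int write_file(const char *path, const char *body)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0700);
    if (fd < 0)
        return -1;
    ssize_t len = (ssize_t)strlen(body);
    ssize_t n = write(fd, body, (size_t)len);
    close(fd);
    return n == len ? 0 : -1;
}

/* Lay down the trusted script and the file that will be swapped into its place. */
static int setup(void)
{
    if (write_file(SCRIPT_PATH, TRUSTED) < 0)
        return -1;
    return write_file(REPLACEMENT_PATH, SWAPPED);
}

static void cleanup(void)
{
    unlink(SCRIPT_PATH);
    unlink(REPLACEMENT_PATH);   /* already gone after the rename; harmless */
}

/* Exec step 1: read the "#!" line to decide which interpreter to run. 0 if it is a script. */
static int read_shebang(int fd)
{
    char head[2];
    if (read(fd, head, 2) != 2)
        return -1;
    return (head[0] == '#' && head[1] == '!') ? 0 : -1;
}

/* Simulated attacker action inside the race window: replace the directory entry. */
static int attacker_swaps_file(void)
{
    return rename(REPLACEMENT_PATH, SCRIPT_PATH);
}

/* Read what the interpreter would actually run from fd:
 * 1 = still the trusted script, 0 = the swapped content, -1 = error. */
static int classify(int fd)
{
    char buf[128];
    ssize_t n = read(fd, buf, sizeof buf - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    if (strcmp(buf, TRUSTED) == 0) return 1;
    if (strcmp(buf, SWAPPED) == 0) return 0;
    return -1;
}

/* Old behaviour: close the script after reading "#!" and hand the interpreter a *path*. */
int exec_by_path(void)
{
    int result = -1;
    if (setup() < 0)
        return -1;
    int fd = open(SCRIPT_PATH, O_RDONLY);
    if (fd >= 0 && read_shebang(fd) == 0) {
        close(fd);                          /* kernel is done with the file ... */
        attacker_swaps_file();              /* ... and the window opens here */
        fd = open(SCRIPT_PATH, O_RDONLY);   /* interpreter re-opens by name: gets the swap */
        if (fd >= 0)
            result = classify(fd);
    }
    if (fd >= 0)
        close(fd);
    cleanup();
    return result;
}

/* Fixed behaviour: keep the descriptor open and hand *it* to the interpreter. */
int exec_by_fd(void)
{
    int result = -1;
    if (setup() < 0)
        return -1;
    int fd = open(SCRIPT_PATH, O_RDONLY);
    if (fd >= 0 && read_shebang(fd) == 0) {
        attacker_swaps_file();              /* same window, but fd still names the original inode */
        lseek(fd, 0, SEEK_SET);
        result = classify(fd);              /* interpreter reads the file that was opened */
    }
    if (fd >= 0)
        close(fd);
    cleanup();
    return result;
}

int main(void)
{
    printf("path-based exec ran: %s\n", exec_by_path() == 1 ? "trusted" : "swapped");
    printf("fd-based exec ran:   %s\n", exec_by_fd() == 1 ? "trusted" : "swapped");
    return 0;
}
```

The rename only changes the directory entry; the file the kernel already has open is untouched, so anything that continues to read from that descriptor (the general idea behind /dev/fd/N arguments and descriptor-based exec calls such as fexecve(2)) sees the original script, while a fresh open by name sees whatever now sits at that path.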