SUID permission on Bash script

Matthew Seaman m.seaman at infracaninophile.co.uk
Sat Aug 29 18:22:19 UTC 2009


RW wrote:
> On Sat, 29 Aug 2009 00:06:29 -0700
> perryh at pluto.rain.com wrote:
> 
>> Michael David Crawford <mdc at prgmr.com> wrote:
>>> It's not that setuid shell scripts are really more
>>> inherently insecure than programs written in C.
>> Actually, absent some careful cooperation between the kernel
>> and the interpreter to prevent a race condition that can cause
>> the interpreter to run (with elevated permissions) a completely
>> different script than the one that was marked setuid, setuid
>> scripts _are_ insecure in a way that _cannot_ be fixed by any
>> degree of care that might be taken in the writing of the script.
>>
>> Check the hackers@ archives.  It was discussed a little over a
>> month ago.
> 
> But isn't that the same issue that Matthew Seaman was saying was
> fixed years ago (in the link I gave before), and is described in the
> follow-up:
> 
> http://www.mail-archive.com/freebsd-questions@freebsd.org/msg185145.html
> 
> That's entirely in the kernel, it doesn't require interpreter support.

The race condition between the kernel opening the script and the interpreter
doing so should certainly be fixed in any Unix or Linux distribution available
today.  Either, as above, by the kernel passing an open file descriptor to the
invoked script, or simply by ignoring any setuid or setgid bits on interpreted
scripts.

There are other attacks against SUID scripts -- see for instance:

    http://www.tech-faq.com/suid-root-script-binary.shtml
    http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html

most of which work by exploiting the sort of features of the scripting
language that make it into a powerful and useful tool.  Almost all of these
sort of exploits can be avoided by careful programming -- for instance,
always explicitly setting $IFS and $PATH to known good values, or using the
one set of command line flags allowed on the #! line to block the '-i' trick
(i.e. use '#!/bin/sh --' which forces any subsequent items on the command
line to be treated as files rather than command options).  However, you
(the programmer) would have to know all about the various tricks for 
exploiting suid-ness in order to counter them.

The preferred way of running a script SUID is to write a very small C 
wrapper program that can be made SUID and that executes the script after
gaining increased privileges.  Done well, this is definitely the best and most
secure approach.  Note however that the C wrapper must be similarly as
carefully written as a suid script or many of the same exploits could still
be possible.

So, unless you are an expert programmer and understand how to defend your
code against attack, your best bet really is to just use sudo(8).

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
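The C-wrapper approach described in the message above, as an added example that is not code from the thread or from FreeBSD: a hypothetical setuid wrapper that rebuilds $PATH and $IFS from known-good values, runs one fixed script by absolute path, and puts `--` ahead of the caller's arguments so none of them can be read as interpreter options. SCRIPT_PATH (a placeholder path), MAX_ARGS and build_script_argv are assumed names.

```c
/* Hypothetical SUID wrapper for one fixed script (added example).
 * Assumptions: the wrapper binary, not the script, carries the setuid bit;
 * the script's own #! line names the interpreter; SCRIPT_PATH is a placeholder.
 * Nothing from the caller's environment reaches the script. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SCRIPT_PATH "/usr/local/libexec/backup.sh" /* placeholder */
#define MAX_ARGS 64
/* The only environment the script sees: no inherited PATH, IFS, ENV, LD_* ... */
static char *const safe_env[] = {
    "PATH=/bin:/usr/bin",
    "IFS= \t\n",
    NULL
};

/* Fill out[] with: SCRIPT_PATH, "--", caller args..., NULL.
 * Returns the entry count (excluding NULL) or -1 on overflow / rejected arg. */
int build_script_argv(int argc, char *const argv[], char *out[], int out_cap)
{
    int n = 0;
    if (out_cap < 3) return -1;
    out[n++] = SCRIPT_PATH;   /* never argv[0]: the caller chooses that string */
    out[n++] = "--";
    for (int i = 1; i < argc; i++) {
        if (n >= out_cap - 1) return -1;
        if (strchr(argv[i], '\n') != NULL) return -1; /* reject embedded newlines */
        out[n++] = argv[i];
    }
    out[n] = NULL;
    return n;
}

int main(int argc, char *argv[])
{
    char *script_argv[MAX_ARGS];
    if (build_script_argv(argc, argv, script_argv, MAX_ARGS) < 0) {
        fprintf(stderr, "wrapper: bad arguments\n");
        return 2;
    }
    /* Make ruid == euid: bash, for one, resets euid to ruid when they differ. */
    if (setuid(geteuid()) != 0) { perror("setuid"); return 1; }
    execve(SCRIPT_PATH, script_argv, safe_env);
    perror("execve");   /* only reached if the exec failed */
    return 1;
}
```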
