Established method to enable suid scripts?

perryh at pluto.rain.com
Wed May 11 07:40:54 UTC 2011


Chris Telting <christopher-ml at telting.org> wrote:

> Seemed like I read that historically unix ran the #! command
> as the suid when it executed the file.  Did FreeBSD delete
> that functionality?  (Otherwise how did suid scripts get the
> bad reputation if they could never execute suid.)

There have indeed been Unix (or Unix-like) systems that have
implemented suid #! scripts.  It did not take very long for
someone to discover -- and demonstrate -- the massive security
hole that they opened, which led to the capability being removed.

IIUC this happened fairly early in the Berkeley era, long before
FreeBSD existed as such.  Thus it was a predecessor of FreeBSD,
and not FreeBSD itself, from which the functionality was deleted.

It _is_ possible in principle to close that particular security
hole while retaining the suid #! functionality, but it requires
coordination between the kernel and the interpreter (and, in the
variant I'm aware of, the introduction of a fourth standard file
identifier similar to the well-known stdin, stdout, and stderr).
However, even supposing that this fix is applied, how certain can
we be that there are no _other_ exposures?

> I'm not exactly clear where the execute function is.  I'm guessing
> that it's not the shell doing the #! interpretation but rather the
> execute function of the operating system.

Correct.  The exec function examines the first block of the file
that is to be executed, and determines how to execute it by
recognizing particular values in particular places.  When the first
two bytes are #!, the characters following the #! (up to the next
whitespace) identify an interpreter which is executed, the name
of the script being passed to the interpreter as a parameter.

Presumably it would be possible for exec to recognize the suid
bit on the script, and set the UID accordingly when executing the
interpreter, but AFAIK there is no way to "configure" FreeBSD to
do this; you would have to modify the kernel.
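The two-open sequence the post describes, as an added C example that is not part of the original message or of FreeBSD's source. parse_shebang() picks apart a "#!" line the way exec does (interpreter up to the first blank; the remainder is treated here as a single argument, which is an assumption since kernels differ on splitting it). demonstrate_swap() then replays the classic hole: the kernel opens the script by pathname and reads "#!", the interpreter is started with that pathname as its argument and opens it again by name, and a symlink repointed in between makes the second open land on a different file. Re-reading the descriptor from the first open shows why passing an already-open descriptor (the /dev/fd-style "fourth standard file" the post mentions) closes that window. Directory names, file names and script contents are constructed for the demonstration; it needs a writable /tmp.

```c
/* Added example (not from the original post or FreeBSD): how exec picks apart
 * a "#!" line, and the name-based re-open race that made setuid scripts
 * unsafe.  All paths and script contents below are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* parse_shebang: "#!" must be the first two bytes; the interpreter runs to the
 * first blank, tab or newline; the rest of the line, trimmed, is one optional
 * argument (assumption: kernels differ on whether they split it).  0 or -1. */
int parse_shebang(const char *line, char *interp, size_t ilen,
                  char *arg, size_t alen)
{
    const char *p, *end;
    size_t n;
    if (line[0] != '#' || line[1] != '!')
        return -1;
    p = line + 2;
    while (*p == ' ' || *p == '\t') p++;                   /* "#! /bin/sh" */
    for (end = p; *end && *end != ' ' && *end != '\t' && *end != '\n'; end++)
        ;
    if ((n = (size_t)(end - p)) == 0 || n >= ilen)
        return -1;
    memcpy(interp, p, n);
    interp[n] = '\0';
    p = end;
    while (*p == ' ' || *p == '\t') p++;
    for (end = p; *end && *end != '\n'; end++)
        ;
    while (end > p && (end[-1] == ' ' || end[-1] == '\t')) end--;  /* trim */
    if ((n = (size_t)(end - p)) >= alen)
        return -1;
    memcpy(arg, p, n);
    arg[n] = '\0';
    return 0;
}

/* shebang_matches: 1 if line parses to exactly (interp, arg), else 0. */
int shebang_matches(const char *line, const char *interp, const char *arg)
{
    char i[128], a[128];
    return parse_shebang(line, i, sizeof i, a, sizeof a) == 0 &&
           strcmp(i, interp) == 0 && strcmp(a, arg) == 0;
}

static int write_script(const char *path, const char *body)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0700);
    ssize_t w = fd < 0 ? -1 : write(fd, body, strlen(body));
    if (fd >= 0) close(fd);
    return w == (ssize_t)strlen(body) ? 0 : -1;
}

/* demonstrate_swap: the hole in two opens.  Open #1 is the kernel opening the
 * script by name, honouring its setuid bit and reading "#!"; it then execs the
 * interpreter with the *pathname*, so the interpreter does open #2 by name.
 * A symlink repointed in between makes open #2 a different file, run with the
 * privileges granted on open #1.  A descriptor is bound to the inode, not the
 * name, as the rewound kfd shows; that is what the /dev/fd-style fix relies on.
 * Returns 1 if the swap is observed, 0 if not, -1 on setup failure. */
int demonstrate_swap(void)
{
    char dir[64], good[96], evil[96], lnk[96], kbuf[64];
    struct stat st1, st2;
    int kfd = -1, ifd = -1, result = -1;
    ssize_t n;
    snprintf(dir, sizeof dir, "/tmp/shebang_demo_%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)
        return -1;
    snprintf(good, sizeof good, "%s/trusted.sh", dir);
    snprintf(evil, sizeof evil, "%s/attacker.sh", dir);
    snprintf(lnk, sizeof lnk, "%s/script", dir);
    if (write_script(good, "#!/bin/sh\necho trusted\n") != 0 ||
        write_script(evil, "#!/bin/sh\necho attacker\n") != 0 ||
        symlink("trusted.sh", lnk) != 0)
        goto out;
    /* open #1: the kernel opens "script" and reads its #! line */
    if ((kfd = open(lnk, O_RDONLY)) < 0 || fstat(kfd, &st1) != 0 ||
        (n = read(kfd, kbuf, sizeof kbuf - 1)) <= 0 || strncmp(kbuf, "#!", 2))
        goto out;
    /* the window: attacker repoints the name before the interpreter starts */
    if (unlink(lnk) != 0 || symlink("attacker.sh", lnk) != 0)
        goto out;
    /* open #2: the interpreter opens its argv[1] by pathname: another inode */
    if ((ifd = open(lnk, O_RDONLY)) < 0 || fstat(ifd, &st2) != 0)
        goto out;
    /* kfd, rewound, still reads the file the kernel vetted */
    if (lseek(kfd, 0, SEEK_SET) < 0 || (n = read(kfd, kbuf, sizeof kbuf - 1)) <= 0)
        goto out;
    kbuf[n] = '\0';
    result = (st1.st_ino != st2.st_ino || st1.st_dev != st2.st_dev) &&
             strstr(kbuf, "trusted") != NULL;
out:
    if (kfd >= 0) close(kfd);
    if (ifd >= 0) close(ifd);
    unlink(lnk); unlink(good); unlink(evil); rmdir(dir);
    return result;
}

int main(void)
{
    printf("name swapped between the two opens: %d\n", demonstrate_swap());
    return 0;
}
```

The race is only a window, and real attacks had to win it against a running exec; the demo widens it to a single step so the two-open structure is visible. The inode comparison is the check a hardened interpreter could make if it were handed a descriptor rather than a name.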
