Re: using mount from SUID scripts?

From: Matthew Dharm (mdharm-kernel@one-eyed-alien.net)
Date: Wed Aug 08 2001 - 00:17:08 EST

Next message: Michael Reincke: "problem: devfs scsi tape permissions"
Previous message: Bill Yu: "How to Send Raw Packet Through a Specific Interface"
Next in thread: Jesse Pollard: "Re: using mount from SUID scripts?"
Maybe reply: Jesse Pollard: "Re: using mount from SUID scripts?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Actually, a strace of mount shows that mount asks for the UID and the EUID,
and seems to exit of it's own accord when they differ.

Tho, if I can force the UID to the EUID, this may work also.

Unfortunately, the snippit of code here doesn't do the job... after the
first two lines, the UID is unchanged, while the EUID is still 0 (root). I
used system "/usr/bin/id" to verify this. /bin/mount is still complaining.

Oh, wait... $> is effective and $< is real. So that first line should be
($r, $e) = ($<, $>); -- this makes everything happy!

Thanks tons, folks!

Matt Dharm

On Tue, Aug 07, 2001 at 09:29:07PM -0500, Jesse Pollard wrote:
> On Tue, 07 Aug 2001, Keith Owens wrote:
> >On Tue, 7 Aug 2001 16:29:39 -0700,
> >Matthew Dharm <mdharm-kernel@one-eyed-alien.net> wrote:
> >>I've got an SUID perl script (yes, it's EUID is really 0) which I'd like to
> >>use mount from to mount a file via loopback...
> >>
> >>Unfortunately, it looks like mount refuses to actually mount anything if
> >>the EUID and UID aren't the same....
> >
> >Are you sure the problem is mount? Some versions of bash drop euid(0)
> >when they execute scripts from setuid programs.
> >
>
> not mount, and likely not the shell - the thing is that perl doesn't like it
> when the effective uid is not equal to the real uid. Perl is very good at
> limiting the damange an unsuspecting script does. This is to prevent passing
> a "confused" environment to the shell.
>
> The following can work around this:
>
> ($r,$e) = ( $>, $< ); # save real and effective uid's
> $< = $e; # force real uid to the effective
> `/bin/mount ....`
> ($>, $<) = ($r,$e); # restore mixed state
>
> Remember, the options to mount should come from a fixed table with user
> selected input used to select which table entry to use... or a strictly
> fixed mount command.
>
> Otherwise you have an even bigger security hole.
>
> --
> -------------------------------------------------------------------------
> Jesse I Pollard, II
> Email: jesse@cats-chateau.net
>
> Any opinions expressed are solely my own.

-- Matthew Dharm Home: mdharm-usb@one-eyed-alien.net Maintainer, Linux USB Mass Storage Driver

You suck Stef. -- Greg User Friendly, 11/29/97

application/pgp-signature attachment: stored

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/

Next message: Michael Reincke: "problem: devfs scsi tape permissions"
Previous message: Bill Yu: "How to Send Raw Packet Through a Specific Interface"
Next in thread: Jesse Pollard: "Re: using mount from SUID scripts?"
Maybe reply: Jesse Pollard: "Re: using mount from SUID scripts?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Wed Aug 15 2001 - 21:00:14 EST