setuid scripts (was Re: proc fs and shared pids)

Marek Michalkiewicz (marekm@i17linuxb.ists.pwr.wroc.pl)
Thu, 5 Sep 1996 20:38:23 +0200 (MET DST)


Darren J Moffat:
> In the noexec case it isn't a problem because the script couldn't have
> been executed to start the trusted interpreter in the first place.

But the trusted interpreter could still be executed by the user
with the name of the script as argv[1]. Same for setuid...

> Any "guarding" setuid interpreter should check that what it is executing
> really should be allowed to be done, if this means checking the mount
> options then so be it, but I don't think this is necessary.

I think this is necessary - and it is not portable. I still think
we should allow the Solaris /dev/fd hack (at least as an option).

> script that is setuid (4755)
>
> #!/usr/local/sbin/setuidexec /bin/sh
>
> cat < /etc/some_file_readable_only_by_root
>
> Putting script on vol mounted: noexec then nosuid then nosuid,noexec
> Putting the setuid guard wrapper on a mount that allows setuid and execs.

Is there anything to stop me doing this:

/usr/local/sbin/setuidexec /bin/sh script

(script is on a filesystem mounted nosuid)

This has nothing to do with filesystem type (ext2 or umsdos). Or am
I missing something here?

Marek
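The check Darren describes, that a "guarding" setuid interpreter should verify what it is about to execute, written out as an added example that is not code from this thread or from any real setuidexec. The function names are hypothetical. It opens the script, then inspects the descriptor (not the path) so the mount flags and mode bits it sees belong to the file that will actually run, and refuses when the filesystem is nosuid, when the script does not itself carry the setuid bit, or when it is writable by others. The caller would hand the returned descriptor to the real interpreter as /dev/fd/N, which is the Solaris arrangement mentioned above.

```c
/* Added example: policy checks a guarding setuid wrapper would run before
 * passing a script to the real interpreter. Not from the thread. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <unistd.h>

/* Pure policy on mount flags: a script living on a nosuid (or, where the
 * libc exposes the flag, noexec) filesystem must not gain privilege. */
int mount_flags_ok(unsigned long f_flag)
{
    if (f_flag & ST_NOSUID)
        return 0;
#ifdef ST_NOEXEC
    if (f_flag & ST_NOEXEC)
        return 0;
#endif
    return 1;
}

/* Pure policy on the script's own inode: regular file, setuid bit set on
 * the script itself (not only on the wrapper), not group/world writable,
 * and owned by the uid the wrapper runs as. This is what stops
 * "setuidexec /bin/sh anyscript" from elevating an arbitrary file. */
int script_mode_ok(const struct stat *st, uid_t target_uid)
{
    if (!S_ISREG(st->st_mode))
        return 0;
    if (!(st->st_mode & S_ISUID))
        return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    if (st->st_uid != target_uid)
        return 0;
    return 1;
}

/* Open the script and apply both policies to the open descriptor.
 * Returns the descriptor (for the interpreter to read via /dev/fd/N) or
 * -1 if the script is refused. Checking the descriptor rather than the
 * path means the file cannot be swapped between check and use. */
int open_checked_script(const char *path, uid_t target_uid)
{
    struct stat st;
    struct statvfs vfs;
    int fd;

    if (path == NULL || path[0] != '/')      /* require an absolute path */
        return -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW);  /* refuse symlink tricks */
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !script_mode_ok(&st, target_uid)) {
        close(fd);
        return -1;
    }
    if (fstatvfs(fd, &vfs) != 0 || !mount_flags_ok(vfs.f_flag)) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /absolute/path/to/script\n", argv[0]);
        return 2;
    }
    int fd = open_checked_script(argv[1], geteuid());
    if (fd < 0) {
        fprintf(stderr, "refused: %s\n", argv[1]);
        return 1;
    }
    printf("accepted, would run interpreter on /dev/fd/%d\n", fd);
    close(fd);
    return 0;
}
```

The mode check is deliberately stricter than "the wrapper is setuid": the script file itself must be marked setuid by its owner, so a user cannot point the wrapper at a script of their own. The mount check answers the question in the message above: a script on a nosuid filesystem is refused even though the wrapper is on a filesystem that allows setuid.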