[205] in bugtraq
Re: Setuid programs run from shell scripts?
daemon@ATHENA.MIT.EDU (Justin J. Lister)
Fri Nov 18 17:59:34 1994
From: ruf@SPi.MIT.EDU (Justin J. Lister)
To: bugtraq@fc.net
Date: Sat, 19 Nov 1994 05:39:47 +1100 (EST)
In-Reply-To: <199411141818.LAA21558@c3serve.c3.lanl.gov> from "Michael Neuman" at Nov 14, 94 11:12:32 am
Reply-To: <ruf@osiris.cs.uow.edu.au>
"Michael Neuman wrote:"
>This is a nice security feature, but is it a bug?
>$ cat suid.c
>#include <stdio.h>
>main() { printf("euid==%d ruid==%d\n",geteuid(), getuid()); }
>$ ls -l suid
>-rwsr-xr-x 1 root 24576 Nov 8 13:27 suid*
>$ suid
>euid==0 ruid==100
>$ cat testscript2
>#!/path_to_suid/suid
>foo
>$ testscript2
>euid==100 ruid==100
>------
>Shouldn't suid run as root under the "script"?
>(This is on SunOS 4.1.3_U1B)
Works as you expected on linux.
$ uname -a
Linux SPi 1.1.4 #3 Sat Jun 11 14:03:08 EST 1994 i486
$ id
uid=501(ruf) gid=100(users)
$ cat suid.c
# include<stdio.h>
void main(void){
printf("uid[%d] euid[%d] : gid[%d] egid[%d]\n",getuid(), geteuid(), getgid(), getegid());
}
$ ls -l suid
-rwsr-sr-x 1 root wheel 15971 Nov 19 05:24 suid
$ cat ts
#!suid
$ suid
uid[501] euid[0] : gid[100] egid[10]
$ ts
uid[501] euid[0] : gid[100] egid[10]
It appears this is due to race conditions, because when it is run traced.
$ strace ts
uselib("/lib/ld.so") = 0
stat("/etc/ld.so.cache", [dev 8 7 ino 59310 nlnks 1 ...]) = 0
open("/etc/ld.so.cache", RDONLY, 27777775004) = 3
mmap(0, 879, READ, SHARED, 3, 0) = 0x40000000
close(3) = 0
uselib("/lib/libc.so.4.5.19") = 0
munmap(0x40000000, , 879, ) = 0
munmap(0x62f00000, , 16384, ) = 0
brk(0) = 0x2000
getegid() = 100
getgid() = 100
geteuid() = 501
getuid() = 501
fstat(1, [dev 8 7 ino 73594 nlnks 1 ...]) = 0
brk(5000) = 0x5000
brk(6000) = 0x6000
ioctl(1, TCGETS, 0xbffff6ec) = 0
write(1, "uid[501] euid[501] : gid[100] eg".., 40uid[501] euid[501] : gid[100] egid[100]
) = 40
exit(40) = ?
--
+---------------------+--------------------------------------------------+
| ____ ___ | Justin Lister ruf@cs.uow.edu.au |
| | \\ /\ __\ | Center for Computer Security Research |
| | |) / \_/ / |_ | Dept. Computer Science voice: 61-42-835-114 |
| | _ \\ /| _/ | University of Wollongong fax: 61-42-832-807 |
| |_/ \/ \_/ |_| (tm) | Computer Security a utopian dream... |
| | Disclaimer: dreaming is at own risk |
+---------------------+--------------------------------------------------+
--
+---------------------+--------------------------------------------------+
| ____ ___ | Justin Lister ruf@cs.uow.edu.au |
| | \\ /\ __\ | Center for Computer Security Research |
| | |) / \_/ / |_ | Dept. Computer Science voice: 61-42-835-114 |
| | _ \\ /| _/ | University of Wollongong fax: 61-42-832-807 |
| |_/ \/ \_/ |_| (tm) | Computer Security a utopian dream... |
| | Disclaimer: dreaming is at own risk |
+---------------------+--------------------------------------------------+
