[9073] in bugtraq


Re: Security hole with perl (suidperl) and nosuid mounts on Linux

daemon@ATHENA.MIT.EDU (Jan B. Koum)
Fri Jan 15 12:54:38 1999

Date: 	Fri, 15 Jan 1999 00:14:01 -0800
Reply-To: "Jan B. Koum" <jkb@BEST.COM>
From: "Jan B. Koum" <jkb@BEST.COM>
X-To:         Brian McCauley <B.A.McCauley@BHAM.AC.UK>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <u9ogo1u47c.fsf@wcl-l.bham.ac.uk>; from Brian McCauley on Thu,
              Jan 14, 1999 at 05:58:15PM +0000

        This is WAAAY far from being news. In the FreeBSD mount man page
        we can read:

             nosuid  Do not allow set-user-identifier or set-group-identifier
                     bits to take effect.  Note: this option is worthless if a
                     public available suid or sgid wrapper like suidperl(1) is
                     installed on your system.

        This man page has been in the public domain for a long time too. :)

-- Yan


On Thu, Jan 14, 1999 at 05:58:15PM +0000, Brian McCauley <B.A.McCauley@BHAM.AC.UK> wrote:
> The following message is a courtesy copy of an article
> that has been posted to comp.os.linux.misc,comp.os.linux.development.system,comp.lang.perl.misc as well.
>
> The suid script emulation in Perl 5.0004_4 (as found in SuSE Linux 5.3
> and doubtless other Linux distributions) fails to take account of the
> nosuid mount option on filesystems.
>
> This means that it is trivial for a resourceful user to hide a setuid
> perl script on a CD or floppy and then use it to become root.  Many
> systems are (even by default) configured to allow users to mount floppies
> and CDs nosuid.
>
> The most obvious fix to Perl for this would be (where available) to
> use fstatvfs() (as defined in SUSv2) to determine if the script is on
> a filesystem that is mounted with the nosuid option.
>
> Unfortunately fstatvfs() is not implemented in Linux (as of 2.2pre1).
> It would not be difficult to add the new system call.  Indeed the
> existing fstatfs() implementation could simply be modified to
> implement fstatvfs() semantics and both syscalls could then point to
> the same code.
>
> This vulnerability will exist in all Unices that use a user-space
> implementation of suid-scripts and implement a nosuid mount option in
> such a way that it does not modify the values returned by fstat().
>
> It is worth noting that other suid-aware script-interpreters will
> probably also display this vulnerability on Linux because of the
> absence of fstatvfs().
>
> --
>      \\   ( )  No male bovine  | Email: B.A.McCauley@bham.ac.uk
>   .  _\\__[oo   faeces from    | Phones: +44 121 471 3789 (home)
>  .__/  \\ /\@  /~)  /~[   /\/[ |   +44 121 627 2173 (voice) 2175 (fax)
>  .  l___\\    /~~) /~~[  /   [ | PGP-fp: D7 03 2A 4B D8 3A 05 37...
>   # ll  l\\  ~~~~ ~   ~ ~    ~ | http://www.wcl.bham.ac.uk/~bam/
>  ###LL  LL\\ (Brian McCauley)  |
