[966] in bugtraq


Re: SUID shell scripts, questions?

daemon@ATHENA.MIT.EDU (David A. Wagner)
Fri Feb 10 21:57:20 1995

From: "David A. Wagner" <dawagner@phoenix.Princeton.EDU>
To: elfchief@lupine.org (That Whispering Wolf...)
Date: Fri, 10 Feb 1995 21:07:54 -0500 (EST)
Cc: bugtraq@fc.net
In-Reply-To: <199502101901.AA21735@lupine.org> from "That Whispering Wolf..." at Feb 10, 95 02:01:38 pm

> 
> SUID shell scripts are traditionally insecure in unix environments. [...]
> Also from my understanding, at least one Unix has solved this problem
> by making a /dev/fd filesystem, [...]
> 

Using the /dev/fd fs would remove the race condition, but the race
isn't the only problem with setuid shell scripts.

Unless the shell script writer is *very* careful (is it possible to
be careful enough?), one can play around with PATH or IFS.  If the
script calls any non-statically linked executables, I think one can
play around with LD_* variables on Suns.

Finally, I believe any setuid shell script written for csh is
irreparably broken: try

TERM='`/bin/echo + + >/.rhosts`' csh-script

There might be still more problems with setuid shell scripts which
I've forgotten; hopefully someone more knowledgeable than I will
point them out...

-------------------------------------------------------------------------------
David Wagner                                             dawagner@princeton.edu
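
A setuid wrapper that runs a helper program can narrow the PATH, IFS, LD_* and TERM problems named in this message by building a fresh environment instead of passing the caller's through. The C code below is an added example, not part of the original post; the fixed PATH value, the TERM character allowlist and the names scrub_env, safe_term and env_get are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENV 8

/* Keep TERM only if it looks like a terminal name (no shell metacharacters). */
static int safe_term(const char *v) {
    size_t n = strlen(v);
    if (n == 0 || n > 32) return 0;
    return strspn(v, "abcdefghijklmnopqrstuvwxyz"
                     "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-._") == n;
}

/* Fill out[] (NULL-terminated) from in[]; returns the number of entries kept.
   PATH and IFS are never inherited: fixed values are set instead.
   Anything not explicitly allowed (LD_*, ENV, HOME, ...) is dropped. */
int scrub_env(const char *const in[], const char *out[MAX_ENV]) {
    int n = 0;
    out[n++] = "PATH=/bin:/usr/bin";   /* assumed trusted directories */
    out[n++] = "IFS= \t\n";            /* space, tab, newline */
    for (int i = 0; in && in[i]; i++) {
        if (strncmp(in[i], "TERM=", 5) != 0) continue;
        if (safe_term(in[i] + 5)) out[n++] = in[i];
        break;                         /* only the first TERM entry counts */
    }
    out[n] = NULL;
    return n;
}

/* Look up NAME in a scrubbed environment; NULL if absent. */
const char *env_get(const char *const env[], const char *name) {
    size_t len = strlen(name);
    for (int i = 0; env[i]; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return env[i] + len + 1;
    return NULL;
}

int main(void) {
    /* Constructed sample of a caller-controlled environment. */
    const char *hostile[] = { "PATH=.:/tmp", "IFS=/", "LD_PRELOAD=/tmp/x.so",
                              "TERM=`true`", NULL };
    const char *clean[MAX_ENV];
    scrub_env(hostile, clean);
    for (int i = 0; clean[i]; i++) printf("%s\n", clean[i]);
    return 0;   /* a real wrapper would execve() the helper with clean[] */
}
```

This covers only the environment issues; the race condition discussed in the quoted text is a separate matter that environment scrubbing does not address.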
