[966] in bugtraq
Re: SUID shell scripts, questions?
daemon@ATHENA.MIT.EDU (David A. Wagner)
Fri Feb 10 21:57:20 1995
From: "David A. Wagner" <dawagner@phoenix.Princeton.EDU>
To: elfchief@lupine.org (That Whispering Wolf...)
Date: Fri, 10 Feb 1995 21:07:54 -0500 (EST)
Cc: bugtraq@fc.net
In-Reply-To: <199502101901.AA21735@lupine.org> from "That Whispering Wolf..." at Feb 10, 95 02:01:38 pm
>
> SUID shell scripts are traditionally insecure in unix environments. [...]
> Also from my understanding, at least one Unix has solved this problem
> by making a /dev/fd filesystem, [...]
>
Using the /dev/fd fs would remove the race condition, but the race
isn't the only problem with setuid shell scripts.
Unless the shell script writer is *very* careful (is it possible to
be careful enough?), one can play around with PATH or IFS. If the
script calls any non-statically linked executables, I think one can
play around with LD_* variables on Suns.
Finally, I believe any setuid shell script written for csh is
irreparably broken: try
TERM='`/bin/echo + + >/.rhosts`' csh-script
There might be still more problems with setuid shell scripts which
I've forgotten; hopefully someone more knowledgeable than I will
point them out...
-------------------------------------------------------------------------------
David Wagner dawagner@princeton.edu
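Two checks a defender would want after reading the above, as an added example that is not part of the original message: a finder for setuid/setgid files that are interpreter scripts, and the sanitising prologue (PATH, IFS, LD_*) a privileged script should start with. Function names and the /bin:/usr/bin PATH are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post.

# List setuid/setgid regular files under DIR whose first two bytes are
# "#!", i.e. interpreter scripts carrying a privilege bit.
find_setuid_scripts() {
    dir="$1"
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # dd reads exactly the first two bytes without depending on head -c
        if [ "$(dd if="$f" bs=2 count=1 2>/dev/null)" = '#!' ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Prologue for a privileged script: reset every variable the post names
# (and a few related ones) to known values before doing anything else.
sanitize_env() {
    PATH='/bin:/usr/bin'; export PATH   # hypothetical safe PATH
    unset IFS                           # unset IFS => POSIX default splitting
    unset LD_LIBRARY_PATH LD_PRELOAD    # dynamic-loader overrides
    unset ENV BASH_ENV CDPATH           # shell startup-file and cd hooks
}

# Self-check: does the current environment look sanitised?
env_is_sane() {
    [ "$PATH" = '/bin:/usr/bin' ] || return 1
    [ -z "${LD_PRELOAD:-}" ] || return 1
    [ -z "${LD_LIBRARY_PATH:-}" ] || return 1
    return 0
}
```

Run find_setuid_scripts on / periodically; any hit is a candidate for replacement by a compiled wrapper or removal of the bit.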