minimize use of root account

Matthew Seaman matthew at FreeBSD.org
Sat Feb 20 09:42:26 UTC 2016


On 19/02/2016 21:11, Polytropon wrote:
>> I thought suid scripts were disabled years ago because they were a major
>> security loophole?

> You're right - it's the case.
> 
> % ll root_test.sh 
> -rwsr-sr-x  1 poly  poly  24 2016-02-19 19:25:20 root_test.sh*
> 
> % cat root_test.sh
> #!/bin/sh
> id -u
> whoami
> 
> % ./root_test.sh
> 2000
> poly
> 
> % sudo ./root_test.sh
> 0
> root
> 
> I think this is fully intended.

Although 'no setuid scripts' is pretty well embedded in the Unix psyche,
I was under the impression the underlying problem had been fixed some
time ago.

The problem with a setuid script is that there is a window of
opportunity between the system opening the script, parsing the #! line,
firing up the appropriate interpreter and having that *reopen* the
script to execute it -- if you can replace the script at just the right
time, you can get anything executed with root permissions.

This was solved, as I recall, by the system passing its already open
file descriptor on the original script to the interpreter.  That
requires the fdescfs pseudo-filesystem to be mounted, which populates
/dev/fd. You need the full fdescfs mounted -- devfs only gives you
file descriptor devices for stdin, stdout and stderr for a process, and
that's not enough.

Even so, irrespective of fdescfs being mounted or not, it seems setuid
scripts are still disallowed.

	Cheers,

	Matthew
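An added demonstration of the reopen window Matthew describes and why handing the interpreter /dev/fd/N closes it (constructed example code, not from the thread or from FreeBSD): the kernel's open of the script is simulated with a plain open(), the swap of the file at that name with rename(), and the two interpreter behaviours with a reopen by path versus a reopen through /dev/fd/N. It assumes /dev/fd is available (fdescfs on FreeBSD, the /proc-backed symlink on Linux) and a writable /tmp; the file names and script contents are made up for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define ORIGINAL "#!/bin/sh\necho original\n"   /* constructed sample script */
#define REPLACED "#!/bin/sh\necho replaced\n"   /* what gets swapped in by name */
char seen_by_name[128], seen_by_fd[128];       /* what each kind of reopen saw */

/* Create or truncate path and write content; 0 on success, -1 on error. */
int write_file(const char *path, const char *content) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, content, strlen(content));
    close(fd);
    return n == (ssize_t)strlen(content) ? 0 : -1;
}

/* Open path and read it from offset 0 into buf (NUL-terminated); bytes read or -1. */
ssize_t read_file(const char *path, char *buf, size_t size) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    lseek(fd, 0, SEEK_SET);   /* fdescfs returns a dup sharing the offset; start at 0 */
    ssize_t n = read(fd, buf, size - 1);
    close(fd);
    if (n >= 0) buf[n] = '\0';
    return n;
}

/* 1 if reopen-by-name sees the swapped file while /dev/fd/N still sees the one the
 * kernel opened; 0 if not; -1 on I/O error. */
int demo_reopen_window(const char *path) {
    char tmp[256], devfd[32];
    if (write_file(path, ORIGINAL) != 0) return -1;
    int fd = open(path, O_RDONLY);          /* 1: kernel opens script, parses #! */
    if (fd < 0) return -1;
    snprintf(tmp, sizeof tmp, "%s.new", path);
    if (write_file(tmp, REPLACED) != 0 || rename(tmp, path) != 0) { close(fd); return -1; }
    snprintf(devfd, sizeof devfd, "/dev/fd/%d", fd);   /* 2: name now points elsewhere */
    int ok = read_file(path, seen_by_name, sizeof seen_by_name) >= 0 &&   /* 3a: by name */
             read_file(devfd, seen_by_fd, sizeof seen_by_fd) >= 0;        /* 3b: by fd */
    close(fd);
    unlink(path);
    if (!ok) return -1;
    return strcmp(seen_by_name, REPLACED) == 0 && strcmp(seen_by_fd, ORIGINAL) == 0;
}
int main(void) {
    int r = demo_reopen_window("/tmp/suid_reopen_demo.sh");
    printf("by name:\n%sby /dev/fd:\n%s", seen_by_name, seen_by_fd);
    return r == 1 ? 0 : 1;
}
```

The by-name reopen reads whatever now sits at that path, which is exactly the window the post describes; the /dev/fd/N reopen reads the file the kernel already had open, so swapping the name no longer changes what the interpreter executes.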

