suid root - bash script

Thu Apr 23 13:22:43 IDT 2009

Hi Yedidyah,

See below

On Thu, Apr 23, 2009 at 12:34 PM, Yedidyah Bar-David
<linux-il at didi.bardavid.org> wrote:
> Hi Noam,
>
> On Thu, Apr 23, 2009 at 12:08:21PM +0300, Noam Rathaus wrote:
>> Hi Yedidyah,
>>
>> This "stupid" - in my opinion - restriction also applies to perl script.
>
> This is a free country, you know. You are entitled have your own
> opinion. As I exaplained below, the main problem with setuid scripts is
> irrespective of interpreter, be it /bin/sh, perl, or your own binary for
> whatever language you invented.
>
>>
>> And there they also recommend using a C program that will be setuid
>> that will run the  perl script.
>
> Indeed. Or use sudo (which is the same, only general).
>
>>
>> This is of course an over-complicated manner of doing things,
>
> I guess there are other ways to do this, but that's how it is in unix.
> As far as I know, Windows does not have something similar at all - if
> you want there to run some program as another user, you have to do much
> more than setuid it.

Windows has the Run As service which does something similar, its a bit
more.. complex, but it allows you to do what you mentioned. I am
skipping on Windows' ability to run Service as other users :)

>
>> not to
>> mention the fact that if this perl script or c program wrapper is then
>> called from Apache the restriction still applies and I haven't been
>> able to get around it.
>
> I did not understand what exact restriction you talk about, what you
> tried to achieve and what was the problem. If you want anyone to try and
> help you, please provide some more details.

My scenario is this:
1) Apache runs a perl (which needs to be setuid => it changes IP addresses, etc)
2) This perl needs to call another perl responsible for updating the
sytem => and managing that it works correctly
3) This perl runs several other Perl scripts that are also setuid as
they replace files

When apache tries to execute the perl's line which says:
system("/usr/local/bin/update.pl")

I get the setuid warning that I need to put a wrapper

I then did:
system("/usr/local/bin/update")

Where update

Just executes update.pl

Both update (written in C) and update.pl (written in perl) are setuid root.

I still get the warning

Thanks for the help.

>
> Best,
> --
> Didi
>
>> On Thu, Apr 23, 2009 at 11:54 AM, Yedidyah Bar-David
>> <linux-il at didi.bardavid.org> wrote:
>> > On Thu, Apr 23, 2009 at 11:31:38AM +0300, Shachar Shemesh wrote:
>> >>
>> >> Oron Peled wrote:
>> >>>
>> >>> There's a reason why the kernel does not respect suid/sgid bit on shell
>> >>> scripts -- It's because there are gazillions of ways a user can use
>> >>> this script to gain total root access.
>> >>>
>> >> Name two?
>> >
>> > The main famous one, inherent in the way scripts work, is that the
>> > kernel has to look at the first line of the script, run the interpreter
>> > mentioned there with the args provided, and this interpreter then runs,
>> > looks at the script, and decides what to do. Running the interpreter
>> > takes time, and so an attacker can make a symlink to it, run the
>> > symlink, and replace it immediately, and have a chance to make the
>> > interpreter run the attacker's version instead of the original. This is
>> > different from running a binary directly, where the kernel knows where
>> > it was and won't have to look again if you tried replacing a symlink to
>> > it.
>> >
>> >>>
>> >>> Maybe writing a wrapper suid program that totally sanitize
>> >>> both the environment and command line arguments before
>> >>> exec'ing the script would make it. Although I wouldn't bet
>> >>> on it since it only covers the obvious attack vectors against
>> >>> shell scripts.
>> >>>
>> >> Fine. Make the two cover these obvious vectors, one each.
>> >>
>> >> I have to say that I first heard about this restriction, I thought it
>> >> made a lot of sense. Since then, I have searched for these famed attack
>> >> vectors, and have come up short.
>> >
>> > Well, I now googled for 'setuid scripts security' and found this FAQ:
>> > http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html
>> > It also mentions other, more-specific issues.
>> >
>> >> Sure, if the script itself has security
>> >> holes, then a suid script will be vulnerable. As I'm sure you know well,
>> >> this is also true of C written code, however.
>> >
>> > Indeed, but there are some differences - usually, finding bugs in
>> > scripts is easier (especially if you do not have the sources for the
>> > C-coded binary), and in the past there used to be bugs in various
>> > interpreters of various OSes. The last point is hopefully less relevant
>> > today, but so are setuid-scripts (I think no modern unix respects
>> > these).
>> >
>> >>
>> >> So my question is: are there attack vectors against the following script?
>> >>
>> >> #!/bin/sh -e
>> >>
>> >> echo "Hello, cruel world"
>> > --
>> > Didi
>> >
>> >
>> > _______________________________________________
>> > Linux-il mailing list
>> > Linux-il at cs.huji.ac.il
>> > http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>> >
>> >
>
>