suid root - bash script
Yedidyah Bar-David
linux-il at didi.bardavid.org
Thu Apr 23 11:54:58 IDT 2009
On Thu, Apr 23, 2009 at 11:31:38AM +0300, Shachar Shemesh wrote:
>
> Oron Peled wrote:
>>
>> There's a reason why the kernel does not respect suid/sgid bit on shell
>> scripts -- It's because there are gazillions of ways a user can use
>> this script to gain total root access.
>>
> Name two?
The main famous one, inherent in the way scripts work, is that the
kernel has to look at the first line of the script, run the interpreter
mentioned there with the args provided, and this interpreter then runs,
looks at the script, and decides what to do. Running the interpreter
takes time, and so an attacker can make a symlink to it, run the
symlink, and replace it immediately, and have a chance to make the
interpreter run the attacker's version instead of the original. This is
different from running a binary directly, where the kernel knows where
it was and won't have to look again if you tried replacing a symlink to
it.
>>
>> Maybe writing a wrapper suid program that totally sanitize
>> both the environment and command line arguments before
>> exec'ing the script would make it. Although I wouldn't bet
>> on it since it only covers the obvious attack vectors against
>> shell scripts.
>>
> Fine. Make the two cover these obvious vectors, one each.
>
> I have to say that I first heard about this restriction, I thought it
> made a lot of sense. Since then, I have searched for these famed attack
> vectors, and have come up short.
Well, I now googled for 'setuid scripts security' and found this FAQ:
http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html
It also mentions other, more-specific issues.
> Sure, if the script itself has security
> holes, then a suid script will be vulnerable. As I'm sure you know well,
> this is also true of C written code, however.
Indeed, but there are some differences - usually, finding bugs in
scripts is easier (especially if you do not have the sources for the
C-coded binary), and in the past there used to be bugs in various
interpreters of various OSes. The last point is hopefully less relevant
today, but so are setuid-scripts (I think no modern unix respects
these).
>
> So my question is: are there attack vectors against the following script?
>
> #!/bin/sh -e
>
> echo "Hello, cruel world"
--
Didi
More information about the Linux-il
mailing list