Re: SUID permission on Bash script



RW wrote:
So are scripts actually incapable of running setuid?

They aren't on Linux. I learned about that a while back when I investigated setuid scripts for a coworker.

It's not that setuid shell scripts are really more inherently insecure than programs written in C. The problem is more that those who write such scripts tend not to observe the proper precautions.

For example if you don't set the PATH explicitly, and you don't give absolute pathnames to all the subprograms you run, then a trojan that has the same name as some standard program can get run as root.

If a program is going to be setuid at all, you really have to know what you're doing when you write it or else you'll find yourself opening a can of worms.

Mike
--
Michael David Crawford
mdc@xxxxxxxxx

prgmr.com - We Don't Assume You Are Stupid.

Xen-Powered Virtual Private Servers: http://prgmr.com/xen
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"



Relevant Pages

  • Re: CGI security on a shared web server (fwd)
    ... >> support setuid scripts ... I don't see why someone would suEXEC setuid perl scripts. ...
    (SecProg)
  • Re: setuid and secondary group on HPUX
    ... > I wrote a program which will setuid to a user and then run a script. ... > I start the program as root then setuid to user test, ... > scripts testll3. ... You need to account for the needed group permission by changing your setgid to ...
    (comp.sys.hp.hpux)
  • Re: SetUID shell/perl scripts.
    ... > freeBSD doesn't support setuid shell scripts. ... In FreeBSD, it is enabled and such scripts work. ... # chmod 511 /usr/bin/suidperl ...
    (FreeBSD-Security)
  • Re: [sh] How can function find invoking line # ?
    ... that support setuid bits on scripts (you could get a setuid ... script to run a ksh with escalated priviledges and have it run a ... on which systems are setuid scripts still possible? ...
    (comp.unix.shell)
  • Re: bash -p option doesnt work for me
    ... Most modern OSs do not allow setuid ... you appear to be right about Linux. ... say that "it doesn't allow setuid shell scripts", because, as your text ...
    (comp.unix.shell)