From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from minnie.tuhs.org (minnie.tuhs.org [45.79.103.53]) by inbox.vuxu.org (OpenSMTPD) with ESMTP id d03df20a for ; Tue, 6 Aug 2019 09:56:40 +0000 (UTC) Received: by minnie.tuhs.org (Postfix, from userid 112) id ABD459BA1D; Tue, 6 Aug 2019 19:56:39 +1000 (AEST) Received: from minnie.tuhs.org (localhost [127.0.0.1]) by minnie.tuhs.org (Postfix) with ESMTP id 8F06294BBB; Tue, 6 Aug 2019 19:56:11 +1000 (AEST) Received: by minnie.tuhs.org (Postfix, from userid 112) id 3E2C794BBB; Tue, 6 Aug 2019 19:55:49 +1000 (AEST) Received: from freefriends.org (freefriends.org [96.88.95.60]) by minnie.tuhs.org (Postfix) with ESMTPS id 969009491E for ; Tue, 6 Aug 2019 19:55:48 +1000 (AEST) X-Envelope-From: arnold@skeeve.com Received: from freefriends.org (freefriends.org [96.88.95.60]) by freefriends.org (8.14.7/8.14.7) with ESMTP id x769tjT6005805 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 6 Aug 2019 03:55:46 -0600 Received: (from arnold@localhost) by freefriends.org (8.14.7/8.14.7/Submit) id x769tjAv005804; Tue, 6 Aug 2019 03:55:45 -0600 From: arnold@skeeve.com Message-Id: <201908060955.x769tjAv005804@freefriends.org> X-Authentication-Warning: frenzy.freefriends.org: arnold set sender to arnold@skeeve.com using -f Date: Tue, 06 Aug 2019 03:55:45 -0600 To: tuhs@tuhs.org, jason-tuhs@shalott.net References: <1564954057.6926.for-standards-violators@oclsc.org> In-Reply-To: User-Agent: Heirloom mailx 12.5 7/5/10 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: Re: [TUHS] Set-uid shell scripts X-BeenThere: tuhs@minnie.tuhs.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: The Unix Heritage Society mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: tuhs-bounces@minnie.tuhs.org Sender: "TUHS" jason-tuhs@shalott.net wrote: > > A related problem is the inherent race condition: > > If you do > > ln -s /bin/setuidscript . > > ./setuidscript > > ./setuidscript is opened twice: once when the kernel > > reads it and finds #! as magic number and execs the > > interpreter, a second time when the interpreter opens > > ./setuidscript. If you meanwhile run something that > > swoops in in the background and replaces ./setuidscript > > with malicious instructions for the interpreter, you > > win. > > This was always described to me as the canonical reason why setuid > interpreted scripts were a security hole, irrespective of any specifics > in the shell or other interpreter. > > However, there's a workaround: use fdescfs. fdescfs allows the kernel to > open the script, and then pass the fdescfs path for the (already open) > descriptor to the interpreter as the command to run. I'm guessing by this you files like /dev/fd/42. > According to https://www.in-ulm.de/~mascheck/various/shebang/#setuid, this > is supported by many systems, including Solaris, several BSDs, and OSX > (with a sysctl). There's a historical disconnect here. Setuid scripts were disabled in the mid- to late 80s. /dev/fd didn't hit the commercial Unix world until SVR4 in 1989, and didn't get into the other systems you mention until even later. So yes, that might have worked, but the solution came along too late. Arnold