Re: Mounting PC Floppy Disks - Summary

From: Barry Shein (bzs@world.std.com)
Date: Fri Mar 27 1992 - 21:37:38 CST


From: Sjoerd Mullender <Sjoerd.Mullender@cwi.nl>
>Do not install these scripts. There is an inherent security risk in
>setuid shell scripts, whether they be for sh or for csh or for any
>other interpreter. Given a setuid script it is trivial to become root
>(if you know how) and there is nothing you can do to prevent that.
>Make a C program instead that does what the script is supposed to do.

There is an inherent security risk only from people who can login to
the system (or somehow otherwise run programs, though most other holes
make it hard to discover there's even such a script unless they know
it's there.)

It does little or nothing to help people break into your system if
they don't have an account (or, if they do, you have other serious
problems), so the opportunity is only open to people who can already
log into your system (or otherwise run arbitrary programs on your
system.)

If the machine is not used by random strangers likely to do hostile
things then it's probably not a major concern.

And even a C program has to be written with a good deal of care to be
secure running setuid (like refusing to open a file which is really a
symlink to a system file and carefully checking its path etc., I could
turn your system into cream cheese in a few minutes with a naively
written mount/unmount setuid C program.) So that's not good advice as
a throw-away line at all.

Sorry, but I see this advice given blindly all the time and it's
neither that simple nor really that good as it scares perfectly
honest, cooperative people on internal systems. Your co-workers could
rifle your desk and files, whisper scandals in your boss's ear about
you, but leave the possibility of their breaking into their own
desktop system....no, can't have that!

Anyhow, sorry, it just strikes me as oversimplified and possibly really
bad advice in some cases (what if everyone who uses the system knows
the root passwd anyhow? I have one system I help run that's like that,
but it's still convenient to have a few setuid scripts to do things
like this.)

Not everyone runs big, anonymous student systems or whatever where
there are guaranteed to be bad apples (actually, I run one of the
biggest and most anonymous unix systems on the planet, and no, I
wouldn't put a setuid script on it.)

I don't apologize for posting this, it's not a flame, it's my advice
from over 15 years of experience administering Unix systems. I think
it's reasonable though to counter what one sees as possibly bad or
ill-directed advice.

        -Barry Shein

Software Tool & Die | bzs@world.std.com | uunet!world!bzs
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
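The kind of care Barry describes for a setuid mount helper (refusing a mount point that is really a symlink, and checking the path itself), shown as an added example that is not code from the original post or from any real mount program: a C routine that accepts a user-supplied mount point only if it is an absolute path under an administrator-chosen directory, contains no "." or ".." components, resolves without passing through a symlink anywhere in it, and is a directory owned by the expected user and not world-writable. ALLOWED_PREFIX, the function and result-code names, and the temporary tree that demo() builds are assumptions for illustration.

```c
/* Added example (not from the original post or any real mount program):
 * argument checks of the kind a setuid mount helper needs. ALLOWED_PREFIX
 * and all names below are assumptions for illustration. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

#define ALLOWED_PREFIX "/mnt/floppy"   /* assumed site-chosen mount area */
enum { MP_OK = 0, MP_BAD_PATH, MP_NOT_CANONICAL, MP_NOT_DIR, MP_BAD_PERMS };

/* Lexical check: absolute, under prefix at a component boundary
 * ("/mnt/floppyx" fails), and no "." or ".." components that climb back out. */
int path_is_sane(const char *path, const char *prefix)
{
    size_t plen = strlen(prefix);
    const char *p = path;

    if (path == NULL || path[0] != '/' || strncmp(path, prefix, plen) != 0)
        return 0;
    if (path[plen] != '\0' && path[plen] != '/')
        return 0;
    while (*p != '\0') {
        const char *start;
        while (*p == '/')
            p++;
        for (start = p; *p != '\0' && *p != '/'; p++)
            ;
        if ((p - start == 1 && start[0] == '.') ||
            (p - start == 2 && start[0] == '.' && start[1] == '.'))
            return 0;
    }
    return 1;
}

/* Filesystem check. realpath() follows every symlink and strips "/./" and a
 * trailing "/" (a trailing "/" alone makes lstat() follow a link); if its
 * answer differs from what the user typed, some component was a link, so
 * refuse rather than guess. The final object must be a directory owned by
 * `owner` (0 for a real setuid helper) and not world-writable. */
int check_mount_point(const char *path, const char *prefix, uid_t owner)
{
    char resolved[PATH_MAX];
    struct stat st;

    if (!path_is_sane(path, prefix))
        return MP_BAD_PATH;
    if (realpath(path, resolved) == NULL || strcmp(resolved, path) != 0)
        return MP_NOT_CANONICAL;
    if (lstat(path, &st) != 0 || S_ISLNK(st.st_mode))  /* link planted since? */
        return MP_NOT_CANONICAL;
    if (!S_ISDIR(st.st_mode))
        return MP_NOT_DIR;
    if (st.st_uid != owner || (st.st_mode & S_IWOTH) != 0)
        return MP_BAD_PERMS;
    return MP_OK;
}

/* Self-test on a constructed temporary tree; it runs unprivileged, so
 * ownership is checked against our own uid. Returns 1 if every case is
 * classified as intended. */
int demo(void)
{
    char tmpl[] = "/tmp/setuid_demo_XXXXXX";
    char base[PATH_MAX], good[PATH_MAX], lnk[PATH_MAX], slash[PATH_MAX], loose[PATH_MAX];
    uid_t me = getuid();
    int ok;

    if (mkdtemp(tmpl) == NULL || realpath(tmpl, base) == NULL)
        return 0;
    snprintf(good, sizeof good, "%s/drive0", base);
    snprintf(lnk, sizeof lnk, "%s/drive1", base);
    snprintf(slash, sizeof slash, "%s/drive1/", base);
    snprintf(loose, sizeof loose, "%s/scratch", base);
    ok = mkdir(good, 0755) == 0
      && symlink("/etc", lnk) == 0                  /* "drive1" now points at /etc */
      && mkdir(loose, 0777) == 0 && chmod(loose, 0777) == 0;
    ok = ok
      && check_mount_point(good, base, me) == MP_OK
      && check_mount_point(lnk, base, me) == MP_NOT_CANONICAL
      && check_mount_point(slash, base, me) == MP_NOT_CANONICAL
      && check_mount_point(loose, base, me) == MP_BAD_PERMS
      && check_mount_point("/etc", base, me) == MP_BAD_PATH;
    unlink(lnk); rmdir(good); rmdir(loose); rmdir(base);
    return ok;
}

int main(int argc, char **argv)
{
    if (argc == 2)   /* e.g. ./helper /mnt/floppy/drive0 */
        return check_mount_point(argv[1], ALLOWED_PREFIX, 0);
    printf("self-test %s\n", demo() ? "passed" : "FAILED");
    return 0;
}
```

Two caveats a practitioner would add. First, these checks run before the privileged operation, and mount(2) takes a path rather than a descriptor, so a window remains between the lstat() and the mount in which a link could be swapped in; requiring the mount point to be owned by root (the `owner` argument) is what keeps an ordinary user from renaming it in that window, which is why that check matters more than it first appears. Second, none of this addresses the setuid-script problem the thread is about; it only shows that "write it in C instead" is not the end of the work.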



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:40 CDT