Bugtraq mailing list archives

Re: Setuid programs run from shell scripts?


From: ruf@SPi (Justin J. Lister)
Date: Sat, 19 Nov 1994 05:39:47 +1100 (EST)


Michael Neuman wrote:

This is a nice security feature, but is it a bug?

$ cat suid.c
#include <stdio.h>
int main(void) { printf("euid==%d ruid==%d\n", geteuid(), getuid()); return 0; }
$ ls -l suid
-rwsr-xr-x  1 root        24576 Nov  8 13:27 suid*
$ suid
euid==0 ruid==100
$ cat testscript2
#!/path_to_suid/suid
foo
$ testscript2
euid==100 ruid==100
------

Shouldn't suid run as root under the "script"?

(This is on SunOS 4.1.3_U1B)

Works as you expected on linux.

$ uname -a
Linux SPi 1.1.4 #3 Sat Jun 11 14:03:08 EST 1994 i486
$ id
uid=501(ruf) gid=100(users)
$ cat suid.c
#include <stdio.h>
int main(void){
  printf("uid[%d] euid[%d] : gid[%d] egid[%d]\n", getuid(), geteuid(), getgid(), getegid());
  return 0;
}
$ ls -l suid
-rwsr-sr-x   1 root     wheel       15971 Nov 19 05:24 suid
$ cat ts
#!suid
$ suid
uid[501] euid[0] : gid[100] egid[10]
$ ts
uid[501] euid[0] : gid[100] egid[10]

It appears this is due to race conditions, because when it is run traced:

$ strace ts
uselib("/lib/ld.so") = 0
stat("/etc/ld.so.cache", [dev 8 7 ino 59310 nlnks 1 ...]) = 0
open("/etc/ld.so.cache", RDONLY, 27777775004) = 3
mmap(0, 879, READ, SHARED, 3, 0) = 0x40000000
close(3) = 0
uselib("/lib/libc.so.4.5.19") = 0
munmap(0x40000000, , 879, ) = 0
munmap(0x62f00000, , 16384, ) = 0
brk(0) = 0x2000
getegid() = 100
getgid() = 100
geteuid() = 501
getuid() = 501
fstat(1, [dev 8 7 ino 73594 nlnks 1 ...]) = 0
brk(5000) = 0x5000
brk(6000) = 0x6000
ioctl(1, TCGETS, 0xbffff6ec) = 0
write(1, "uid[501] euid[501] : gid[100] eg".., 40uid[501] euid[501] : gid[100] egid[100]
) = 40
exit(40) = ?

-- 
+---------------------+--------------------------------------------------+
|  ____       ___     | Justin Lister                 ruf () cs uow edu au  |
| |    \\   /\ __\    |     Center for Computer Security Research        |
| | |) / \_/ / |_     | Dept. Computer Science      voice: 61-42-835-114 |
| |  _ \\   /| _/     | University of Wollongong      fax: 61-42-832-807 |
| |_/ \/ \_/ |_| (tm) |     Computer Security a utopian dream...         |
|                     |       Disclaimer: dreaming is at own risk        |
+---------------------+--------------------------------------------------+
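The same four-id check as the programs in the thread, extended into a small defensive interpreter (an added example, not code from either poster): it reports the ids, and when the kernel hands it a script path in argv[1] while a setuid/setgid bit is in effect, it drops back to the real ids before the script would be touched. The struct, the function names and the drop order are my own choices.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Credentials the process holds at the moment of the snapshot. */
struct creds {
    uid_t uid, euid;
    gid_t gid, egid;
};

struct creds get_creds(void) {
    struct creds c;
    c.uid = getuid();  c.euid = geteuid();
    c.gid = getgid();  c.egid = getegid();
    return c;
}

/* A setuid or setgid bit took effect iff an effective id differs from its real id. */
int creds_elevated(const struct creds *c) {
    return c->uid != c->euid || c->gid != c->egid;
}

/* Run as a #! interpreter, the kernel passes the script path as argv[1], a file
   the binary did not choose. Pure decision: drop privileges whenever we hold
   elevated ids and were handed such a script (testable with constructed argv). */
int must_drop_privs(int argc, char *const argv[], const struct creds *c) {
    return argc >= 2 && argv[1] != NULL && creds_elevated(c);
}

/* Give up any gain from the setuid/setgid bits for good. Group first: once the
   uid is unprivileged, changing the gid may no longer be allowed. Returns 0 on
   success, -1 if a call failed or the ids did not actually change. */
int drop_privs(const struct creds *c) {
    if (setgid(c->gid) != 0 || setuid(c->uid) != 0) return -1;
    if (getegid() != c->gid || geteuid() != c->uid) return -1;
    return 0;
}

int main(int argc, char *argv[]) {
    struct creds c = get_creds();
    printf("uid[%d] euid[%d] : gid[%d] egid[%d]\n",
           (int)c.uid, (int)c.euid, (int)c.gid, (int)c.egid);
    if (must_drop_privs(argc, argv, &c)) {
        if (drop_privs(&c) != 0) { perror("drop_privs"); return 1; }
        printf("interpreter for %s: privileges dropped\n", argv[1]);
    }
    return 0;
}
```

Installed setuid and named in a `#!` line, the binary prints the elevated ids once and then runs the rest of its work with the caller's own ids; run directly without a script argument it behaves like the original test program.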
