Bugtraq mailing list archives
Re: Setuid programs run from shell scripts?
From: ruf@SPi (Justin J. Lister)
Date: Sat, 19 Nov 1994 05:39:47 +1100 (EST)
"Michael Neuman wrote:"
This is a nice security feature, but is it a bug?
$ cat suid.c #include <stdio.h> main() { printf("euid==%d ruid==%d\n",geteuid(), getuid()); } $ ls -l suid -rwsr-xr-x 1 root 24576 Nov 8 13:27 suid* $ suid euid==0 ruid==100 $ cat testscript2 #!/path_to_suid/suid foo $ testscript2 euid==100 ruid==100 ------
Shouldn't suid run as root under the "script"?
(This is on SunOS 4.1.3_U1B)
Works as you expected on linux. $ uname -a Linux SPi 1.1.4 #3 Sat Jun 11 14:03:08 EST 1994 i486 $ id uid=501(ruf) gid=100(users) $ cat suid.c # include<stdio.h> void main(void){ printf("uid[%d] euid[%d] : gid[%d] egid[%d]\n",getuid(), geteuid(), getgid(), getegid()); } $ ls -l suid -rwsr-sr-x 1 root wheel 15971 Nov 19 05:24 suid $ cat ts #!suid $ suid uid[501] euid[0] : gid[100] egid[10] $ ts uid[501] euid[0] : gid[100] egid[10] It appears this is due to race conditions, because when it is run traced. $ strace ts uselib("/lib/ld.so") = 0 stat("/etc/ld.so.cache", [dev 8 7 ino 59310 nlnks 1 ...]) = 0 open("/etc/ld.so.cache", RDONLY, 27777775004) = 3 mmap(0, 879, READ, SHARED, 3, 0) = 0x40000000 close(3) = 0 uselib("/lib/libc.so.4.5.19") = 0 munmap(0x40000000, , 879, ) = 0 munmap(0x62f00000, , 16384, ) = 0 brk(0) = 0x2000 getegid() = 100 getgid() = 100 geteuid() = 501 getuid() = 501 fstat(1, [dev 8 7 ino 73594 nlnks 1 ...]) = 0 brk(5000) = 0x5000 brk(6000) = 0x6000 ioctl(1, TCGETS, 0xbffff6ec) = 0 write(1, "uid[501] euid[501] : gid[100] eg".., 40uid[501] euid[501] : gid[100] egid[100] ) = 40 exit(40) = ? -- +---------------------+--------------------------------------------------+ | ____ ___ | Justin Lister ruf () cs uow edu au | | | \\ /\ __\ | Center for Computer Security Research | | | |) / \_/ / |_ | Dept. Computer Science voice: 61-42-835-114 | | | _ \\ /| _/ | University of Wollongong fax: 61-42-832-807 | | |_/ \/ \_/ |_| (tm) | Computer Security a utopian dream... | | | Disclaimer: dreaming is at own risk | +---------------------+--------------------------------------------------+ -- +---------------------+--------------------------------------------------+ | ____ ___ | Justin Lister ruf () cs uow edu au | | | \\ /\ __\ | Center for Computer Security Research | | | |) / \_/ / |_ | Dept. Computer Science voice: 61-42-835-114 | | | _ \\ /| _/ | University of Wollongong fax: 61-42-832-807 | | |_/ \/ \_/ |_| (tm) | Computer Security a utopian dream... | | | Disclaimer: dreaming is at own risk | +---------------------+--------------------------------------------------+
Current thread:
- just bitten by the babbling talk's Eric Berggren (Nov 08)
- Re: just bitten by the babbling talk's Steinar Haug (Nov 09)
- /dev/ttyd crashes SunOS? Dave Horsfall (Nov 10)
- Re: /dev/ttyd crashes SunOS? Dave Horsfall (Nov 14)
- Setuid programs run from shell scripts? Michael Neuman (Nov 14)
- Re: Setuid programs run from shell scripts? Fred Blonder (Nov 15)
- Re: Setuid programs run from shell scripts? Quentin Fennessy (Nov 15)
- Re: Setuid programs run from shell scripts? Karl Strickland (Nov 16)
- Re: Setuid programs run from shell scripts? Julian Assange (Nov 17)
- Re: Setuid programs run from shell scripts? Justin J. Lister (Nov 18)
- archives Matthew Harding (Nov 25)
- archives of this list Matthew Harding (Nov 25)