Bugtraq mailing list archives
Re: Secuity hole with perl (suidperl) and nosuid mounts on Linux
From: jkb () BEST COM (Jan B. Koum)
Date: Fri, 15 Jan 1999 00:14:01 -0800
This WAAAY far from it been a news. In FreeBSD mount man page we can read: nosuid Do not allow set-user-identifier or set-group-identifier bits to take effect. Note: this option is worthless if a public available suid or sgid wrapper like suidperl(1) is installed on your system. This man page has been in public domain for a long time too. :) -- Yan On Thu, Jan 14, 1999 at 05:58:15PM +0000, Brian McCauley <B.A.McCauley () BHAM AC UK> wrote:
The following message is a courtesy copy of an article that has been posted to comp.os.linux.misc,comp.os.linux.development.system,comp.lang.perl.misc as well. The suid script emulation in Perl 5.0004_4 (as found in SuSE Linux 5.3 and doubtless other Linux distributions) fails to take account of the nosuid mount option on filesystems. This means that it is trivial for a resourceful user to hide a setuid perl script on a CD or floppy and then use it to become root. Many systems are (even by default) configured to allow users mount floppys and CDs nosuid. The most obvious fix to Perl for this would be (where available) to use fstatvfs() (as defined in SUSv2) to determine if the script is on a filesystem that is mounted with the nosuid option. Unfortunately fstatvfs() is not implemented in Linux (as of 2.2pre1). It would not be difficult to add the new system call. Indeed the existing fstatfs() implementation could simply be modified to implement fstatvfs() semantics and both syscalls could then point to the same code. This vulerability will exist in all Unicies that use a user-space implementation of suid-scripts and impelment a nosuid mount option in such a way that it does not modify the values returned by fstat(). It is worth noting that that other suid-aware script-interpreters will probalby also display this vulnerability on Linux because of the absense of fstatvfs(). -- \\ ( ) No male bovine | Email: B.A.McCauley () bham ac uk . _\\__[oo faeces from | Phones: +44 121 471 3789 (home) .__/ \\ /\@ /~) /~[ /\/[ | +44 121 627 2173 (voice) 2175 (fax) . l___\\ /~~) /~~[ / [ | PGP-fp: D7 03 2A 4B D8 3A 05 37... # ll l\\ ~~~~ ~ ~ ~ ~ | http://www.wcl.bham.ac.uk/~bam/ ###LL LL\\ (Brian McCauley) |
Current thread:
- test-cgi - Re: HTTP REQUEST METHOD flaw monti (Jan 13)
- Re: test-cgi - Re: HTTP REQUEST METHOD flaw Peter van Dijk (Jan 14)
- Re: test-cgi - Re: HTTP REQUEST METHOD flaw Peter van Dijk (Jan 15)
- Re: test-cgi - Re: HTTP REQUEST METHOD flaw Dr. Mudge (Jan 15)
- Secuity hole with perl (suidperl) and nosuid mounts on Linux Brian McCauley (Jan 14)
- Re: Secuity hole with perl (suidperl) and nosuid mounts on Linux Jan B. Koum (Jan 15)
- Re: Secuity hole with perl (suidperl) and nosuid mounts on Linux Ollivier Robert (Jan 18)
- Re: Secuity hole with perl (suidperl) and nosuid mounts on Linux Jarkko Hietaniemi (Jan 18)
- Re: Secuity hole with perl (suidperl) and nosuid mounts on Linux Jan B. Koum (Jan 15)
- Re: test-cgi - Re: HTTP REQUEST METHOD flaw Peter van Dijk (Jan 14)
- security hole in Maximizer Mike Jones (Jan 14)
- AW: test-cgi Adrian Dabrowski (Jan 14)