Weird behaviour with suid scripts on Solaris

Post by Fletcher Glen » Thu, 19 Feb 1998 04:00:00

I'm amazed that your script works at all.  AFAIK suid does not
extend the authority of the file owner to any programs called
by a script.  If it did, there would be one enormous security hole.
Think about what would happen if one of the called programs were
replaced with a malicious program.

--
                Fletcher Glenn

                To email: remove "notforspam" from my return address


> I have found a weird problem regarding suid scripts on Solaris
> (both 2.5.X and 2.6).  Basically, I have an suid executable
> that calls a csh script (yes, I know, csh is not a good shell
> for scripts, but I inherited this legacy application).  If the
> executable is installed with suid root, it works fine in csh
> as well as sh and ksh.  If the application that calls the
> shell script is installed with suid bin, it doesn't work at
> all.  If the application is installed with suid to a regular
> user, then it works fine for sh and ksh, but you get a "csh:
> Permission denied" error with csh.

> Below is a uuencoded, compressed tar file that contains a
> sample C program, some scripts, and a detailed README file
> to reproduce the problem.  Has anyone seen this before?  Is
> it a bug or a feature?  BTW, this works just fine on SunOS
> 4.1.X (where our application currently runs).

> Alfred

>                     Name: suid_test.tar.Z
>       Part 1.2      Type: Compressed Data (application/x-compress)
>                 Encoding: x-uuencode

> --
> +------------------------------------------------------------+
> | Phone: H: 978.448.6214, W: 508.490.6306, fax: 508.460.2888  \
> |  Mail: Alfred von Campe, 402 Lowell Road, Groton, MA 01450   \

> +----------------------------------+-----------------------------+
> | Why is common sense so uncommon? | I'd rather be flying N4381Q |
> +----------------------------------+-----------------------------+

Post by Casper H.S. Dik - Network Security Engine » Fri, 20 Feb 1998 04:00:00

[[ PLEASE DON'T SEND ME EMAIL COPIES OF POSTINGS ]]

>I have found a weird problem regarding suid scripts on Solaris
>(both 2.5.X and 2.6).  Basically, I have an suid executable
>that calls a csh script (yes, I know, csh is not a good shell
>for scripts, but I inherited this legacy application).  If the
>executable is installed with suid root, it works fine in csh
>as well as sh and ksh.  If the application that calls the
>shell script is installed with suid bin, it doesn't work at
>all.  If the application is installed with suid to a regular
>user, then it works fine for sh and ksh, but you get a "csh:
>Permission denied" error with csh.

Don't use C-shell scripts in conjunction with set-uidness.

e.g., try
        setenv TERM '`/bin/sh -p>&/dev/tty</dev/tty`'

and see what happens when the C-shell gets invoked.

Your use of system() is buggy too.

Anyway, here's an explanation of the differences between SunOS 4.x
and Solaris 2.x in what you see:

First, we see the C program has:

                 setuid(geteuid());

In 4.x this sets the effective and real uid to the same value [euid].
In 2.x, this sets the *effective* uid to the specified value, except when
the user is root in which case the real uid is set that uid too.

So we have: 4.x: euid = uid = (root, bin, whatever)
            2.x: euid = uid = root; or euid = (bin, whatever), uid = invoker

Now, the system() call works differently too because of how /bin/sh works.

If /bin/sh is called with euid != uid and euid <= 100, the euid is reset
to the uid.

So when you invoke as user bin, the shell scripts will run as the user;
and that's a good thing, since system() is such a security problem.

Now, 3rd case, uid > 100, causes the ksh/sh script to run as the user
but csh prints "Permission denied" because that's what Csh does when
it is confronted with euid != uid.

Your code is in need of a great rewrite; it's fraught with security problems.

Casper

--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.

Post by Alfred von Cam » Fri, 20 Feb 1998 04:00:00

|>Don't use C-shell scripts in conjunctions with set-uidness.

I agree with you 100%.  Actually, I would go as far as saying
don't use C-shell scripts at all -- use sh or ksh or better yet
Perl.  However, these csh scripts are part of the legacy code
I inherited and I don't want to rewrite them if I don't have
to (there are 30+ scripts in all).

|>Anyway, here's an explanation of the differences between SunOS 4.x
|>and Solaris 2.x in what you see:

I think I understand your explanation, but it will take a little
more digesting and reading of the man page(s) to make sure I have
grok'ed it.

|>Your code is in need of a great rewrite; it's fraught with security problems.

I'm not worried about the security problems, since the suid
programs which call the csh scripts (and there is one program
for each csh script) are called by another program, and there
is a secret token passed between the two (it wouldn't be hard
to defeat this, but our users are not that sophisticated).  

All we are trying to do is to have a repository where all our
design data is saved, and the directories are only writable by
one particular uid.  Ergo the need for our suid mechanism.

Is there a way to rewrite our program so that csh is not
confused by the uid/euid settings?  Maybe the answer lies
in the man pages which I have just lpr'ed...

Alfred

Post by Casper H.S. Dik - Network Security Engine » Fri, 20 Feb 1998 04:00:00

[[ PLEASE DON'T SEND ME EMAIL COPIES OF POSTINGS ]]

>I'm not worried about the security problems, since the suid
>programs which call the csh scripts (and there is one program
>for each csh script) are called by another program, and there
>is a secret token passed between the two (it wouldn't be hard
>to defeat this, but our users are not that sophisticated).  

Are you cleaning the environment before calling the C-shell scripts?

>Is there a way to rewrite our program so that csh is not
>confused by the uid/euid settings?  Maybe the answer lies
>in the man pages which I have just lpr'ed...

Cop-out solution (good only for 2.5+) is using setreuid(geteuid(),geteuid())
which will set the uids you want.

Or use csh -b (or was that -p) (and sh -p or -b)

Casper
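
Casper's two replies above (clean the environment, don't go through system(), make the uids match with setreuid()) put together as an added example. This is not Alfred's wrapper, which the thread describes but never shows; the script path, the allow-list of forwarded variables and the sample environment are assumptions. The wrapper sets the real uid equal to the effective uid, rebuilds the environment from an allow-list instead of inheriting the caller's, and starts the script with execve() rather than via sh -c:

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Hypothetical script path; the poster's real paths are not on the page. */
#define SCRIPT "/opt/legacy/bin/save_design.csh"

/* The wrapper the thread describes did roughly
 *     setuid(geteuid());
 *     system("/path/to/script");
 * i.e. it handed the caller's TERM, IFS, PATH, LD_* ... to sh -c, which is
 * exactly what Casper's TERM payload abuses.  Below is the hardened form. */

/* Allow-list of variables forwarded to the script (an assumption).  Everything
 * else is dropped, including TERM, IFS, PATH and the dynamic-loader variables. */
static const char *const keep[] = { "HOME", "USER", "LOGNAME", "TZ", NULL };

/* Is `var` NAME=... for a NAME in `keep`, with no embedded newline? */
static int allowed(const char *var) {
    const char *eq = strchr(var, '=');
    if (eq == NULL || strchr(var, '\n') != NULL) return 0;
    for (const char *const *k = keep; *k; k++)
        if ((size_t)(eq - var) == strlen(*k) && strncmp(var, *k, eq - var) == 0) return 1;
    return 0;
}

/* Build a fresh NULL-terminated environment: a fixed PATH plus the
 * allow-listed entries of `env`.  Caller owns the result; NULL on OOM. */
char **build_clean_env(char *const *env) {
    size_t n = 0, k = 0;
    for (char *const *p = env; *p; p++) n++;
    char **out = calloc(n + 2, sizeof *out);          /* PATH + n entries + NULL */
    if (out == NULL) return NULL;
    if ((out[k++] = strdup("PATH=/usr/bin:/bin")) == NULL) goto fail;
    for (char *const *p = env; *p; p++)
        if (allowed(*p) && (out[k++] = strdup(*p)) == NULL) goto fail;
    out[k] = NULL;
    return out;
fail:
    for (size_t i = 0; i < k; i++) free(out[i]);
    free(out);
    return NULL;
}

/* 1 if NAME is present in env, else 0. */
int env_has(char *const *env, const char *name) {
    size_t len = strlen(name);
    for (char *const *p = env; *p; p++)
        if (strncmp(*p, name, len) == 0 && (*p)[len] == '=') return 1;
    return 0;
}

/* Number of entries in env. */
size_t env_len(char *const *env) {
    size_t n = 0;
    while (env[n]) n++;
    return n;
}

/* setreuid(geteuid(), geteuid()), as Casper suggests for 2.5+: afterwards
 * uid == euid, so neither sh nor csh sees the mismatch.  Unprivileged, with
 * uid already equal to euid, this is a permitted no-op, so the dry run works. */
int make_uids_match(void) {
    uid_t e = geteuid();
    if (setreuid(e, e) != 0) return -1;
    return (getuid() == e && geteuid() == e) ? 0 : -1;
}

/* Constructed sample environment (not captured from a real system). */
static char *const sample_env[] = {
    "TERM=`/bin/sh -p>&/dev/tty</dev/tty`",          /* Casper's payload */
    "IFS= ",
    "PATH=/tmp/evil:/usr/bin",
    "LD_PRELOAD=/tmp/hook.so",
    "HOME=/home/alfred",
    "USER=alfred",
    NULL,
};

/* Filter the constructed sample; lets the allow-list be checked without root. */
char **clean_sample(void) { return build_clean_env(sample_env); }

int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "--show") == 0) {  /* dry run: print the filtered sample */
        char **env = clean_sample();
        for (char **p = env; p && *p; p++) puts(*p);
        return 0;
    }
    if (make_uids_match() != 0) { perror("setreuid"); return 1; }
    char **env = build_clean_env(environ);
    if (env == NULL) { perror("build_clean_env"); return 1; }
    char *const script_argv[] = { SCRIPT, NULL };
    execve(SCRIPT, script_argv, env);                  /* no sh -c, no inherited environment */
    perror("execve");
    return 1;
}
```

Run as `./wrapper --show` it only prints the filtered sample environment (PATH, HOME, USER; the TERM, IFS, PATH and LD_PRELOAD entries are gone), so it works without the set-uid bit. Installed set-uid, the script it starts still needs `#!/bin/csh -fb` (Alfred's eventual fix: -f skips .cshrc, -b stops csh from reading further arguments as options, which csh requires before it will run a set-uid script). The wrapper closes the environment and system() holes Casper named; it does not remove his underlying objection to set-uid csh scripts.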

 
 
 

Post by Michael R. Batchelo » Sat, 21 Feb 1998 04:00:00

> I'm not worried about the security problems, since the suid
> programs which call the csh scripts (and there is one program
> for each csh script) are called by another program, and there
> is a secret token passed between the two (it wouldn't be hard
> to defeat this, but our users are not that sophisticated).  

I hate to butt in, but never, ever, ever rely on user ignorance as a
security measure. People are generally not stupid. You can rely on
interpersonal working relationships and mutual trust if you want to. I've
been in places where that works beautifully, but don't rely on ignorance.

Post by BRANDON WILLIAM HU » Sat, 21 Feb 1998 04:00:00

: I hate to butt in, but never, ever, ever rely on user ignorance as a
: security measure. People are generally not stupid. You can rely on

On the contrary, people are typically quite stupid.  They're just moderately
clever at figuring out means of doing so.

You can count on someone to eventually figure out any "security through
obscurity" measure, but you can equally count on them to NOT consider the
thought "Wow, if I exploit this, I could REALLY get in trouble".  :)

--
|   Brandon Hume aka "Hurricane" - hume at ug.cs.dal.ca & isisnet.com   |
|          "What was your username again?  *Clickity-click*"            |

Post by Alfred von Cam » Sat, 21 Feb 1998 04:00:00

|>Or use csh -b (or was that -p) (and sh -p or -b)

Using "#!/bin/csh -fb" as the first line of our scripts works just
fine for our purposes.  Thanks for the hint, and for the pointer to
setreuid(), as well as the explanation of the different behaviors
between SunOS 4.X and Solaris 2.X in regards to suid.

Alfred

1. Weird shell script behaviour

Hi there

I have a strange problem with a shell script I'm writing that should
read the contents of all *.job files in a directory ...

A *.job file typically looks like this:

PRINTER test
FILE 1.pdf
FILE 2.pdf
FILE 3.pdf
FILE 4.pdf
FILE 5.pdf
FILE 7.pdf
FILE 9.pdf
ENDOFBATCH

When I run the script as shown below, it never gets to read the 2nd
word of each line (and that's the part that I'm interested in the
most). A colleague of mine suggested to add the line 'IFS= ' just
above 'for f in $(cat $i)', but when I do this, the script reads the
2nd column fine, but never gets in the FILE* part of the case.

Does anyone have a clue what I'm missing here?

#!/bin/ksh
for i in $(ls -t *.job)
do
        for f in $(cat $i)
        do
                secondfield=$(echo $f|cut -f2 -d' ')
                case $f in
                        PRINTER*)
                                echo "printer name is " $secondfield
                                ;;
                        FILE*)
                                echo "file name is " $secondfield
                                ;;
                        ENDOFBATCH)
                                echo "this is the last line of the file"
                                ;;
                esac
        done
done
