perl5: no /dev/fd -> insecure #! ?

Post by Mathias Koerb » Fri, 28 Oct 1994 12:44:08





| ) Hi, I am just trying to compile perl5.000 on my linux box (Slackware 1.2),
| ) and Configure guesses that setuid #! scripts  are not secure, with the
| ) reasoning that the /dev/fd directory is missing???
| )
| ) I might be ignorant, but what does /dev/fd have to do with #! scripts?

| So, how do you think SUID scripts became secure?

| ) any enlightenment anywhere?

| Did you read this part of the code in Configure?
| Yeah, I know, when dist makes Configure it doesn't
| include any of the comments.

| SUID shell scripts are insecure on systems where
|    
|     $ head -1 hole
|     #!/bin/sh
|     $ ./hole

| results in something like

|     $ /bin/sh ./hole

| (but with a different UID).

| The kernel sees that "./hole" is SUID but by
| the time /bin/sh gets into memory and looks
| up "./hole" it could have been replaced, via
| mv, by some other code (and so "./hole" isn't
| SUID anymore but /bin/sh doesn't recheck this).

| As far as I know (having Configure test for
| secure SUID scripts is brand new), kernels
| with not-known-to-be-insecure (I won't say
| "secure") SUID scripts do something more like:

|     $ exec 3<./hole
|     Check if opened file is SUID, if so
|     $ /bin/sh /dev/fd/3

| so that we know that the file tested for SUID
| and the script /bin/sh opens are really the
| same [since opening /dev/fd/3 just dup()s the
| already-open file descriptor 3].

| If you would like the message reworded somehow,
| please offer any suggestions you have.

Ah, one never stops learning. Now I wonder. Since my Linux doesn't
have /dev/fd, it has no secure SUID #!?

Linus?

| ---

|              Nothing is obvious unless you are overlooking something

--
Mathias Koerber                                      Tel: +65 / 778 00 66 x 29
SW International Systems Pte Ltd                          Fax: +65 / 777 94 01

S'pore 0511       <A HREF=http://www.swi.com.sg/public/personal/mk.html>MK</A>
        The Vatican has the highest population of popes:        5.2 / m^2

 
 
 

Post by Fergus Henders » Tue, 01 Nov 1994 04:45:18



>Ah, one never stops learning. Now I wonder. Since my Linux doesn't
>have /dev/fd, it has no secure SUID #!?

Linux does have the equivalent of /dev/fd, except it is called /proc/self/fd.
You can add a symlink if you want.

Linux doesn't have secure setuid scripts, instead it does not honour
the setuid bit on scripts.  I have an old patch (against 0.99.6 or
thereabouts) which adds support for secure setuid scripts via /proc/self/fd,
if anyone wants it.

--
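The check-then-open gap discussed in this thread, as an added example that is not part of either post: it checks a file by path and by open descriptor, renames another file over the path, and reports whether the file opened afterwards is the one that was checked. The function name, the helper `touch` and the temporary file names are hypothetical; the sample files are constructed, and the code falls back to /proc/self/fd where /dev/fd is absent.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Create an empty constructed sample file; returns 0 on success. */
static int touch(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0700);
    return fd < 0 ? -1 : close(fd);
}

/* Returns 1 if the checked file is the file later opened, 0 if a rename in
 * between swapped it, -1 on error. by_fd=0: check the path, reopen the path.
 * by_fd=1: open once, check the descriptor, reopen via /dev/fd/N. */
int checked_file_is_used_file(int by_fd)
{
    char dir[] = "/tmp/fdbindXXXXXX", hole[64], other[64], ref[64];
    const char *fds = access("/dev/fd", F_OK) == 0 ? "/dev/fd" : "/proc/self/fd";
    struct stat checked, used;
    int fd = -1, fd2 = -1, same = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(hole, sizeof hole, "%s/hole", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    if (touch(hole) || touch(other)) goto out;
    if (by_fd) {
        if ((fd = open(hole, O_RDONLY)) < 0 || fstat(fd, &checked)) goto out;
        snprintf(ref, sizeof ref, "%s/%d", fds, fd);
    } else {
        if (stat(hole, &checked)) goto out;   /* mode bits would be tested here */
        snprintf(ref, sizeof ref, "%s", hole);
    }
    if (rename(other, hole)) goto out;        /* the "mv" from the post */
    if ((fd2 = open(ref, O_RDONLY)) < 0 || fstat(fd2, &used)) goto out;
    same = checked.st_dev == used.st_dev && checked.st_ino == used.st_ino;
out:
    if (fd >= 0) close(fd);
    if (fd2 >= 0) close(fd2);
    unlink(hole); unlink(other); rmdir(dir);
    return same;
}

int main(void)
{
    printf("path check:       same file = %d\n", checked_file_is_used_file(0));
    printf("descriptor check: same file = %d\n", checked_file_is_used_file(1));
    return 0;
}
```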


 
 
 
