>Hello, netters, I have some concerns about security that I would like
>addressed.
>My program is a setuid program (chmod 4755, but not root owned)...
> Did I open any security holes with this approach?
...
You've opened up the ID that program is owned by. If that ID is 'daemon'
or bin, you've most likely opened up the system (who owns /etc on your
machine, for example).
Attached to this message is a list of items to do when writing setuid
programs. The list is adapted from: "How To Write a Setuid Program",
Matt Bishop, ;login:, Vol. 12, No. 1, Jan/Feb, 1987. A longer version is
available: RIACS TR 85.6, NASA Ames Research Center, Moffett Field, CA
94035. Versions appear in various UNIX security books:
1. Isolate code which needs to be run setuid or setgid in a separate
executable or function when possible.
2. Reset userid and groupid to that of the person running the program as soon
as possible.
3. Be as restrictive as possible in selecting the UID and GID.
4. Reset effective UID and GID and close all unnecessary file descriptors
before calling exec, popen, system and any other command that invokes
another process.
5. Carefully validate any user supplied arguments to exec, system or
popen.
6. Make no assumptions about environment variables. At a minimum, verify
or override PATH, IFS and SHELL. In some versions of UNIX, overriding
environment variables for shared libraries such as LD_LIBRARY_PATH and
LD_PRELOAD on SUN is also necessary.
7. It is not safe to use creat or functions that use creat for locking.
8. Catch ALL signals except SIGKILL and SIGCLD.
9. Check all function returns for errors and abort execution if necessary.
10. Programs interrupted during file creation can leave a file owned by
the effective user rather than the real user. A creat followed by a chown
is not 100% safe.
11. Strip the program and install it with other mode "1" so strings cannot
be used on it.
12. Consider logging program name, real uid, tty and time executed.
--
Alchemical Engineer and Virtual Realist