KSH: Help sought getting wrapper code to work in set-uid mode

KSH: Help sought getting wrapper code to work in set-uid mode

Post by lvir.. » Thu, 01 Apr 2004 01:44:19



A local wrapper application has started to fail.  I am trying to figure out
how to get it to work again.

The wrapper is designed to provide a cross platform layer.  The code
takes a look at uname's output, then constructs a pathname to the real
application, based on the output of uname.

It then does an
exec $newpath $arguments
type invocation to the appropriate application.

What we are seeing is that this works fine when invoked from normal scripts.
But if the script that invokes the wrapper is setuid, the effective
userid is being lost.

The peculiar thing is that this wrapper has not been modified for more
than 4 months.  It has been working daily.  The ksh that it uses hasn't
been changed for a year.

But in the past week or two, we started getting errors indicating that
the set-uid case was losing the different effective user-id.
If we change the script to skip the wrapper, and invoke the architecture
specific binary directly, things work just fine.  It would just mean
that we would have to expand the number of scripts we have - one for
each platform.

Is anyone familar with what kinds of conditions might cause ksh to throw
away set-uid bits - or at least what kinds of things I need to do in a ksh
script to ensure that the effective and real user-id gets passed along
to the binary being exec'd ?
--
<URL: http://wiki.tcl.tk/ > In God we trust.
Even if explicitly stated to the contrary, nothing in this posting
should be construed as representing my employer's opinions.

 
 
 

KSH: Help sought getting wrapper code to work in set-uid mode

Post by Heiner Steve » Sun, 04 Apr 2004 04:39:03



> A local wrapper application has started to fail.  I am trying to figure out
> how to get it to work again.

[...]
Quote:> What we are seeing is that this works fine when invoked from normal scripts.
> But if the script that invokes the wrapper is setuid, the effective
> userid is being lost.

[...]

Does the wrapper script start with the line

     #! /bin/ksh -p

or

     #! /usr/bin/ksh -p

? At least Solaris requires the option "-p", otherwise
the script will not honour the setuid bit.

Heiner
--
  ___ _

\__ \  _/ -_) V / -_) ' \    Shell Script Programmers: visit
|___/\__\___|\_/\___|_||_|   http://www.shelldorado.com/

 
 
 

KSH: Help sought getting wrapper code to work in set-uid mode

Post by lvir.. » Sun, 04 Apr 2004 20:04:50



:? At least Solaris requires the option "-p", otherwise
:the script will not honour the setuid bit.

Here's the chain of how things work.

Top level:

setuid script with #! /path/to/special perl wrapper
special perl wrapper with normal permissions and #! /bin/ksh
        which sets up paths and then calls binary perl file

--
<URL: http://wiki.tcl.tk/ > In God we trust.
Even if explicitly stated to the contrary, nothing in this posting
should be construed as representing my employer's opinions.

 
 
 

1. set-uid wrapper in C

A while back I read somewhere that when you write a C program to
function as a set-uid wrapper around a command, you should use
execl() rather than system().  Apparently there is some security
risk inherent in the use of system().

Could someone elaborate on just what this is?  My reason isn't
to try and exploit any such hole, but to be able to explain
to my colleage why I'm using execl() rather than system() when
system() is actually easier to implement (because it allows
me to do more than one thing in the program without having
to fork(), etc..   i.e. with system() I could just have a
series of system() calls to do the things I want to do.

Thanks in advance.
Bill

--
These are my opinions, not those of my employer.

2. Lexmark Z11 problems

3. suidcgi - a set UID wrapper for CGI scripts.

4. can't connect to localhost for news using Leafnode

5. set uid with a c wrapper confusion

6. Question: does alpha have HALT mode to reduce power consumption ?

7. SET-UID not working?

8. virtual host kills robot

9. setuid help on 2.6; can't set UID and EUID not working!

10. Help sought getting man to work

11. Need Help on setting up getty for dial-ins

12. set UID , doesn't work ?

13. Set user id (uid) on execute in chmod not working?