Bugtraq mailing list archives
Re: setuid scripts in SunOS 4.1.x
From: karl () bagpuss demon co uk (Karl Strickland)
Date: Sat, 24 Sep 1994 15:40:33 +0100 (BST)
The best solution is to make sure you don't have suid shell scripts. Cops does a fine job in finding them for you, so does:

    find / \( -type d -fstype nfs -prune \) -o -type f \( -perm -4001 -o -perm -4010 -o -perm -4100 -o -perm -2100 -o -perm -2010 -o -perm -2001 \)

If I remember correctly SunOS 4.1.x is just one of those UNIX systems that allows suid shell scripts. I don't think this will be 'fixed'. But you can always try to mail security-alert () Sun COM.

Of course you can always mount your filesystems `nosuid'.

The "correct" thing to do is to patch kern_exec.c (kern_exec.o). This is nontrivial if you don't have source. It's trivial if you do (I don't). No one has done this publicly as of yet.

Thinking about it, I wonder if the BSD kern_exec is "good enough". If so, perhaps it could be substituted. Anyone? (Casper?)

It's not trivial, I think there are a lot of subtle differences. I understand SunOS 4.1.x's kern_exec.o is based on the BSD 4.3 version (@(#)kern_exec.c 7.1 (Berkeley) 6/5/86) but a lot must have changed for SunOS. E.g.:

1. BSD 4.3 uses inodes for pathname lookups/file access; SunOS uses vnodes. Their corresponding different operations (e.g. rdwri() & vn_rdwr()) have different interfaces. [Maybe one of the later 4.3BSD's (reno?) which incorporate vnodes might be easier to start from..]

2. BSD 4.3 pathname lookups use namei(), SunOS uses pn_get() & lookuppn().

3. BSD 4.3 has no concept of 'nosuid' mounted filesystems.

4. On SunOS, the exdata struct is part of the user struct, on BSD 4.3 it's just local to execve(), and - just to make it more fun :) - all the corresponding field names are different.

5. SunOS execve() must have support for other SunOS specific bits that BSD 4.3 doesn't have, like support for trace(1), asynch io & fcntl(2) style record locks.

etc etc etc.

In short I don't think it could be attempted without access to SunOS source - and obviously the people with access have no reason to attempt it! Maybe if enough people scream Sun will put out a patched kern_exec.o, or at least allow someone else to do it.

------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               | Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl () bagpuss demon co uk
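
A defender's check for the condition discussed in this thread, as an added example that is not part of the original post: the quoted find command lists executable files with the setuid or setgid bit, while this sketch narrows the result to those that begin with `#!`, i.e. interpreter scripts. The function name `scan_setid_scripts`, its `report`/`strip` actions and the use of `-xdev` are assumptions of the example.

```sh
#!/bin/sh
# Added example: locate setuid/setgid files that are interpreter scripts.
# A file is treated as a script when its first two bytes are "#!".

# scan_setid_scripts ACTION [ROOT]
#   ACTION=report  print "path<TAB>interpreter line" for each hit
#   ACTION=strip   print the same, then clear the setuid/setgid bits
scan_setid_scripts() {
    action=$1
    root=${2:-/}
    # -xdev keeps find on ROOT's own filesystem (assumption: used here in
    # place of the NFS prune in the quoted command; run once per local fs).
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec sh -c '
            action=$1; shift
            for f in "$@"; do
                # Read only the two magic bytes; unreadable files yield "".
                magic=$(dd if="$f" bs=2 count=1 2>/dev/null)
                if [ "$magic" = "#!" ]; then
                    printf "%s\t%s\n" "$f" "$(sed -n 1p "$f")"
                    if [ "$action" = strip ]; then chmod ug-s "$f"; fi
                fi
            done
        ' sh "$action" {} +
}
```

Run `scan_setid_scripts report /` as root so that unreadable files are not skipped; `strip` changes file modes and is best used after reviewing the report.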