Bugtraq mailing list archives

Re: SUID shell scripts, questions?

From: carson () lehman com (Carson Gaspar)
Date: Sat, 11 Feb 1995 18:38:00 -0500 (EST)


On Fri, 10 Feb 1995, Greg Woods wrote:

Or you can just create a symlink to a setuid script called "-i". Guess
what happens when the system executes "sh -i"? Don't even need the
race condition. And even without this, you could always overwrite the
SAME file with something new, so the fd doesn't change.


Attack #1 (symlink -i) fails under solaris.  The shell is invoked as:
/bin/sh /dev/fd/xxx

Attack #2 is only possible if you're dumb enough to leave a setuid 
program world-writeable.

--
Carson Gaspar -- carson () cs columbia edu carson () lehman com
<This is the boring business .sig - no outre sayings here>

Current thread:

SUID shell scripts, questions? That Whispering Wolf... (Feb 10)
- Re: SUID shell scripts, questions? Adam Shostack (Feb 10)
- Re: SUID shell scripts, questions? Greg Woods (Feb 10)
  - Re: SUID shell scripts, questions? Carson Gaspar (Feb 11)
  - Re: SUID shell scripts, questions? Fred Blonder (Feb 13)
  - IFS Dave Williss (Feb 13)
    - Re: IFS Karl Strickland (Feb 13)
    - Re: IFS Jas (Feb 13)
    - Re: IFS Paul Robinson (Feb 14)
    - Re: IFS David Barr (Feb 15)
    - Re: IFS Julian Assange (Feb 15)
    - Re: IFS Nate Sammons - CVL System Admin (Feb 15)
- Re: SUID shell scripts, questions? David A. Wagner (Feb 10)
  - Re: SUID shell scripts, questions? Peter Wemm (Feb 11)

(Thread continues...)