Bugtraq mailing list archives

Re: setuid scripts in SunOS 4.1.x


From: karl () bagpuss demon co uk (Karl Strickland)
Date: Sat, 24 Sep 1994 15:40:33 +0100 (BST)



The best solution is to make sure you don't have suid shell scripts.
COPS does a fine job of finding them for you; so does:

# setuid or setgid regular files with any execute bit set, skipping NFS mounts
find / \( -type d -fstype nfs -prune \) -o -type f \( -perm -4001 -o -perm -4010 \
    -o -perm -4100 -o -perm -2100 -o -perm -2010 -o -perm -2001 \) -print

If I remember correctly SunOS 4.1.x is just one of those UNIX systems that
allows suid shell scripts. I don't think this will be 'fixed'.
But you can always try to mail security-alert () Sun COM.


Of course you can always mount your filesystems `nosuid'.

The "correct" thing to do is to patch kern_exec.c (kern_exec.o).
This is nontrivial if you don't have source. It's trivial
if you do (I don't). No one has done this publicly as of yet.

Thinking about it, I wonder if the BSD kern_exec is "good enough".
If so, perhaps it could be substituted. Anyone? (Casper?)

It's not trivial; I think there are a lot of subtle differences.  I understand
SunOS 4.1.x's kern_exec.o is based on the BSD 4.3 version (@(#)kern_exec.c
7.1 (Berkeley) 6/5/86) but a lot must have changed for SunOS.  E.g.:

        1. BSD 4.3 uses inodes for pathname lookups/file access;
           SunOS uses vnodes.  Their corresponding different operations
           (eg rdwri() & vn_rdwr()) have different interfaces.
           [Maybe one of the later 4.3BSD's (reno?) which incorporate
           vnodes might be easier to start from..]

        2. BSD 4.3 pathname lookups use namei(), SunOS uses pn_get() &
           lookuppn().

        3. BSD 4.3 has no concept of 'nosuid' mounted filesystems.

        4. On SunOS, the exdata struct is part of the user struct, on
           BSD 4.3 it's just local to execve(), and - just to make it more
           fun :) - all the corresponding field names are different.

        5. SunOS execve() must have support for other SunOS specific bits
           that BSD 4.3 doesn't have, like support for trace(1), asynch io &
           fcntl(2) style record locks.

        etc etc etc.

In short I don't think it could be attempted without access to SunOS source -
and obviously the people with access have no reason to attempt it!

Maybe if enough people scream Sun will put out a patched kern_exec.o, or
at least allow someone else to do it.

------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               |                    Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl () bagpuss demon co uk
                                          |
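As an added example that is not part of the original post, here is a portable sh script for the detection step the thread recommends: it lists setuid/setgid files and tells the interpreter scripts apart from the binaries, since the scripts are the case under discussion. The function names and the constructed sample tree are this example's own, not anything from COPS or SunOS.

```shell
#!/bin/sh
# Added example, not from the original post: list setuid/setgid regular files
# under a directory and flag the ones that are interpreter scripts ("#!").
# Function names (list_suid etc.) are this example's own.

# Print "<kind> <path>" for each setuid/setgid regular file under $1.
# kind is "script" when the file starts with "#!", else "binary".
# -xdev keeps the scan on one filesystem, as the post's -fstype nfs -prune does.
list_suid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ]; then
            echo "script $f"
        else
            echo "binary $f"
        fi
    done
}

# Number of setuid/setgid scripts under $1 (always prints a number, even 0).
count_suid_scripts() {
    list_suid "$1" | awk '/^script / { n++ } END { print n + 0 }'
}

# Build a constructed sample tree (setuid script, setuid non-script, and a
# plain script without the bit) so the example runs offline; prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho hello\n' > "$d/backup.sh"
    chmod 4755 "$d/backup.sh"           # setuid shell script: the bad case
    printf '\177ELF constructed stub\n' > "$d/tool"
    chmod 4755 "$d/tool"                # setuid non-script
    printf '#!/bin/sh\n' > "$d/plain.sh"
    chmod 755 "$d/plain.sh"             # script, but not setuid/setgid
    echo "$d"
}

# Demo on the constructed tree, not on the live system.
sample=$(make_sample_tree)
list_suid "$sample"
echo "setuid/setgid scripts found: $(count_suid_scripts "$sample")"
rm -rf "$sample"
```

Run it as root against a real root directory (`list_suid /`) to cover files the scanning user cannot read; unreadable files are otherwise reported as "binary".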
