Bugtraq mailing list archives

Re: setuid scripts in SunOS 4.1.x


From: fred () nasirc hq nasa gov (Fred Blonder)
Date: Wed, 28 Sep 1994 10:55:52 -0400


        From: John Hawkinson <jhawk () panix com>

        When we say FIXING THE KERNEL, we MEAN DISABLING SETUID SCRIPTS.

        If you have some other reasonable mechanism, I'd be interested
        in hearing it...

Well, just to keep thrashing this one around, imagine the following
implementation: Set-uid script 'foo' calls interpreter 'bar':

    -rws--x--x  1 user           33 Sep 28 10:33 foo

    foo:
        #! /bin/bar
                .
                .
                .

A user invokes 'foo', the kernel sees the magic token '#!', converts
the inode for file 'foo' to a file descriptor (say for the purpose of
this example: fd 3) and adds it to the set of open file descriptors
(assuming the standard 0, 1 and 2 are already open), then execs
'/bin/bar' with an argument of '/dev/fd/3'.  The evil cracker can shift
symbolic links around to his heart's content, but can't prevent the
'/bin/bar' process from opening the correct script since it's already
been passed as an open file descriptor, hence no race condition.  This
approach requires no changes to existing interpreters.
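A user-space emulation of the hand-off described above, added here as an
example and not part of the original message: it opens the script first,
reads its '#!' line, and then execs the interpreter with /dev/fd/N in place of
the pathname, so the interpreter reads the inode that was already open.  It
assumes a Linux-like system where /dev/fd (or /proc/self/fd) exists.  The
kernel's half of the proposal, running the interpreter with the script
owner's uid, is not emulated here, and the temporary script it runs is
constructed purely for the demonstration.

```c
/* Added example, not from the original message: user-space emulation of
 * exec-by-file-descriptor for '#!' scripts.  Privilege handling (the
 * setuid bit on the script) is deliberately left out. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parse a "#!" line.  Copies the interpreter path into interp and the
 * optional single argument into arg (empty string if none).
 * Returns 1 if the line is a shebang line, 0 otherwise. */
int parse_shebang(const char *line, char *interp, size_t ilen,
                  char *arg, size_t alen)
{
    if (strncmp(line, "#!", 2) != 0)
        return 0;
    const char *p = line + 2;
    while (*p == ' ' || *p == '\t')
        p++;
    size_t n = strcspn(p, " \t\n");
    if (n == 0 || n >= ilen)
        return 0;
    memcpy(interp, p, n);
    interp[n] = '\0';
    p += n;
    while (*p == ' ' || *p == '\t')
        p++;
    n = strcspn(p, "\n");
    if (n >= alen)
        n = alen - 1;
    memcpy(arg, p, n);
    arg[n] = '\0';
    return 1;
}

/* Run the script already open on fd: read its shebang line, fork, and exec
 * the interpreter with /dev/fd/N (not a pathname) as the script argument.
 * The file is open before the exec, so swapping links around afterwards
 * cannot change what the interpreter reads.
 * Returns the child's exit status, or -1 on error. */
int run_script_by_fd(int fd)
{
    char line[256], interp[128], arg[128], fdpath[64];
    ssize_t got = pread(fd, line, sizeof line - 1, 0);
    if (got <= 0)
        return -1;
    line[got] = '\0';
    line[strcspn(line, "\n")] = '\0';          /* keep only the first line */
    if (!parse_shebang(line, interp, sizeof interp, arg, sizeof arg))
        return -1;
    /* Linux: /dev/fd is a symlink to /proc/self/fd; fall back if absent. */
    const char *fdbase = access("/dev/fd", F_OK) == 0 ? "/dev/fd"
                                                       : "/proc/self/fd";
    snprintf(fdpath, sizeof fdpath, "%s/%d", fdbase, fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* fd stays open across exec (no FD_CLOEXEC), just as the proposed
         * kernel would leave it for the interpreter. */
        if (arg[0])
            execl(interp, interp, arg, fdpath, (char *)NULL);
        else
            execl(interp, interp, fdpath, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demonstration: write a constructed script to a temp file, then remove
 * its pathname before running it.  The interpreter still finds the script
 * through the descriptor, which is the property argued for above.
 * Returns the script's exit status (7 for the constructed script). */
int demo_run(void)
{
    char path[] = "/tmp/byfd_XXXXXX";              /* constructed name   */
    const char script[] = "#! /bin/sh\nexit 7\n";  /* constructed script */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, script, sizeof script - 1) != (ssize_t)(sizeof script - 1)) {
        close(fd);
        return -1;
    }
    unlink(path);          /* the path is gone; only the open fd remains */
    int rc = run_script_by_fd(fd);
    close(fd);
    return rc;
}

int main(void)
{
    printf("script exited with status %d\n", demo_run());
    return 0;
}
```

The unlink() before the exec is the point of the demonstration: by the time
/bin/sh runs, the script has no pathname at all, yet /dev/fd/N still hands it
the correct contents, which is exactly why a link swapped in between the
kernel's check and the interpreter's open no longer matters.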

I suggest we move this discussion to a different forum, as it's now
pretty far beyond the declared scope of bugtraq.
-----
Fred Blonder            fred () nasirc hq nasa gov

Hughes STX Corp.        (301) 441-4079
7701 Greenbelt Rd.
Greenbelt, Md.  20770
