Well, like all good C progs, the path to libc.so or whatever, at least. Now, it might be /lib, but setuid erases even that from LD_LIBRARY_PATH, and ld does not think it is on him to look there unasked.
On HP-UX, a set-uid ksh script gets a message, so I guess they added explicit prevention, but on Solaris I do recall such: Setuid execution not allowed
No, that was it, when a ksh script is started without LD_LIBRARY_PATH, it dies, and the same for any other common interpreter.
On the platforms I use (*BSD, Linux, OSX), LD_LIBRARY_PATH is usually unset and the interpreters work fine. In my experience, LD_LIBRARY_PATH is usually used as a hack in environment-modifying shell script wrappers that launch oddball binaries which need help locating their libraries. Typically, it's not needed as shared libraries are in a system defined location which is searched by the loader regardless of the value of LD_LIBRARY_PATH or whether an executable is SUID.
Quote:
Originally Posted by DGPickett
You seem to think there is special code in exec() to not allow both interpreter #! files and setuid...
There is, at least on some systems. For example, testing on Linux (an approximately 5 yr old Debian install running kernel version 2.6.18) shows that the SUID bit of an interpreted file has absolutely no effect. The only way to launch the interpreter under a different effective user id is to set the SUID bit on the interpreter itself.
Let's assume we've just called exec() on a SUID interpreted file.
The exec system call calls prepare_binprm(). prepare_binprm() always sets the new process' effective [ug]id to the current [ug]id before checking the permissions of the script's inode. If the inode has the SUID bit set, then it modifies the euid for the new process to match the inode's uid.
So far, Linux's exec() conforms to historical behavior: the effective uid is set to the inode owner's uid. But, there's more to come. At this point the kernel does not know that it's dealing with an interpreted file. What has happened so far happens for all exec()s.
Later in the exec syscall, search_binary_handler() is called to walk a list of supported binary formats which point to their respective loaders. In the case of a text-file with a leading she-bang, it's load_script().
Thus begins a recursive loop. load_script() processes the she-bang, determines the interpreter to use, then replays the sequence above, calling prepare_binprm() and then search_binary_handler(), but now the inode whose permissions are scrutinized is that of the interpreter not the script.
Each time it's called, prepare_binprm() will clobber the new process' egid and euid (possibly previously modified by the script's SUID bit), resetting them to the current e[ug]id, before examining the interpreter's inode's SUID bit.
In the end, the SUID bit in the inode of the final file in the chain determines the euid of the exec'd process. The SUID bit of the originating script file is irrelevant.
An older OSX Tiger (10.4.11) laptop appears to be even more restrictive: If the first file in the chain is a SUID interpreted file, the euid is never changed (not even when the interpreter and the interpreted file are both SUID).
Back to where this thread started, an old OpenBSD 4.4 system honors the SUID bit of interpreted files (modifying the euid as per historical practice, as per the interpreted file's inode permissions, regardless of the interpreter's permissions).
I really should update my disused machines to more current versions of their respective operating systems.
Regards,
Alister
---------- Post updated at 07:12 PM ---------- Previous update was at 06:52 PM ----------
I ran my tests using the following "interpreter" in my sh/ksh shebang:
Regards,
Alister
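Added example, not part of the original post and not the test "interpreter" it mentions: a small C model of the euid that results from exec() of a she-bang chain under the three behaviours reported above. The struct, function names, uids and paths are hypothetical, and the OS X case with a non-SUID script is an assumption because the post does not cover it.

```c
/* Added model, not kernel source: euid after exec() of a she-bang chain under
 * the three reported behaviours. Names, uids and paths are constructed. */
#include <stdio.h>

enum policy { LINUX_2_6_18, OSX_10_4_11, OPENBSD_4_4 };

struct file {
    const char *path;
    unsigned owner;             /* uid of the inode's owner */
    int suid;                   /* SUID bit set on the inode? */
    const struct file *interp;  /* she-bang target; NULL for a real binary */
};

/* The prepare_binprm() step as described: start from the caller's euid,
 * then let this inode's SUID bit override it. */
static unsigned prepare(const struct file *f, unsigned caller)
{
    return f->suid ? f->owner : caller;
}

unsigned exec_euid(enum policy p, const struct file *f, unsigned caller)
{
    unsigned euid = prepare(f, caller);
    if (f->interp == NULL || p == OPENBSD_4_4)
        return euid;            /* plain binary, or script's own bit honoured */
    if (p == OSX_10_4_11 && f->suid)
        return caller;          /* SUID script first in chain: never changed */
    /* Linux (assumed too for OS X with a non-SUID script): every hop starts
     * again from the caller's euid, so only the last file in the chain counts. */
    for (f = f->interp; f != NULL; f = f->interp)
        euid = prepare(f, caller);
    return euid;
}

/* Constructed sample files: caller is uid 1000, scripts belong to uid 1001. */
static const struct file sh       = { "/bin/sh",     0,    0, NULL };
static const struct file suid_sh  = { "/opt/suidsh", 0,    1, NULL };
static const struct file script_a = { "a.sh",        1001, 1, &sh };
static const struct file script_b = { "b.sh",        1001, 1, &suid_sh };

int main(void)
{
    static const char *name[] = { "Linux 2.6.18", "OS X 10.4.11", "OpenBSD 4.4" };
    for (int p = LINUX_2_6_18; p <= OPENBSD_4_4; p++)
        printf("%-13s a.sh -> %u, b.sh -> %u\n", name[p],
               exec_euid((enum policy)p, &script_a, 1000),
               exec_euid((enum policy)p, &script_b, 1000));
    return 0;
}
```

When auditing a host, the rows show which inode to inspect: on the Linux behaviour a SUID bit on a script is inert and the interpreter's bit is what matters, while on the OpenBSD 4.4 behaviour the script's own bit takes effect.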
So, it's implicitly impossible unless you have a setuid binary in the middle. I guess you could write a trivial re-executing program to setuid if you thought it was a good idea.