Quote:
Originally Posted by methyl
Thank you jlliagre for this most useful post. Not sure how your link is relevant, but it was interesting.
I'm afraid I don't understand your comment about the link not being relevant. It precisely states ksh is taking specific measures against exploits when called as a suid script, and it explains how modern OSes, like Solaris, prevent other exploits from succeeding.
Quote:
Obviously "by the book" is referring to documented rules.
That was my question. Do you have a link or something pointing to a place where these rules are documented?
Quote:
If the account "jlliagre" is not in the SECONDARY group "other" then your post is still hard to understand. I am sure you know an account can be in more than one group.
I stand corrected here. You certainly were expecting id to display the user's groups, but the default Solaris id command doesn't do it. If I replace id with /usr/gnu/bin/id, guest is indeed a member of both his original group and jlliagre's one.
Quote:
Ps. Don't take this personally. The subject of elevating permissions of Shell Scripts is sensitive to me.
I believe (but am not 100% sure yet) my example doesn't elevate the script permissions; it switches them from those of an unprivileged user to another unprivileged user. However, I probably should do more checking to be sure fine-grained privileges granted to jlliagre's account do not interfere with my sample results.
---------- Post updated at 01:25 ---------- Previous update was at 00:40 ----------
Quote:
Originally Posted by fpmurphy
@jlliagre. Please tell us which specific OS and version of ksh your example works on.
My example was on "Oracle Solaris 11 Express snv_146 X86".
It works the same way on OpenIndiana build 151a, Solaris 10 and probably all previous SVR4.0 based Solaris releases.
I just tried on Solaris 11 FCS and the behavior is slightly different and actually better.
The suid bit still allows for an unreadable script to be executable but the euid is not changed anymore.
I don't think ksh version matters but I'm using what /bin/ksh refers to, i.e. ksh88 on Solaris 10 and likely ksh93t+ on all the SunOS 5.11 based OSes.
Quote:
By default on Linux, setuid shell scripts are not supported. Such bits are ignored.
Indeed. I commented about what I know/read about OSes supporting or not suid scripts in post #12:
https://www.unix.com/302592028-post12.html