Permit setuid on shell manuscripts

The setuid approval little bit informs Linux to run a program with the reliable customer id of the proprietor as opposed to the administrator:

> cat setuid-test.c

#include <stdio.h>
#include <unistd.h>

int main(int argc, char** argv) {
    printf("%d", geteuid());
    return 0;
}

> gcc -o setuid-test setuid-test.c
> ./setuid-test

1000

> sudo chown nobody ./setuid-test; sudo chmod +s ./setuid-test
> ./setuid-test

65534

Nonetheless, this just relates to executables; shell manuscripts overlook the setuid little bit:

> cat setuid-test2

#!/bin/bash
id -u

> ./setuid-test2

1000

> sudo chown nobody ./setuid-test2; sudo chmod +s ./setuid-test2
> ./setuid-test2

1000

Wikipedia says:

As a result of the raised chance of security imperfections, several os overlook the setuid feature when related to executable shell manuscripts.

Thinking I'm eager to approve those threats, exists any kind of means to inform Linux to deal with the setuid little bit the very same on shell manuscripts as it does on executables?

Otherwise, exists an usual workaround for this trouble? My existing remedy is to add a sudoers access to permit ALL to run an offered manuscript as the customer I desire it run as, with NOPASSWD to stay clear of the password prompt. The major disadvantages to that is the demand for a sudoers access every single time I intend to do this, and also the demand for the customer to sudo some-script as opposed to simply some-script

0
2019-05-07 01:58:54
Source Share
Answers: 5

Linux overlooks the setuid ¹ little bit on all analyzed executables (i.e. executables beginning with a #! line). The comp.unix.questions FAQ clarifies the security troubles with setuid shell manuscripts. These troubles are of 2 kinds : shebang - relevant and also shell - relevant ; I enter into even more information listed below.

If you uncommitted concerning security and also intend to permit setuid manuscripts, under Linux, you'll require to spot the bit. Since 3.x bits, I assume you require to add a phone call to install_exec_creds in the load_script function, prior to the call to open_exec, yet I have not examined.


Setuid ball of wax

There is a race problem integral to the means ball of wax (#!) is commonly applied:

  1. The bit opens up the executable, and also locates that it begins with #!.
  2. The bit shuts the executable and also opens up the interpreter rather.
  3. The bit inserts the course to the manuscript to the argument checklist (as argv[1]), and also implements the interpreter.

If setuid manuscripts are permitted with this execution, an opponent can invoke an approximate manuscript by developing a symbolic link to an existing setuid manuscript, implementing it, and also preparing to transform the link after the bit has actually executed action 1 and also prior to the interpreter navigates to opening its first argument. Consequently, the majority of unices overlook the setuid little bit when they identify a ball of wax.

One means to safeguard this execution would certainly be for the bit to lock the manuscript documents till the interpreter has actually opened it (note that this have to protect against not just unlinking or overwriting the documents, yet additionally relabeling any kind of directory in the course). Yet unix systems often tend to avoid required locks, and also symbolic web links would certainly make a proper lock attribute specifically hard and also intrusive. I do not assume any person does it in this manner.

A couple of unix systems (mostly OpenBSD, NetBSD and also Mac OS X, every one of which call for a bit readying to be made it possible for) implement safe and secure setuid ball of wax making use of an added attribute : the course /dev/fd/N describes the documents currently opened up on documents descriptor N (so opening up /dev/fd/N is about equal to dup(N)). Several unix systems (consisting of Linux) have /dev/fd yet not setuid manuscripts.

  1. The bit opens up the executable, and also locates that it begins with #!. Allow's claim the documents descriptor for the executable is 3.
  2. The bit opens up the interpreter.
  3. The bit inserts /dev/fd/3 the argument checklist (as argv[1]), and also implements the interpreter.

Sven Mascheck's shebang page has a great deal of details on ball of wax throughout unices, consisting of setuid support.


Setuid interpreters

Let's think you've taken care of to make your program run as origin, either due to the fact that your OS sustains setuid ball of wax or due to the fact that you've made use of an indigenous binary wrapper (such as sudo). Have you opened up a security opening? Possibly . The concern below is not concerning analyzed vs assembled programs. The concern is whether your runtime system acts securely if implemented with advantages.

  • Any kind of dynamically connected indigenous binary executable remains in a means analyzed by the vibrant loader (as an example /lib/ld.so), which lots the vibrant collections called for by the program. On several unices, you can set up the search course for vibrant collections via the setting (LD_LIBRARY_PATH is an usual name for the setting variable), and also also load added collections right into all implemented binaries (LD_PRELOAD). The invoker of the program can execute approximate code because program's context by positioning a particularly - crafted libc.so in $LD_LIBRARY_PATH (among various other methods). All rational systems overlook the LD_* variables in setuid executables.

  • In coverings such as sh, csh and also by-products, setting variables instantly come to be shell parameters. Via parameters such as PATH, IFS, and also much more, the invoker of the manuscript has several possibilities to execute approximate code in the shell manuscripts's context. Some coverings set these variables to rational defaults if they identify that the manuscript has actually been conjured up with advantages, yet I do not recognize that there is any kind of certain execution that I would certainly rely on.

  • The majority of runtime settings (whether indigenous, bytecode or analyzed) have comparable attributes. Couple of take unique preventative measures in setuid executables, though the ones that run indigenous code usually do not do anything fancier than vibrant connecting (which does take preventative measures).

  • Perl is a remarkable exemption. It clearly sustains setuid manuscripts in a safe and secure means. Actually, your manuscript can run setuid also if your OS overlooked the setuid little bit on manuscripts. This is due to the fact that perl ships with a setuid origin assistant that executes the essential checks and also reinvokes the interpreter on the wanted manuscripts with the wanted advantages. This is clarified in the perlsec guidebook. It made use of to be that setuid perl manuscripts required #!/usr/bin/suidperl -wT as opposed to #!/usr/bin/perl -wT, yet on the majority of modern-day systems, #!/usr/bin/perl -wT suffices.

Keep in mind that making use of an indigenous binary wrapper not does anything by itself to stop these troubles . Actually, it can make the scenario even worse , due to the fact that it could stop your runtime setting from identifying that it is conjured up with advantages and also bypassing its runtime configurability.

An indigenous binary wrapper can make a shell manuscript secure if the wrapper disinfects the setting . The manuscript has to make sure not to make way too many presumptions (as an example concerning the existing directory) yet this goes. You can make use of sudo for this given that it's set up to disinfect the setting. Blacklisting variables is mistake - vulnerable, so constantly whitelist. With sudo, see to it that the env_reset alternative is activated, that setenv is off, which env_file and also env_keep just have harmless variables.


TL, DR:

  • Setuid ball of wax is troubled yet generally overlooked.
  • If you run a program with advantages (either via sudo or setuid), write indigenous code or perl, or start the program with a wrapper that disinfects the setting (such as sudo with the env_reset alternative).

¹ This conversation uses just as if you replace "setgid" for "setuid" ; they are both ignored by the Linux kernel on scripts

0
2019-05-12 04:58:13
Source

You can create a pen name for sudo+the name of the manuscript. Certainly, that is a lot more function to set up, given that you after that need to arrangement a pen name, also, yet it conserves you from needing to type sudo.

Yet if you do not mind dreadful security threats, make use of a setuid shell as the interpreter for the shell manuscript. Do not recognize whether that'll benefit you, yet I presume it might.

Allow me state that I discourage in fact doing this, however. I'm simply stating it for instructional objectives ; -)

0
2019-05-09 00:17:52
Source

One means of addressing this trouble is to call the shell manuscript from a program that can make use of the setuid little bit.
its something like sudo. As an example, below is just how you would certainly complete this in a C program :

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main()
{
    setuid( 0 );   // you can set it at run time also
    system( "/home/pubuntu/setuid-test2.sh" );
    return 0;
 }

Save it as setuid - test2.c.
compile
Now do the setuid on this program binary :

su - nobody   
[enter password]  
chown nobody:nobody a.out  
chmod 4755 a.out  

Now, you need to have the ability to run it, and also you'll see your manuscript being implemented with no one approvals.
Yet below additionally either you require to hardcode the manuscript course or pass it as command line arg to over exe.

0
2019-05-08 22:52:50
Source

If you intend to stay clear of calling sudo some_script you can simply do :

  #!/ust/bin/env sh

  sudo /usr/local/scripts/your_script

SETUID programs require to be made with severe treatment as they keep up origin advantages and also customers have huge control over them. They require to peace of mind - check every little thing. You can refrain it with manuscripts due to the fact that :

  • Shells are huge items of software program which connect greatly with customer. It is virtually difficult to peace of mind check every little thing-- specifically given that a lot of the code is not planned to run in such setting.
  • Manuscripts are a primarily fast 'n' unclean remedy and also generally are not prepared with such treatment that they would certainly permit setuid. They have several possibly unsafe attributes.
  • They depend greatly on various other programs. It is not enough that the shell was examined. sed, awk, etc would certainly require to be examined too

Please note that sudo gives some peace of mind - monitoring yet it isn't enough-- examine every line in your very own code.

As a last note : take into consideration making use of capacities. They permit you to offer a procedure running as a customer unique advantages that would generally call for origin advantages. Nonetheless as an example, while ping requires to adjust the network, it does not require to have accessibility to documents. I'm not exactly sure nonetheless if they are acquired.

0
2019-05-08 19:10:54
Source

I prefix a couple of scripts that remain in this watercraft hence :

#!/bin/sh
[ "root" != "$USER" ] && exec sudo $0 "[email protected]"

Keep in mind that this does not make use of setuid yet merely implements the existing documents with sudo.

0
2019-05-08 07:30:48
Source