gabriel rosenkoetter on Sun, 4 Nov 2001 22:00:13 +0100



Re: [PLUG] [linux] Shell script madness (fwd)


On Sun, Nov 04, 2001 at 02:46:35PM -0500, Bill Jonas wrote:
> I'm not sure
> how to pass things in on stdin, but command-line options would be like
> above (i.e., 'execl("/usr/local/bin/chronyc", "chronyc", "--password",
> "blablabla", "online", (char *)0);' if that would work).

You shouldn't have to do anything fancy to connect stdin from the
shell straight through to the execl()ed process, provided the
process on the far end of the execl() wants to listen to it.

To connect, say, a file to the execl()ed process's stdin, you'd want
something like:

#include <fcntl.h>   /* open(), O_RDONLY */
#include <unistd.h>  /* close(), dup() */

int fdesc = open("<pathname>", O_RDONLY);
if (fdesc < 0)
    return -1;   /* don't go on to execl() with stdin unconnected */
close(0);        /* free descriptor 0 ... */
dup(fdesc);      /* ...so dup() puts the file on the lowest free fd, i.e. 0 */
close(fdesc);    /* drop the now-redundant original descriptor */

Before the execl(). Pipes between processes' standard file descriptors
are a simple extension. YMMV. Read the relevant man pages (rrmp?).

> Now, I'm sure that gr will poke holes in this ;) (actually, I wouldn't
> mind some constructive criticism; I'm not yet a C programmer but aspire
> to be and haven't yet gotten around to it), but it seemed to work okay.
> I never did get around to the project that this was created for.

Well, if I must... ;^>

Depending on your environment, what you describe won't work. Well.
It'll work, it just won't be safe.

That is, if your system saves uids the same way that Sys V does
(read, Solaris, notably), you've not done enough to ditch the old
uid (you have to fork(); exec(); twice so that it's not possible to
climb the tree back up). This *might* also be true on BSD-esque
systems. I don't remember. It's generally considered the Right Way
to write daemons and suid stuff that needs to drop uid. But my
knowledge of this is *really* rusty, and I'm not sure how much of
what applies to Linux.

(The guiding principle here is that you don't want the user to run
your suid wrapper, send it a SIGTSTP or similar, then attach to it
with ptrace or gdb, and find some clever-but-evil way to give
themselves a shell. They need to not be the owner of the process
immediately after it's gone to uid 0 and *before* it's done anything
non-trivial.)

Granted, it would take an attacker who really knew what he was doing
to exploit this, but it's usually best to assume that the attacker
has infinite time and knowledge when writing anything in which
security is a concern.

Looking at how Postfix's uid-dropping stuff works could be very
informative and would show how to do something that's completely
portable. (Wietse Venema is *really* good.)

-- 
       ~ g r @ eclipsed.net

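The stdin plumbing and the "don't exec while the process has a half-changed identity" point from the reply above, as an added C example that is not from the original post or from any PLUG member: it forks, puts a file on the child's stdin with dup2() instead of the close(0)/dup() pair, refuses to exec while real and effective ids differ, and hands back the child's exit status. The /tmp path, /bin/sh and the "hello" input are constructed for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Refuse to exec while real and effective ids differ: a half-changed
 * identity is what lets the original user attach (the ptrace concern). */
static int identity_is_settled(void)
{
    return getuid() == geteuid() && getgid() == getegid();
}

/* Fork, connect `path` to the child's stdin, execv(prog, argv). Returns
 * the child's exit status (126: identity check failed, 127: open or exec
 * failed), or -1 on fork/wait error. */
int run_with_stdin_from_file(const char *path, const char *prog,
                             char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* dup2() does the post's close(0); dup(fd); pair atomically. */
        int fd = open(path, O_RDONLY);
        if (fd < 0 || dup2(fd, STDIN_FILENO) < 0)
            _exit(127);
        if (fd != STDIN_FILENO)
            close(fd);
        if (!identity_is_settled())
            _exit(126);
        execv(prog, argv);
        _exit(127); /* only reached if execv() failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample input; the path is an assumption for this demo. */
    FILE *f = fopen("/tmp/plug_stdin_example.txt", "w");
    if (!f || fputs("hello\n", f) == EOF || fclose(f) != 0)
        return 1;
    char *const argv[] = { "sh", "-c", "read x && [ \"$x\" = hello ]", NULL };
    int rc = run_with_stdin_from_file("/tmp/plug_stdin_example.txt", "/bin/sh", argv);
    printf("child exit status: %d\n", rc); /* 0: the child read "hello" */
    return rc;
}
```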