Philip Rushik on 7 Nov 2016 18:01:30 -0800


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] LINUX LOW LEVEL PROGRAMMING QUESTION



On Mon, Nov 7, 2016 at 8:43 PM, Rich Freeman <r-plug@thefreemanclan.net> wrote:
sudo != suid.  suid scripts being disabled is unsurprising, because
there is a race condition in having them around.
 
I've never heard of a race condition associated with suid, I would like to know more about that. However, you for sure need to have something that is suid, otherwise there is no way to become root (su and sudo use suid, as does probably login and some other coreutils on a gnu based system, busybox is likely suid on other systems).
 
Now, what you can do is put a script in the sudoers file with NOPASSWD
and so on, and that is both secure and will let any (designated) users
run that script with sudo, and let you call it from other scripts,
crontab, and so on I think.

The other thing you can do is write a wrapper in C which does nothing
but exec the shell script, and make that C wrapper suid.  That is also
secure.

This is a good suggestion, but in and of itself it is not secure, it needs to be implemented carefully otherwise it would be the first place I would start if I wanted to hack your system. If sudo allows preserving the environment, then I could just make a new script that does whatever I want, and give it the same name and put it first in the PATH and use sudo to execute it, likewise for your C program if you use an exec that searches the PATH (execlp, execvp, or execvpe), then the same type of PATH manipulation works. You need to prevent searching the PATH, or use only absolute paths for the script and everything it calls. Additionally, you need to make sure that script can't be overwritten by anybody that could want to do harm.
It could be secure if you are careful, but isn't inherently secure.

 - Phil
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug