
Re: [Sheflug] running as root



On Wed, 03 May 2000, Al Hudson wrote:

>> Race type conditions are ripe :)
>
>Err, are you sure about that? Off the top of my head, I can't think of
>one. 

The idea of the race condition AIUI goes something like this:

You have some suid system script foo. Malicious person makes a
sym link bar -> foo. He also creates baz, a script that just gives him a shell.

Now he overloads the system, so that there's time to get coffee between
operations. He starts up the system script foo via the link bar, then quickly
he sets the sym link to baz.

The idea is that there is a gap between the script getting suid root from libc
and the shell running the script; if the sym link changes just in
time, bang, a root shell for the malicious person.

This is the reason why bash scripts are not allowed to be suid root.

Timing is clearly important here but if the machine is heavily overloaded
enough this should be possible.

I have never actually tried this, it's just my interpretation ...

>Try this: (it's C, obviously)

This doesn't shed much light on whether or not _shell scripts_ can be suid
root (they can't). Note that you can set the suid bit on a shell script; it's
just that it has no effect.

atb

Martin

-- 
http://www.shef.ac.uk/~pm1mph



---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word 
 "unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.
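
Added example, not part of the original message: a privilege-free model of the gap described above, where a decision is made on what the path bar points to and the path is then resolved a second time to read the script. The names foo, bar and baz follow the message; the file contents, the `swap` callback standing in for the overloaded-system delay, and the open-once variant shown as the fix are assumptions made for this illustration.

```python
import os
import tempfile


def approve_then_reopen(link, trusted_id, swap):
    """Flawed launch: the decision and the read each resolve the path separately."""
    st = os.stat(link)                      # decision follows the link as it is now
    approved = (st.st_dev, st.st_ino) == trusted_id
    swap()                                  # constructed stand-in for the delay on a loaded system
    with open(link) as f:                   # the interpreter resolves the path a second time
        return approved, f.read()


def approve_open_fd(link, trusted_id, swap):
    """Hardened launch: open once, decide on the descriptor, read the same descriptor."""
    fd = os.open(link, os.O_RDONLY)
    st = os.fstat(fd)
    approved = (st.st_dev, st.st_ino) == trusted_id
    swap()                                  # retargeting the link cannot change what fd refers to
    with os.fdopen(fd) as f:
        return approved, f.read()


def run_demo():
    """Build foo, baz and the link bar in a temp dir and run both launch models."""
    results = {}
    for name, launch in (("reopen", approve_then_reopen), ("fd", approve_open_fd)):
        with tempfile.TemporaryDirectory() as d:
            foo, baz, bar = (os.path.join(d, n) for n in ("foo", "baz", "bar"))
            with open(foo, "w") as f:
                f.write("trusted system script\n")      # constructed content
            with open(baz, "w") as f:
                f.write("untrusted replacement\n")      # constructed content
            os.symlink(foo, bar)
            st = os.stat(foo)

            def swap():
                tmp = bar + ".new"
                os.symlink(baz, tmp)
                os.replace(tmp, bar)                    # atomically retarget bar -> baz

            results[name] = launch(bar, (st.st_dev, st.st_ino), swap)
    return results


if __name__ == "__main__":
    for name, (approved, content) in run_demo().items():
        print(f"{name}: approved={approved} ran={content.strip()!r}")
```

In the first model the check approves foo while the content read comes from baz; in the second the approved file and the file read are the same object regardless of the swap.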