tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Adding a simple editor to the base system

[Aleksej Saushev <>]
> Does [SETUIDSCRIPTS] prevent symlink attack or simply disables the
> check?

> I never tried it myself but my guess is [...]

I suppose actually looking to see what it does is out of the question?

I just looked.  Based on a -current source tree updated last night via
sup, SETUIDSCRIPTS passes the script as an open fd to the shell,
telling it to use the appropriate /dev/fd/* as the script name.

> How do you think the kernel could prevent symlink attacks?  I'm
> curious to know.

By not passing a name attackers can symlink-replace, of course - such
as by (see above) opening the script file in the kernel and passing the
shell an fd already open onto it.  The only part that's at all
difficult is convincing shells that expect to see a script pathname to
use that open fd, and that's addressed in our implementation with
/dev/fd/.  (Yes, this does man that SETUIDSCRIPTS doesn't work right if
you don't have /dev/fd/ set up the way the kernel expects.  This is
arguably a bug, but surely one of the least severe bugs ever.  The
right fix is for the shell to have a command-line syntax that
specifically means "get the script from this fd", but using /dev/fd/ is
almost as good, certainly good enough to be useful.)

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML      
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

Home | Main Index | Thread Index | Old Index