RE: allowing ordinary users to open privileged ports

From: Myers, Mike (Mike.Myers_at_nwdc.net)
Date: 09/14/04

    Date: Tue, 14 Sep 2004 10:41:52 -0700
    To: "Brian Parent" <bparent@calvin.ucsd.edu>, focus-sun@securityfocus.com
    
    

    You know, I've often heard this statement (about SUID shell scripts being dangerous) without a good explanation -- too often the author citing "security concerns" for not explaining it (not that Brian did!).

    For those who feel the same way, I found a reasonable explanation here:

    http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html

    It does a good job of covering PATH issues, timing issues and others. Always good to understand exactly what type of attack one is defending against.

    Cheers,
     - Mike Myers, Mike.Myers <at> nwdc.net

    -----Original Message-----
    From: Brian Parent [mailto:bparent@calvin.ucsd.edu]
    Sent: Monday, September 13, 2004 10:29 AM
    To: focus-sun@securityfocus.com
    Subject: Re: allowing ordinary users to open privileged ports

    I'm glad to hear that your method #2 presented other problems
    which prevented you from using it.

    Creating a setuid shell script creates a major security hole.
    Local users with access to such a script can execute arbitrary
    programs as the owner of the script (root in this case).
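
One way to check a system for the setuid shell scripts this thread warns about, so they can be removed or replaced. This is an added example, not part of either message; the function name `find_suid_scripts` is chosen here for illustration.

```shell
#!/bin/sh
# Added example: list setuid/setgid files that are interpreter scripts.
# Usage (after sourcing this file): find_suid_scripts /usr/local

# find_suid_scripts DIR
#   Prints every regular file under DIR (same filesystem only) that has
#   the setuid or setgid bit set AND begins with the two bytes "#!".
#   Compiled setuid binaries are skipped; only scripts are reported.
find_suid_scripts() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec sh -c '
        for f do
            # Read the first two bytes as hex; "#!" is 0x23 0x21.
            magic=$(dd if="$f" bs=2 count=1 2>/dev/null |
                    od -An -tx1 | tr -d " \n")
            if [ "$magic" = "2321" ]; then
                printf "%s\n" "$f"
            fi
        done' sh {} + 2>/dev/null
}
```

Any path it prints is a candidate for `chmod u-s,g-s` and for replacing the script with a different way of granting the privilege.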

