Re: Guile scripts and setuid bit -> trouble

guile-user

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Guile scripts and setuid bit -> trouble

From:	Roland Besserer
Subject:	Re: Guile scripts and setuid bit -> trouble
Date:	10 Jan 2005 16:03:48 -0800
User-agent:	Gnus/5.09 (Gnus v5.9.0) Emacs/21.3

Naturally, I'm aware of the inherent security issues but they are not a
concern in this case (isolated machine, etc.). 

The script is used to modify a simple text file which has -rw-------
permissions and is owned by a separate user and group and the script
is uid root.

With the script perms -rwxr-xr-x and the test file set to -rw-rw-rw-
everything works fine. If I limit the permissions on the text file and
setuid the script (-rwsr-xr-x) I get the error.

It does work as expected on OSX (guile 1.6.4), so this appears to be 
Solaris specific. This is Solaris 8/9 by the way. Turns out that sh
scripts also fail to run as setuid, but they don't give any parse errors,
they just run with the real uid.

I know there is a file system option (nosuid) but all my file system are
mounted with the enable option (uid).

roland

p.s. By the way, I found that the guile-1.6.4 build on OSX does not support
the Posix user information calls like (cuserid).

<address@hidden> writes:

> On Thu, Jan 06, 2005 at 04:26:25PM -0800, Roland Besserer wrote:
> > 
> > Hi,
> > 
> > I am having an issue running guile scripts on a Solaris 9 machine.
> > The script starts with the usual:
> > 
> > #!/usr/local/bin/guile \
> > -e main -s
> > !#
> [...]
> > ERROR: Unbound variable: !#
> 
> hi,
> 
> don't know about Solaris -- but note that setuid *scripts* are
> special. Done naively they are inherently insecure. Different
> systems have different approaches to cope with that. Linux, for
> example, just ignores the setuid bit on scripts (you can do
> setuid Perl scripts, but that involves some suidperl black magic,
> having a setuid Perl interpreter as one of its tasty ingredients,
> yummm...). Maybe Solaris is passing an already-open file descriptor
> to the shell (i.e. guile), on which the first line is ``read-off'',
> so poor guile doesn't get the hash-bang at the beginning?
> 
> What happens if you append a backslash to the second line? What if
> you change the last one to ``#! !#'' (looks funny, right ;-)
> 
> Regards
> -- tomás

[Prev in Thread]

Current Thread

[Next in Thread]

Guile scripts and setuid bit -> trouble, Roland Besserer, 2005/01/06
- Re: Guile scripts and setuid bit -> trouble, Andy Wingo, 2005/01/07
  - Re: Guile scripts and setuid bit -> trouble, Paul Jarc, 2005/01/09
- Re: Guile scripts and setuid bit -> trouble, tomas, 2005/01/10
  - Re: Guile scripts and setuid bit -> trouble, Roland Besserer <=
    - Re: Guile scripts and setuid bit -> trouble, tomas, 2005/01/11
    - Re: Guile scripts and setuid bit -> trouble, Kevin Ryde, 2005/01/11
  - Re: Guile scripts and setuid bit -> trouble, Roland Besserer, 2005/01/10

Prev by Date: New product! Cialis soft tabs.
Next by Date: The new and revollutionaary peenjs enlaargment devjce! knauer
Previous by thread: Re: Guile scripts and setuid bit -> trouble
Next by thread: Re: Guile scripts and setuid bit -> trouble
Index(es):
- Date
- Thread