Re: Guile scripts and setuid bit -> trouble

From: Roland Besserer
Subject: Re: Guile scripts and setuid bit -> trouble
Date: 10 Jan 2005 16:03:48 -0800
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3
Naturally, I'm aware of the inherent security issues but they are not a
concern in this case (isolated machine, etc.).
The script is used to modify a simple text file which has -rw-------
permissions and is owned by a separate user and group and the script
is uid root.
With the script perms -rwxr-xr-x and the test file set to -rw-rw-rw-
everything works fine. If I limit the permissions on the text file and
setuid the script (-rwsr-xr-x) I get the error.
It does work as expected on OSX (guile 1.6.4), so this appears to be
Solaris specific. This is Solaris 8/9 by the way. Turns out that sh
scripts also fail to run as setuid, but they don't give any parse errors,
they just run with the real uid.
I know there is a file system option (nosuid) but all my file systems are
mounted with the enable option (uid).
roland
p.s. By the way, I found that the guile-1.6.4 build on OSX does not support
the Posix user information calls like (cuserid).
<address@hidden> writes:
> On Thu, Jan 06, 2005 at 04:26:25PM -0800, Roland Besserer wrote:
> >
> > Hi,
> >
> > I am having an issue running guile scripts on a Solaris 9 machine.
> > The script starts with the usual:
> >
> > #!/usr/local/bin/guile \
> > -e main -s
> > !#
> [...]
> > ERROR: Unbound variable: !#
>
> hi,
>
> don't know about Solaris -- but note that setuid *scripts* are
> special. Done naively they are inherently insecure. Different
> systems have different approaches to cope with that. Linux, for
> example, just ignores the setuid bit on scripts (you can do
> setuid Perl scripts, but that involves some suidperl black magic,
> having a setuid Perl interpreter as one of its tasty ingredients,
> yummm...). Maybe Solaris is passing an already-open file descriptor
> to the shell (i.e. guile), on which the first line is ``read-off'',
> so poor guile doesn't get the hash-bang at the beginning?
>
> What happens if you append a backslash to the second line? What if
> you change the last one to ``#! !#'' (looks funny, right ;-)
>
> Regards
> -- tomás