[Eug-lug] Linux- Mac OS X file exchange: This sounds right

Bob Miller kbob at jogger-egg.com
Mon Jul 31 22:59:07 PDT 2006


Allen Brown wrote:

> It is tempting to also use nosuid, but there is a warning on
> the mount page.
>   nosuid Do  not allow set-user-identifier or set-group-identifier
>          bits to take effect. (This seems safe,  but  is  in  fact
>          rather unsafe if you have suidperl(1) installed.)
> 
> What the heck is that?  I don't seem to have it installed,
> but this makes me nervous because I wouldn't necessarily
> notice if it came in along with a bunch of other stuff
> in an apt-get.

/usr/bin/suidperl is part of the perl package.  It's a set-uid program,
usually installed setuid root, that invokes perl, used to change uid
on setuid scripts when the kernel doesn't do that.

An evildoer could...

   On his own box, create a floppy/CD/flash ext2 filesystem and put
   evilscript on it setuid root.

   On your box, with normal user privs, he inserts and mounts the
   device which you've marked with user,nosuid in /etc/fstab.

   The evildoer runs his script.  The kernel invokes perl but does not
   set uid (because the fs is mounted nosuid).  Perl sees the setuid
   bit, execs suidperl.  suidperl sees the setuid bit, changes its
   effective uid to the file's owner (root), and execs perl.  Perl,
   now running as root, executes the script, and hilarity ensues.

Many distros ship without suidperl.  Gentoo has a USE flag to enable
it which defaults to off.  Ubuntu ships with suidperl, but it doesn't
have the setuid bit set.  Those are the distros I have handy just now.

That's probably more information than you wanted...

-- 
Bob Miller                              K<bob>
                                        kbob at jogger-egg.com
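
Added example, not part of the original message: a shell audit for the combination described above, an fstab entry that ordinary users may mount plus a suidperl binary that still has its set-uid bit. The function names, the constructed sample fstab and the `sperl*` file-name pattern are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit for a user-mountable filesystem combined with a
# set-uid suidperl. Function names and the sperl* pattern are assumptions.

# Print "mountpoint fstype options" for fstab entries an ordinary user may
# mount (options user, users or owner).
user_mountable() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }       # skip comments, blank/short lines
        {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "user" || opt[i] == "users" || opt[i] == "owner") {
                    print $2, $3, $4
                    break
                }
        }' "$1"
}

# Print files named suidperl or sperl* under the given directories that
# still carry the set-uid bit.
setuid_suidperl() {
    for d in "$@"; do
        if [ -d "$d" ]; then
            find "$d" -type f \( -name suidperl -o -name 'sperl*' \) -perm -4000
        fi
    done
}

# Succeeds (exit 0) only when both halves of the problem are present.
exposed() {   # $1 = fstab file, remaining args = directories to search
    fstab=$1; shift
    [ -n "$(user_mountable "$fstab")" ] && [ -n "$(setuid_suidperl "$@")" ]
}

# Constructed sample fstab, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/sda1  /              ext3  defaults            0 1
/dev/fd0   /media/floppy  ext2  user,nosuid,noauto  0 0
EOF
echo "user-mountable entries:"; user_mountable "$sample"
if exposed "$sample" /usr/bin /usr/local/bin; then
    echo "set-uid suidperl present: nosuid does not contain it"
else
    echo "no set-uid suidperl found in /usr/bin or /usr/local/bin"
fi
rm -f "$sample"
```

On a real system, pass /etc/fstab and the directories on root's PATH to exposed.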

