This is WAAAY far from being news. In the FreeBSD mount man page we can read:

     nosuid  Do not allow set-user-identifier or set-group-identifier bits
             to take effect.  Note: this option is worthless if a public
             available suid or sgid wrapper like suidperl(1) is installed
             on your system.

This man page has been in the public domain for a long time too. :)

--
Yan

On Thu, Jan 14, 1999 at 05:58:15PM +0000, Brian McCauley <B.A.McCauleyat_private> wrote:
> The following message is a courtesy copy of an article
> that has been posted to comp.os.linux.misc,comp.os.linux.development.system,comp.lang.perl.misc as well.
>
> The suid script emulation in Perl 5.0004_4 (as found in SuSE Linux 5.3
> and doubtless other Linux distributions) fails to take account of the
> nosuid mount option on filesystems.
>
> This means that it is trivial for a resourceful user to hide a setuid
> perl script on a CD or floppy and then use it to become root. Many
> systems are (even by default) configured to allow users to mount floppies
> and CDs nosuid.
>
> The most obvious fix to Perl for this would be (where available) to
> use fstatvfs() (as defined in SUSv2) to determine if the script is on
> a filesystem that is mounted with the nosuid option.
>
> Unfortunately fstatvfs() is not implemented in Linux (as of 2.2pre1).
> It would not be difficult to add the new system call. Indeed the
> existing fstatfs() implementation could simply be modified to
> implement fstatvfs() semantics and both syscalls could then point to
> the same code.
>
> This vulnerability will exist in all Unices that use a user-space
> implementation of suid-scripts and implement a nosuid mount option in
> such a way that it does not modify the values returned by fstat().
>
> It is worth noting that other suid-aware script-interpreters will
> probably also display this vulnerability on Linux because of the
> absence of fstatvfs().
>
> --
> \\ ( ) No male bovine | Email: B.A.McCauleyat_private
> . _\\__[oo faeces from | Phones: +44 121 471 3789 (home)
> .__/ \\ /\@ /~) /~[ /\/[ | +44 121 627 2173 (voice) 2175 (fax)
> . l___\\ /~~) /~~[ / [ | PGP-fp: D7 03 2A 4B D8 3A 05 37...
> # ll l\\ ~~~~ ~ ~ ~ ~ | http://www.wcl.bham.ac.uk/~bam/
> ###LL LL\\ (Brian McCauley) |
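The check proposed in the quoted message, written out as an added example (it is not code from Perl, from the archive, or from either poster): a user-space set-id emulator consults fstatvfs() on the open script and ignores the set-id bits when the filesystem carries ST_NOSUID. The function names effective_setid and setid_bits_for_fd are hypothetical, and a platform that provides fstatvfs() is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <unistd.h>

/* Policy (hypothetical helper): which set-id bits of st_mode may take
 * effect, given the statvfs f_flag of the filesystem holding the file. */
mode_t effective_setid(mode_t st_mode, unsigned long f_flag)
{
    if (f_flag & ST_NOSUID)
        return 0;                       /* nosuid mount: ignore both bits */
    return st_mode & (S_ISUID | S_ISGID);
}

/* Query the already-open descriptor, not the path, so the file that was
 * checked is the file that gets read. Returns 0 on success, -1 on error;
 * *bits is 0 on error, so a failed check never grants privilege. */
int setid_bits_for_fd(int fd, mode_t *bits)
{
    struct stat st;
    struct statvfs vfs;

    *bits = 0;
    if (fstat(fd, &st) != 0 || fstatvfs(fd, &vfs) != 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return 0;                       /* only regular files qualify */
    *bits = effective_setid(st.st_mode, vfs.f_flag);
    return 0;
}

int main(int argc, char **argv)
{
    mode_t bits;
    int fd;

    if (argc != 2) {
        fprintf(stderr, "usage: %s script\n", argv[0]);
        return 2;
    }
    fd = open(argv[1], O_RDONLY);
    if (fd < 0 || setid_bits_for_fd(fd, &bits) != 0) {
        perror(argv[1]);
        return 1;
    }
    printf("%s: setuid %s, setgid %s\n", argv[1],
           (bits & S_ISUID) ? "honoured" : "ignored",
           (bits & S_ISGID) ? "honoured" : "ignored");
    close(fd);
    return 0;
}
```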
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:28:52 PDT