ksh: $0 is different when setuid


Michael Wang

Feb 7, 2002, 6:49:26 AM2/7/02
$0 is different when setuid. I need setuid and $0 to be the program name
for the program to behave correctly. Is there a workaround?

Thanks.

--
[zilu:/tmp/k]ls -ls 1.ksh 2.ksh
8 -rwsr-xr-x 1 mwang other 21 Feb 7 06:40 1.ksh
8 -rwxr-xr-x 1 mwang other 21 Feb 7 06:40 2.ksh
[zilu:/tmp/k]cat 1.ksh
#!/bin/ksh

print $0
[zilu:/tmp/k]cat 2.ksh
#!/bin/ksh

print $0
[zilu:/tmp/k]./1.ksh
/bin/ksh
[zilu:/tmp/k]./2.ksh
./2.ksh
--

Bill Marcum

Feb 7, 2002, 9:27:03 AM2/7/02

Michael Wang wrote in message ...

>$0 is different when setuid. I need setuid and $0 to be the program name
>for the program to behave correctly. Is there a workaround?
>
>Thanks.
>
Use a variable instead of $0:
case $0 in
*/ksh) PROGNAME="the name you want" ;;
*) PROGNAME=$0 ;;
esac


Valdis Kletnieks

Feb 7, 2002, 2:12:13 PM2/7/02
mw...@mindspring.com (Michael Wang) writes:

> $0 is different when setuid. I need setuid and $0 to be the program name
> for the program to behave correctly. Is there a workaround?
>
> Thanks.
>
> --
> [zilu:/tmp/k]ls -ls 1.ksh 2.ksh
> 8 -rwsr-xr-x 1 mwang other 21 Feb 7 06:40 1.ksh
> 8 -rwxr-xr-x 1 mwang other 21 Feb 7 06:40 2.ksh

I'm surprised your system *allows* setuid shells. Have you verified
that the shell in fact *does* run set-UID to the owner? (an '/bin/id'
in the script would do it - run it while logged in as somebody ELSE).
Set-UID shell scripts are almost always a *major* security problem,
starting with people who play games with IFS, and running to symlink
games(*) and race conditions....

You may also want to consider that #! causes re-reading of the
shell a second time (the source of many security holes with set-uid
scripts) - most likely, what you are seeing in the set-UID case is
that the kernel has reset argv[0] to /bin/ksh because that's what's on
the #! line, and that's what's passed to the actual shell...

You might want to consider re-doing your program in a non-interpreted
language, or using a small secure set-UID helper written in C to launch
your script for you.
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech

(*) Symlink attack:

PATH=.:$PATH # get . in your $PATH
ln -s /some/setuid/script ./-i # Create a symlink called '-i' to the script
-i # Run the script

So the script launches set-UID.. sees its argv[0] starts with a -, which is
its cue to run as a login shell (that's how /bin/login and friends tell your
shell it's a login shell). So it runs the .profile/etc. However - $HOME
is *your* home directory, so it runs YOUR .profile with HIS permissions.

Install trojans, add salt, pepper, and other seasonings to taste....

Barry Margolin

Feb 7, 2002, 2:25:34 PM2/7/02
In article <aRt88.3$333....@news.uswest.net>,

I'm surprised at this. I would expect it to print something like
/dev/fd/3. On systems that allow setuid scripts, they avoid the link race
condition by specifying a file descriptor as the script name rather than
the actual file name. At least, that's how it works on Solaris; what OS
are you using? Maybe your OS doesn't have /dev/fd, but it runs the shell
with a special option that causes it to read the script from a file
descriptor rather than a filename.

In any case, when the system uses techniques like this to avoid the
race condition security problem, you lose the ability to find out the
script name (unless the system puts it into an environment variable).

--
Barry Margolin, bar...@genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
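Putting Bill's PROGNAME fallback together with Valdis's "run id in the script" check and Barry's note that secure-script systems hand the shell a /dev/fd/N path instead of the file name, as an added example that is not from any poster in this thread. The fallback name "myprog" is a placeholder; `id -u` / `id -ru` are the standard effective/real UID queries.

```shell
#!/bin/sh
# Added example, not from the thread. Derives a usable program name when
# the kernel has replaced $0 with the #! interpreter or with a /dev/fd/N
# descriptor path, and reports whether set-UID actually took effect.

# resolve_progname FALLBACK ARGV0
# Prints the basename of ARGV0 unless it looks like an interpreter path or
# a descriptor path (the set-UID cases discussed above); then prints FALLBACK.
resolve_progname() {
    fallback=$1
    argv0=$2
    case $argv0 in
        */ksh|ksh|*/sh|sh|*/bash|bash) printf '%s\n' "$fallback" ;; # #! interpreter
        /dev/fd/*|/proc/self/fd/*)      printf '%s\n' "$fallback" ;; # fd-based secure script
        '')                             printf '%s\n' "$fallback" ;; # nothing at all
        *)                              printf '%s\n' "${argv0##*/}" ;;
    esac
}

# is_setuid_active: exit 0 only when the effective UID differs from the
# real UID, i.e. the s bit on the script really changed who we run as.
is_setuid_active() {
    [ "$(id -u)" != "$(id -ru)" ]
}

PROGNAME=$(resolve_progname myprog "$0")   # "myprog" is a placeholder name
if is_setuid_active; then
    printf '%s: running set-UID (euid=%s, ruid=%s)\n' "$PROGNAME" "$(id -u)" "$(id -ru)"
else
    printf '%s: set-UID not in effect\n' "$PROGNAME"
fi
```

Run it as a user other than the file owner to see which branch your system takes; if $0 comes back as /dev/fd/N you are on a system that closes the link race Barry describes.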

Dan Mercer

Feb 7, 2002, 5:49:36 PM2/7/02
In article <OwA88.19$R16.33156@burlma1-snr2>,

You might look in $_

--
Dan Mercer
dame...@mmm.com

Opinions expressed herein are my own and may not represent those of my employer.
