SUID Shell脚本的危险

Dangers of SUID Shell Scripts
This article attempts to walk the fine line between full disclosure and published exploits. The object of this article is to illustrate how SUID programs work in order to help others w riting their own programs avoid some common mistakes. The examples I provide are detailed enough to help you understand each danger, but I don’t promise that all will work exactly as demonstrated if you try to use them maliciously. (sidebar）

Normally, UNIX scripts and programs run with the same permissions as the user who executes them. This is why typical users can’t change their passwords by editing the /etc/passwd file; they don’t have the permission to w rite to /etc/passwd, and no command they run will either. SUID programs, however, override normal permissions and always run with the permissions of the program’s owner. Therefore, users can use the /usr/bin /passwd command to change their passwords. The /usr/bin/passwd command is SUID and is owned by root. It always runs with the same permissions as root.

When new administrators discover SUID, they often see it as a silver bullet that will solve all of their problems. They immediately begin using SUID scripts and programs to make their jobs easier. Unfortunately, they usually do it w rong. When working with admins new to SUID, I often encounter scripts like this:

% ls change-pass
-rwsr-x— 1 root helpdesk
37 Feb 26 16:35 change-pass
% cat change-pass

!/bin/csh -b

set user = $1 passwd$user

This simple script was set up to allow the help desk reset user passwords, which is a common need. The script is SUID root and is only executable by root or the members of the help desk group. This simple script is also riddled with holes. I’m going to expose seven of these holes and see whether they can be prevented. (sidebar)

The first problem occurs because this script is w ritten in C-shell. C-shell scripts are vulnerable to manipulating environment variables. To take advantage of this, a hacker can compromise a help desk account (fairly trivial) and give himself a root shell with:

% env TERM=’cp /bin/sh /tmp/sh;chown root /tmp/sh;chmod 4755/tmp/sh’ change-pass

Lesson One – Never use C-shell f or SUID scripts.

% cat change-pass

!/bin/ksh

user=$1 passwd$user

Rew riting the script in Korn shell helps us avoid the C-shell problem , but we still have problems. The script is vulnerable to a hacker manipulating the PATH variable. Because the program uses relative path names, a hacker can change his PATH to use his own program instead of the regular /usr/bin/passwd program:

% export PATH=’/tmp’
% echo “cp /bin/sh /tmp/sh;chown root /tmp/sh;chmod 4755/tmp/sh” >/tmp/passwd
% ./change-pass

The PATH has been changed, and the change-pass command now runs the /tmp/passwd program instead of the /usr/bin /passwd program that we intended.

Lesson Two – A lways manually set the PATH and use absolute path names.

% cat change-pass

!/bin/ksh PATH=’/bin:/usr/bin’

user=$1 /usr/bin/ passwd$user

Now the PATH is secure and we are using absolute paths; but look closely and see that this script can change any password, even root’s! We don’t want the help desk (or a hacker) using our script to change root’s password.

Lesson Three – Understand how the programs in your script work.

% cat change-pass #!/bin/ksh PATH=’/bin:/usr/bin’ user=$1 rm /tmp/.user echo "$user” > /tmp/.user isroot=’/usr/bin/grep -c root /tmp/.user’ [ “$isroot" -gt 0 ] && echo "You Can't change root's password!" && exit /usr/bin/passwd$user

Now this script will exit if someone enters root as the argument. But what happens if a hacker runs the program and doesn’t specify an argument? The program will run the passwd command without any arguments. When the passwd command doesn’t receive any arguments, it defaults to the current user. The problem is that in a root-owned SUID script, the current user is always root. The help desk (or hacker) can still change root’s password by not giving change-pass any arguments. Lesson Three (revised) – Understand how the programs in your script work, especially how they handle arguments.

% cat change-pass #!/bin/ksh Sys Admin > Dangers of SUID Shell Scripts http://web.archive.org/web/20071011040421/http:/… 1 von 3 22.01.2010 13:49 % cat change-pass #!/bin/ksh PATH=’/bin:/usr/bin’ user=$1 [ -z$user ] && echo “Usage: change-pass username” && exit rm /tmp/.user echo “$user" > /tmp/.user isroot='/usr/bin/grep -c root /tmp/.user' [ "$isroot” -gt 0 ] && echo “You Can’t change root’s password!” && exit /usr/bin/passwd $user

We no longer let anyone change root’s password, but notice that we are using a temporary file. This script deletes the temporary file, recreates it, fills it with the username, and finally checks to see whether the username is root.

What if a hacker could time things perfectly so that just after the script removes the /tmp/.user file, but just before it creates a new /tmp/.user file, he created an empty /tmp/.user file? Would the hacker’s file be overwritten? Possibly, but possibly not, depending on how file clobbering was set up. If the hacker’s /tmp/.user is not overwritten, the hacker bypasses the checks and fools the script into changing root’s password. To make this type of attack easier, a hacker could w rite a program that will automatically watch for activity and replace the /tmp/.user file.

Lesson Four – Don’t use temporary files! If you must use temporary files, don’t put them in a publicly writable area.

% cat change-pass #!/bin/ksh PATH=’/bin:/usr/bin’ user=$1 [ -z$user ] && echo “Usage: change-pass username” && exit [ “$user" = root ] && echo "You can't change root's password!" && exit /usr/bin/passwd$user

There are no temporary files, but now a hacker can use the well-known semi-colon trick. A semi-colon lets you put more than one command on a single line. By taking advantage of this, a hacker could type:

---

快捷键

• 加粗 Ctrl + B
• 斜体 Ctrl + I
• 引用 Ctrl + Q
• 插入链接 Ctrl + L
• 插入代码 Ctrl + K
• 插入图片 Ctrl + G
• 提升标题 Ctrl + H
• 有序列表 Ctrl + O
• 无序列表 Ctrl + U
• 横线 Ctrl + R
• 撤销 Ctrl + Z
• 重做 Ctrl + Y

Markdown及扩展

Markdown 是一种轻量级标记语言，它允许人们使用易读易写的纯文本格式编写文档，然后转换成格式丰富的HTML页面。 —— [ 维基百科 ]

使用简单的符号标识不同的标题，将某些文字标记为粗体或者斜体，创建一个链接等，详细语法参考帮助？。

本编辑器支持 Markdown Extra , 　扩展了很多好用的功能。具体请参考Github.

表格

Markdown　Extra　表格语法：

项目	价格
Computer	$1600
Phone	$12
Pipe	$1

可以使用冒号来定义对齐方式：

项目	价格	数量
Computer	1600 元	5
Phone	12 元	12
Pipe	1 元	234

定义列表

Markdown　Extra　定义列表语法： 项目１ 项目２

定义 A

定义 B

项目３

定义 C

定义 D

定义D内容

代码块

代码块语法遵循标准markdown代码，例如：

@requires_authorization
def somefunc(param1='', param2=0):
    '''A docstring'''
    if param1 > param2: # interesting
        print 'Greater'
    return (param2 - param1 + 1) or None
class SomeClass:
    pass
>>> message = '''interpreter
... prompt'''

脚注

生成一个脚注1.

目录

用 [TOC]来生成目录：

数学公式

使用MathJax渲染LaTex 数学公式，详见math.stackexchange.com.

• 行内公式，数学公式为：$\Gamma(n) = (n-1)!\quad\forall n\in\mathbb N$。
• 块级公式：

$$x = \dfrac{-b \pm \sqrt{b^2 - 4ac}}{2a}$$

更多LaTex语法请参考 这儿.

UML 图:

可以渲染序列图：

或者流程图：

• 关于 序列图 语法，参考 这儿,
• 关于 流程图 语法，参考 这儿.

离线写博客

即使用户在没有网络的情况下，也可以通过本编辑器离线写博客（直接在曾经使用过的浏览器中输入write.blog.csdn.net/mdeditor即可。Markdown编辑器使用浏览器离线存储将内容保存在本地。

用户写博客的过程中，内容实时保存在浏览器缓存中，在用户关闭浏览器或者其它异常情况下，内容不会丢失。用户再次打开浏览器时，会显示上次用户正在编辑的没有发表的内容。

博客发表后，本地缓存将被删除。　

用户可以选择 把正在写的博客保存到服务器草稿箱，即使换浏览器或者清除缓存，内容也不会丢失。

注意：虽然浏览器存储大部分时候都比较可靠，但为了您的数据安全，在联网后，请务必及时发表或者保存到服务器草稿箱。

浏览器兼容

1. 目前，本编辑器对Chrome浏览器支持最为完整。建议大家使用较新版本的Chrome。
2. IE９以下不支持
3. IE９，１０，１１存在以下问题
   
   1. 不支持离线功能
   2. IE9不支持文件导入导出
   3. IE10不支持拖拽文件导入

---

---

1. 这里是 脚注 的 内容. ↩