Passing script by fd on Linux and setuid scripts

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Passing script by fd on Linux and setuid scripts

From:	Petr Skočík
Subject:	Passing script by fd on Linux and setuid scripts
Date:	Sun, 31 Jul 2016 22:10:39 +0200
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0

Hi.

The bash reference mentions that /dev/fd/* files are treated specially,
as filedescriptors, when used in conditionals.

However, they're not if they're passed as script arguments to the bash
binary (e.g., `bash /dev/fd/3`).

If they were, it would be possible to have a small setuid-root
indirection binary start bash scripts via filedescriptors, thereby
eliminating the race condition setuid-script vulnerability mentioned in
Gilles's answer at
http://unix.stackexchange.com/questions/364/allow-setuid-on-shell-scripts#2910.

(Whether the rest of the execution would be secure with setuid is
another question)

Running readlink on the actual /dev/fd/$something could then be used to
set $0.

I think it would make sense. What do you think?

Attached is a tentative patch that implements the above described
functionality.

Best regards,
Petr Skocik

passing-scripts-via-fds.patch
Description: Text Data

[Prev in Thread]

Current Thread

[Next in Thread]

a=$* -> crash, Andreas Schwab, 2016/07/27
- Re: a=$* -> crash, Chet Ramey, 2016/07/27
  - Passing script by fd on Linux and setuid scripts, Petr Skočík <=

Prev by Date: Re: bug in [ -f file ] test
Next by Date: Odd bugs when no job control support
Previous by thread: Re: a=$* -> crash
Next by thread: echo builtin command will give the wrong value of the variable when there is a file named: 11 in the current directory
Index(es):
- Date
- Thread