Search the FAQ Archives

3 - A - B - C - D - E - F - G - H - I - J - K - L - M
N - O - P - Q - R - S - T - U - V - W - X - Y - Z - Internet FAQ Archives

Unix - Frequently Asked Questions (4/7) [Frequent posting]
Section - How can I get setuid shell scripts to work?

( Part1 - Part2 - Part3 - Part4 - Part5 - Part6 - Part7 - Single Page )
[ Usenet FAQs | Web FAQs | Documents | RFC Index | Counties ]

Top Document: Unix - Frequently Asked Questions (4/7) [Frequent posting]
Previous Document: How do I sleep() in a C program for less than one second?
Next Document: How can I find out which user or process has a file open ... ?
See reader questions & answers on this topic! - Help others by sharing your knowledge

4.7)  How can I get setuid shell scripts to work?

      [ This is a long answer, but it's a complicated and frequently-asked
        question.  Thanks to Maarten Litmaath for this answer, and
        for the "indir" program mentioned below. ]

      Let us first assume you are on a UNIX variant (e.g. 4.3BSD or
      SunOS) that knows about so-called `executable shell scripts'.
      Such a script must start with a line like:


      The script is called `executable' because just like a real (binary)
      executable it starts with a so-called `magic number' indicating
      the type of the executable.  In our case this number is `#!' and
      the OS takes the rest of the first line as the interpreter for
      the script, possibly followed by 1 initial option like:

        #!/bin/sed -f

      Suppose this script is called `foo' and is found in /bin,
      then if you type:

        foo arg1 arg2 arg3

      the OS will rearrange things as though you had typed:

        /bin/sed -f /bin/foo arg1 arg2 arg3

      There is one difference though: if the setuid permission bit for
      `foo' is set, it will be honored in the first form of the
      command; if you really type the second form, the OS will honor
      the permission bits of /bin/sed, which is not setuid, of course.


      OK, but what if my shell script does NOT start with such a `#!'
      line or my OS does not know about it?

      Well, if the shell (or anybody else) tries to execute it, the OS
      will return an error indication, as the file does not start with
      a valid magic number.  Upon receiving this indication the shell
      ASSUMES the file to be a shell script and gives it another try:

        /bin/sh shell_script arguments

      But we have already seen that a setuid bit on `shell_script' will
      NOT be honored in this case!


      Right, but what about the security risks of setuid shell scripts?

      Well, suppose the script is called `/etc/setuid_script', starting

      Now let us see what happens if we issue the following commands:

        $ cd /tmp
        $ ln /etc/setuid_script -i
        $ PATH=.
        $ -i

      We know the last command will be rearranged to:

        /bin/sh -i

      But this command will give us an interactive shell, setuid to the
      owner of the script!
      Fortunately this security hole can easily be closed by making the
      first line:

        #!/bin/sh -

      The `-' signals the end of the option list: the next argument `-i'
      will be taken as the name of the file to read commands from, just
      like it should!


      There are more serious problems though:

        $ cd /tmp
        $ ln /etc/setuid_script temp
        $ nice -20 temp &
        $ mv my_script temp

      The third command will be rearranged to:

        nice -20 /bin/sh - temp

      As this command runs so slowly, the fourth command might be able
      to replace the original `temp' with `my_script' BEFORE `temp' is
      opened by the shell!  There are 4 ways to fix this security hole:

        1)  let the OS start setuid scripts in a different, secure way
            - System V R4 and 4.4BSD use the /dev/fd driver to pass the
            interpreter a file descriptor for the script

        2)  let the script be interpreted indirectly, through a frontend
            that makes sure everything is all right before starting the
            real interpreter - if you use the `indir' program from
            comp.sources.unix the setuid script will look like this:

                #!/bin/indir -u
                #?/bin/sh /etc/setuid_script

        3)  make a `binary wrapper': a real executable that is setuid and
            whose only task is to execute the interpreter with the name of
            the script as an argument

        4)  make a general `setuid script server' that tries to locate the
            requested `service' in a database of valid scripts and upon
            success will start the right interpreter with the right


      Now that we have made sure the right file gets interpreted, are
      there any risks left?

      Certainly!  For shell scripts you must not forget to set the PATH
      variable to a safe path explicitly.  Can you figure out why?
      Also there is the IFS variable that might cause trouble if not
      set properly.  Other environment variables might turn out to
      compromise security as well, e.g. SHELL...  Furthermore you must
      make sure the commands in the script do not allow interactive
      shell escapes!  Then there is the umask which may have been set
      to something strange...

      Etcetera.  You should realise that a setuid script `inherits' all
      the bugs and security risks of the commands that it calls!

      All in all we get the impression setuid shell scripts are quite a
      risky business!  You may be better off writing a C program instead!

User Contributions:

Sep 27, 2021 @ 1:13 pm
Hello ... Im looking a lover..
I love oral sex! Write me -
Oct 3, 2021 @ 2:14 pm
Try Your luck and win a FREE $500 or $1000 coupon! -
Oct 6, 2021 @ 3:15 pm
Hi baby!! my name is Virginia...
I love oral sex! Write me -
Oct 7, 2021 @ 12:00 am
Try Your luck and win a Free Coca-Cola Pack! -
Oct 12, 2021 @ 3:15 pm
WiFiBooster Pro provides you max speed with 300Mbps, no delay for playing game, online transfer files and video chat! Works with Any Router and Device (Smartphone, Computer, Smart tv, etc). Get 50% Off Today! Order Here -
Oct 18, 2021 @ 3:03 am
Fill out the form and win a Free $500 or $1000 voucher! -
Oct 18, 2021 @ 4:16 pm
hey dear!!! my name is Sophia...
I want sex! Here are my photos -
Oct 27, 2021 @ 4:16 pm
Hi !! my name Emily...
Do you want to see a beautiful female body? Here are my erotic photos -
Nov 6, 2021 @ 2:14 pm
heey .. my name Rebecca!!!
I love oral sex! Write me -
Dec 3, 2021 @ 7:19 pm
Hi !! my name Maria.
I love sex. Here are my erotic photos -
Dec 20, 2021 @ 5:05 am
Hi .. Im looking a man!!!
If you want to meet me, I'm here -
Jan 13, 2022 @ 4:16 pm
heey baby!!! my name Margaret..
I want sex! Write me -
Feb 5, 2022 @ 12:12 pm
Hi...?! I'm my name is Name.FirstName and I have
Good opportunity for Target.Name, just follow this link to learn Remote Zoom Hypnosys ::) (Many eyes for better hypnosys)
Rodawg Thepuss
Feb 5, 2022 @ 12:12 pm
Hi, my name is Rodawg Thepuss,Third of the name.
I am here to present you a new and exciting opportunity to take advantage of others with Hypnosis through TeamsMEET.Hypnosis Hypnosis Hypnosis Hypnosis Hypnosis Hypnosis Hypnosis .

This is a record access board which can hold 30 seconds information about all the Hypnosis teams in Singapore. These teams have made numerous activities in the whole of Singapore, which has led to many mass hypnosiemicy readings.

This is the fastest way you can fast way of getting your classmates' goal on term project , S P MOAR!

so join Hypnosis Team in to become team's master key. On my life I swear by the many success stories i have shared above.

To be free of all problems, if you will join my Virtual Talk seminar. No one could ever stop you from achieving success. Hypnosis can transform you into the waifu of your dreams by following the link:
Apr 12, 2022 @ 11:11 am
Hello Folks,

For old Linux distributions I could suggest this web site -
Oct 16, 2022 @ 10:10 am
side effects of stopping buspar inhese
Apr 3, 2023 @ 9:09 am
Regards, An abundance of posts!
funny college essay newsletter writing service
Apr 4, 2023 @ 2:02 am
You actually explained that well.
master thesis writer custom thesis writing service
Nathan Higgurs
Apr 20, 2023 @ 2:14 pm
There sure are a lot of spam comments on this page.
Sep 29, 2023 @ 3:03 am
hallo dear... Im looking a man.
I want sex! Write me -
Oct 1, 2023 @ 4:04 am
Thanks for the command name lore.
The bot comments are hilarious as well ;)
Tomak Zain Zarif
Nov 14, 2023 @ 1:01 am
I'm looking to get assistance for houseing please help me community others nowhere else to turn and I've exosted all leads. I'm diabetic,with narapathy in my feet and hands.I'm a strong black man 46 years of age just had birthday Nov.3/which makes me a humbled Scorpio until you piss me off#1im a born and raises decent of Los Angle Cali. If you want to call or email me hit me up #1 @ I defianately need a woman in my life. Hit me soon#1

Comment about this article, ask questions, or add new information about this topic:

Top Document: Unix - Frequently Asked Questions (4/7) [Frequent posting]
Previous Document: How do I sleep() in a C program for less than one second?
Next Document: How can I find out which user or process has a file open ... ?

Part1 - Part2 - Part3 - Part4 - Part5 - Part6 - Part7 - Single Page

[ Usenet FAQs | Web FAQs | Documents | RFC Index ]

Send corrections/additions to the FAQ Maintainer: (Ted Timar)

Last Update March 27 2014 @ 02:12 PM