SPUG: This /bin/ps is not secure for setuid operation
Jeremy A. Mates
jmates at mbt.washington.edu
Thu Jul 20 14:06:47 CDT 2000
On Thu, 20 Jul 2000, Kim Goldov wrote:
> I could fork off a child and run the /bin/ps under the real uid, however I
> don't see why I should have to do this. I'm not even trying to use any
> tainted data. Why should /bin/ps be a problem and not /bin/ls?
I would check the permissions on /bin/ps, /bin, and /, and maybe how
perl was compiled on the machine in question.
Your script, modified to:
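
    #!/usr/local/bin/perl -T
    # Set a known PATH and blank the shell startup variables before running anything
    $ENV{PATH} = "/sbin:/usr/sbin:/bin:/usr/bin:/usr/X12R6/bin";
    $ENV{BASH_ENV} = "";
    $ENV{ENV} = "";
    # Read the output of ps through a pipe and print its header line
    open(PS, "/bin/ps -ef|") || die "ouch";
    my @ps = <PS>;
    print $ps[0], "\n";
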
Ran fine in mode 4755 for both root/ordinary user on Digital Unix/perl
5.005 and Solaris/perl 5.6 for me.
For easy tainting, I usually include something similar to the following
in my scripts to ensure the cleansing gets done early:

    # BEGIN runs at compile time, so the environment is clean before any other code
    sub BEGIN {
        delete @ENV{
            qw:IFS CDPATH ENV BASH_ENV:
        };
        $ENV{'PATH'} = '/bin:/usr/bin';
    }

--
Jeremy Mates (206) 221-4714 Fax: 685-7301
Systems Administrator K353-B, Health Sciences Center
http://www.mbt.washington.edu/ Box 357730
University of Washington Seattle, WA, 98195
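
An added example (not part of the original post and not the poster's code) that combines the two suggestions in the reply: it checks ownership and write permissions on /, /bin and /bin/ps, scrubs the environment in a BEGIN block, and runs ps through a list-form pipe open so that no shell parses the command. The helper names audit_path and ps_header are hypothetical, and the list-form open assumes Perl 5.8 or later.

```perl
#!/usr/bin/perl -T
# Added example, not from the original post. Helper names are hypothetical.
use strict;
use warnings;

# Scrub the environment at compile time, before any other code can run.
BEGIN {
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    $ENV{PATH} = '/bin:/usr/bin';
}

# Return a list of findings for one path: not owned by root, or writable
# by group or other. A deliberately conservative check; stat() follows
# symlinks, so a /bin that points at /usr/bin is checked at its target.
sub audit_path {
    my ($path) = @_;
    my @st = stat($path) or return ("$path: cannot stat: $!");
    my ($mode, $uid) = @st[2, 4];
    my @problems;
    push @problems, "$path: owned by uid $uid, not root" if $uid != 0;
    push @problems, sprintf('%s: group/world writable (mode %04o)',
                            $path, $mode & 07777)
        if $mode & 0022;
    return @problems;
}

# Run /bin/ps without a shell and return its header line.
sub ps_header {
    # With the list form, /bin/ps is exec'd directly with '-ef' as its only
    # argument, so shell metacharacters and shell startup files play no part.
    open(my $ps, '-|', '/bin/ps', '-ef') or die "cannot run /bin/ps: $!";
    my @lines = <$ps>;
    close($ps) or die "/bin/ps exited with status $?";
    return $lines[0];
}

# Report anything suspicious about the binary and the directories above it,
# then run the command.
my @problems = map { audit_path($_) } ('/', '/bin', '/bin/ps');
print STDERR "warning: $_\n" for @problems;
print ps_header();
```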