It's not a Feature, It's a Vulnerability! 180
pmeunier writes "Apple's security stance is stunning. In the latest (10.3.9) update, Apple removed two capabilities because they pose security risks. One of them is the capability to run setuid and setguid scripts (the other was actually unused). Can other commercial OS vendors (how many are there :) adopt a similar stance? Will you be inconvenienced by the inability to run setuid scripts on MacOS X? Which other features/capabilities (in any OS) would you like to have removed?"
Stunning? (Score:3, Insightful)
Re:Stunning? (Score:5, Informative)
Especially since IBM's AIX hasn't allowed SUID scripts since version 3.5.something...
The problem with suid scripts (Score:5, Informative)
The problem with suid scripts is the mechanism for implementing scripts. Essentially, a script is an executable beginning with (arg is often left blank). When you run it, is translated by the kernel to which is then executed. If the script is setuid, then logically the interpreter should be setuid.
Suppose then that you have a bash script
Linux fixes this (if you turn on setuid scripts) with the
re: arg is often left blank? (Score:2)
Never.
If it was such a problem, why not make the shell disallow execution of scripts without an explicit invocation line?
Re:The problem with suid scripts (Score:2)
Re:The problem with suid scripts (Score:2)
I tried making a bash script called -i in /tmp and it executed as expected on OS X 10.3.9. The same when I symlinked -i to another script.
Here's my script:
Here's my execution:
Re:The problem with suid scripts (Score:2, Informative)
OK. If you want to be anal,
execv(scriptname, {scriptname, arg1, arg2, arg3, NULL}) is translated by the kernel to
execv(interpreter, {interpreter, arg, scriptname, arg1, arg2, arg3, NULL}).
Happy?
Re:Stunning? (Score:5, Funny)
Imagine if Microsoft just removed IE because of all the security problems....wait. Let me re-think my position on this.
Re:Stunning? (Score:3, Informative)
Re:Stunning? (Score:5, Funny)
Re:Stunning? (Score:2)
Setuid scripts are a different ball of barbarian invaders.
Re:Stunning? (Score:2)
Re:Stunning? (Score:2, Informative)
The correct "fix" is removal. Is there any way to make that more clear?
Re:Stunning? (Score:2)
Agreed. I was working on Solaris about five years ago and it didn't allow setuid root scripts.
Re:Stunningly *stupid* (Score:3, Insightful)
2. Even when it's used for what it's there for, it's being misused.
3. No competent sysadmin counts on it being there. Ever.
4. Most "real" flavors of *nix threw it away a long time ago.
If Apple is open to criticism, it's for not chucking it sooner.
Re:Stunningly *stupid* (Score:4, Interesting)
Bzzt. If you depend on such things, you should have your badge revoked. Setuid on scripts is a horrible hack, because the execution mechanism of shell scripts allows users to tinker with the internals of the suid resource.
This should never, ever, ever be allowed.
Re:Stunningly *stupid* (Score:4, Funny)
Weight the trade off (Score:4, Insightful)
The OS is already built with abilities to SUDO applications so perhaps Apple will figure out a more secure way of implementing the SetUserID feature so as not to create a vulerability. If they have to have it, then it probably needs to a an Admin level tool anyway.
Re:Weight the trade off (Score:5, Informative)
Second, perl (a scripting language) has really led the way here - perl has not allowed for running of setuid and setgid in scripts for a long time.
Third, if you really need setuid and setgid to run your script, you can create a C wrapper for it. Yes, it's a pain, but it really emphasizes that you really know what you're doing. I remember seeing stuff like (fake URL) http://www.idioticmoron.org?command="runme.sh", which a smart hacker would see and convert to http://www.idioticmoron.org?command="runme.sh;env
What is setuid and setgid? It runs the program as the owner (or group) of the program instead of the executor (the group ID is so the owner can run it with one set of permissions and the group a different set). In this way, you can have something like a counter that can be run by anyone but writes to a file that only that user can write to. To create such a file, you'd do something like chmod 4711 test.sh (setuid) or chmod 2711 test.sh (setgid). Since test.sh is a script (a shell script to be particular), this shouldn't be allowed now. A C program can call setuid and setgid internally, if it has permissions to (say, is running as root), so it can change the executor to the desired user or group and then run the script.
Re:Weight the trade off (Score:3, Informative)
not being able to run setuid or setgid as root means you can only hack the exploited user or group, not the entire OS.
Personally... (Score:2, Insightful)
Then again, I've never used this, I have no idea what I'm talking about, and I'm just exercising my Slashdot right to be opinionated!
no suid (Score:3, Insightful)
Re:no suid (Score:5, Informative)
The parent also didn't read the linked article:
emphasis mine. I'm going to guess shell scripts weren't the only kind of text file you could SUID/SGID ...
Please remove these ... (Score:4, Interesting)
Thank god for applications like Netapp, which keep a readily availble copy of most directories in '$PWD/.snapshot . This has saved my ass a dozen times...
Re:Please remove these ... (Score:2)
Re:Please remove these ... (Score:3, Informative)
http://www.netapp.com/products/software/snapshot. h tml [netapp.com]
Basically, the Netapp takes a snapshot of your directories on a regular schedule (hourly, nightly, weekly, whereever). If you want to recover an old version of the file, it's as simple as a 'cp
Also, when you rm a file, the Netapp can put the removed file in a $PWD/.gone directory in case you removed it by accident, and removes the file later (1
Derrrrrr.... (Score:4, Interesting)
Re:Derrrrrr.... (Score:3, Informative)
Re:Derrrrrr.... (Score:5, Informative)
if the setuid bit on a file is set, then any execution of that file is done with the privileges the file's owner (or group in the case of setguid).
for example:
$ chmod 4754 foo.sh
$ ls -l foo.sh
-rwsr-xr-- 1 root foousers 17 Apr 18 15:11 foo.sh
Now anyone in wheel can run foo.sh with root privileges.
$ chmod 2755 foo.sh
$ ls -l foo.sh
-rwxr-sr-x 1 root foousers 0 Apr 18 15:11 foo.sh
Now anyone on the system can run foousers with the privileges of a foousers member.
Re:Derrrrrr.... (Score:4, Insightful)
It won't be very easy to find the programs without a 'find' command.
Note that the only difference between a regular file and an suid-bit file is a teeny one-bit change-- there's an 's' instead of an 'x' or '-'. It's hard to see, and many people don't know it is when they see it.
Is that the sort of 'needle in a haystack' obsfucation that introduces all sorts of security issues.
Re:Derrrrrr.... (Score:3, Informative)
Considering that it's OS X we are talking about, find is already there.
Will give you your list, not sure how many actually show up, I'll have to check when I get back in front of a Mac.
Re:Derrrrrr.... (Score:4, Informative)
Answers (Score:5, Informative)
It'd be nice.
Will you be inconvenienced by the inability to run setuid scripts on MacOS X?
Not at all. SUID scripts are a huge hole. See What security problems exist with SUID scripts and programs? [tech-faq.com] for an example. SUID scripts are usually created by lazy people who can't be bothered to figure out permissions.
Which other features/capabilities (in any OS) would you like to have removed?
I'd like to see the instant-flamewar generator removed.
Re:Answers (Score:4, Funny)
Re:Answers (Score:2)
SETUID != SETUID ROOT
Badly used setuid is a nightmare.
Properly used it's paradise.
Re:Answers (Score:2)
Also, IIRC (and FWIW), if you run Windows as a normal user, Windows won't allow you to run a program as Administrator, unless you supply credentials.
Re:Are you out of your mind? (Score:2)
Come on now, a Ruby script is much less likely to have buffer overflow vulnerabilities than some-random-bit-of-C and yet you say that the latter can safely be made suid and the former cannot?
I thought the real reason for disallowing suid scripts was not to protect people from themselves, but because of a race condition. The script interpreter is invoked with the _name_ of the program t
Re:Are you out of your mind? (Score:2)
including the function was a mistake. (Score:5, Informative)
Taking it out will undoubtedly inconvenience some folks, but it's sort of like being given a power tool without some critical piece of safety gear. Apple has, in essence, forced you to install that gear on your power tool, like it or not. If it inconveniences you, then you weren't using the tool safely to begin with.
From what I understand, it's usually better to use sudo for this anyway... you can set up sudo so that it will only allow you to execute a particular program or set of programs. The sudoers file is more than slightly cryptic, and it's a bit more typing (both "sudo" and possibly the user password), but this will give you much better safety.
If you just absolutely can't stand doing it that way, then write your script in perl or C and SUID that version. Note that it takes special care in both instances... SUID programs are dangerous, and if someone cracks a user account on your system, that's going to be one of the first things they'll look at to try to get root. Don't just toss something together, go look up how to do it safely. (short form: don't trust your environment, don't trust user input). Perl has some special functions just for this purpose, so be sure to read its documentation carefully.
Re:including the function was a mistake. (Score:3, Informative)
Well, you can at least mitigate some of the problems by starting your script with "-pe". The "p" flag disables use of the user's ENV setting and ~/.*rc files. And "-e" has it bail on error.
Most shells should give you -p behaviour on SUID or SGID anyway (no matter what account they S?ID to).
I always set both in my scripts; what's the use of seeing someone's alias table? And if they're one of those weird people who doesn't know the difference between .profile and .(ba|k|z|)shrc, well, I don't want the
speaking of suid vulnerabilities (Score:4, Interesting)
Severity of course depends on how your system is used.
Re:speaking of suid vulnerabilities (Score:2)
Fixed in Security Update 2005-004; or at least the description of the fix includes text concerning mRouter and iSync.
Apparently, posting the vuln on
Re:NOT A PROBLEM (Score:2)
This isn't Windows. Slowing down root escalation will at least keep the skr1pt k1ddies busy for a little while. Yes, you want to keep them out... but you don't write your PIN on the back of your teller card just because "if someone has physical access to your wallet you have worse problems than worrying about an unauthorised withdrawal".
Hardly (Score:2)
Re:Hardly (Score:2)
Linux doesn't allow it either (Score:3, Informative)
If you want to play, try making a script owned by root, which modifies something a normal user can't. Set it SUID (chmod u+s filename). Run it as a normal user. Shouldn't work (except on older OS/X).
Now, try setting vi or a copy of it SUID. (Again, make sure root owns it, and "chmod u+s filename".) Now run it as a normal user, and, say, edit your
Now that you're done, get rid of those suid files so nobody else uses them.
Solaris already blocks SetUID shell scripts... (Score:3, Informative)
seems like a "good thing" to me.
This is a smart move by Apple (Score:5, Funny)
Alternative Data Streams (Score:2)
Re:Alternative Data Streams (Score:2)
Re:Alternative Data Streams (Score:2)
I think the NTFS guru that came up with this intended them to be used in ways that we in the UNIX world use directories. See OS X's
The article asked for features that should be removed. I can't imagine any legitimate reason to keep this half-baked idea around.
Re:Alternative Data Streams (Score:2)
Re:Alternative Data Streams (Score:2)
No, they intended them to be used for storing metadata about the file so it could be indexed for searching purposes (like BeOS/BFS did).
This is why WinFS is such a silly idea. Instead of using the inherent, built-in features of the OS's native filesystem that hav been around for nigh-on 15 years now, Microsoft are instead adding
Re:Alternative Data Streams (Score:2)
Re:Alternative Data Streams (Score:2)
Or like the Macintosh resource fork.
Or like the elements in OS/1100 files, though they ended up being used the way files are in other operating systems, with the files themselves treated like directories.
The thing is, unless you can get all operating systems and applications to handle, preserve, and interconvert these objects, they're more trouble than they're worth. Yo
System calls (Score:2)
How about fixing the system call mechanism so that you can't use a non-null byte to make system calls from shell code? The problem (PDF) [phathookups.com] has been known for a couple of years now. While it won't eliminate buffer overflow shellcode, it will make it a lot harder to write shellcode for OS X.
Re:System calls (Score:2)
"fixing the system call mechanism"? (Score:2)
There is always more than one way to get basically any value you might want loaded into the proper registers. Once the registers are loaded, there's a single instruction that's used to initiate a system call, the "sc" instruction.
The opcode for "sc" ALREADY includes two embedde
I heard that G5s (Score:2)
If so,it'd be nice. Those bits are reserved, but that doesn't mean that they should be unchecked.
Why this is a non-issue... (Score:5, Informative)
It didn't take long before it was obvious that setuid scripts were a REALLY bad idea, and they've been backed out of one UNIX version after another. this isn't a matter of redefining a feature as a bug, it's a matter of asking "what took you so long?"...
Whoever approved this story should be ashamed of themselves. There's more than enough REAL news that matters...
One Word. (Score:2)
Macros.
Rammed down our throats? (Score:2, Insightful)
Something to think about is that anyone with root (on a Unix-esque system) can make a system insecure. This doesn't just apply to Unix, however. Anyone with super-user access to a system can demolish the security of any operating system, however. There are just too many things that can be done to leave nearly any system wide open.
There are also more than a few reasons to intentionally make a system insecure. Perhaps the system is part of a trusted network, with limited physical access. In that case,
Re:Rammed down our throats? (Score:5, Informative)
Disallowing SUID/SGID scripts is industry standard in UNIX-land. Not that "everyone else does it" is a good justification on its own. But, in this case "everyone else had a reason".
You can easily run a script as any ID you desire via sudo, provided with the system. As Apple states, none of their software uses SUID/SGID scripts. And I very much doubt any 3rd-party software does also. It is just such a universally unavailable feature, no UNIX programmer would think to even try it these days.
Re:Rammed down our throats? (Score:2)
Unfortunately this example from a vendor with 3.4 billion dollars US [slashdot.org] to spare shows this is not quite true:
Is IE really a feature? (Score:4, Funny)
Internet Explorer.
Re:Is IE really a feature? (Score:2)
doesn't everyone remember icab?
Answers : yes, no, where to start? (Score:4, Insightful)
they do, clearly. There are just too many examples of features dropped between releases of operating systems to pick only one.
Will you be inconvenienced by the inability to run setuid scripts on MacOS X?
no. It was a mistake that the feature was ever included. You should SUID/SGID binaries, not text files or anything else. Scripts are not binaries.
Which other features/capabilities (in any OS) would you like to have removed?
Can I vote for eliminating the ability of any OS to create annoying, non-standards-supporting web pages that use too much Flash and/or Javascript ? Can I prevent any OS from sending out spam email ? Can I remove the ability of a compiled application to crash the machine? No? Too bad. In any given system, there are a lot of features that aren't really needed and can be either a source of confusion or a source of problems. Most of these shouldn't be in the OS layer, and ( like the SUID issue ) should be tightened up if they are in that layer.
Fundamentally, though, the SUID/SGID thing referenced in the story is a non-issue. If I have console access, typing "sudo" and a password isn't even an inconvenience. It's already been pointed out that this feature has already been removed from almost every other major Un*x variant, including Linux.
Apple did not remove SUID/SGID on scripts (Score:5, Insightful)
Re:Apple did not remove SUID/SGID on scripts (Score:2)
I dumped defaults and sysctl, and there wasn't anything. So now I'll plow through all my plists looking for the "I'm a retard" switch so I can turn it off.
Thanks, Apple.
sysctl -w kern.sugid_scripts=1 (Score:2)
You asked for it.... (Score:3, Funny)
Windows, all flavors, TCP/IP.
been done (Score:2)
Stunning? (Score:2)
Interesting. I don't recall praising MS for stunning security stance when they decided to deliberately break some functionality for the sake of security with the release WinXP SP2. Funny thing, it was spun a bit differently, IIRC...
Can other commercial OS vendors (how many are there
Indeed they should. So we can bash or praise them for it, depending on wether they are MS or not.
Re:Stunning? (Score:2)
Insomnia Kernel Extension Script (Score:2)
I guess you could say that I'm effected by this, but I'll get over it. Sudo should be able to adapt, or else I'll just run the script from the command line.
Re:Insomnia Kernel Extension Script (Score:2)
kalak ALL = PASSWD:ALL, NOPASSWD:
No password required to load/unload extentions. Not what I call the best policy, but is it better or worse then general SUID is the question? Any thoughts on the lesser of two security holes?
Re:Insomnia Kernel Extension Script (Score:2)
Re:Insomnia Kernel Extension Script (Score:2)
Re:Insomnia Kernel Extension Script (Score:2)
Hmmm...
Sounds like Insomnia needs a user interface to go along with the kernel extension. How about this one [alxsoft.com]?
What do these do? (Score:2)
Re:Companies warning to NOT install the upgrade (Score:2, Interesting)
Re:Companies warning to NOT install the upgrade (Score:3, Informative)
No, it's a bug, according to Dave Hyatt [mozillazine.org], author of Safari.
Re:Companies warning to NOT install the upgrade (Score:3, Informative)
Now, here's what ticked me off. They changed the "View Source" command from "COM-OPT-V" to "COM-OPT-U" for no apparent reason. That one had me really stumped for about 3 seconds this morning. Damn you Apple!!!!!
Re:Companies warning to NOT install the upgrade (Score:2)
Re:Companies warning to NOT install the upgrade (Score:2)
I don't... so I don't.
Installing software is gonna happen.
As far as I'm concerned, the only use of shipping a browser with an OS is to make it easy to get to Mozilla. But, in all truthfullness... I could do it without a browser.
[checks...]
Just for grins, I just went and downloaded 1.7.7 via the command line using ftp. So... fsck that. They can spend the browser money on something else.
The OS should not have a built in
Re:Companies warning to NOT install the upgrade (Score:2)
Futhermore, and most importantly, I would applaud not having the browser be part of the OS. And not an unnecessary security vector for the entire OS.
As things should be.
Can't tell the difference between a browser developed by a company... and one included by a company?
Try middle school. And stay awake this time...
Re:Companies warning to NOT install the upgrade (Score:2)
Re:Ping (Score:4, Informative)
How would something like ping be handled ( I don't use OS X )?
Only applies to scripts, not to compiled executeables. So it wouldn't matter at all.
Re:Ping (Score:5, Informative)
Re:Ping (Score:2)
enter password:
Re:Ping (Score:2)
Re:Ping (Score:2)
PING IS NOT A SCRIPT
Re:Stupid crap (Score:2)
SUID can cause major problems and is a rather large vector for attack
ofcourse i may have missundersrtood you , do you mean developers who shove suid down our throats ?
from an admins point of view , i no more want suid on any system i manage than i want ordinary users having root access
Re:Stupid crap (Score:3, Informative)
Re:Stupid crap (Score:2)
Re:Stupid crap (Score:3, Interesting)
No it bloody won't. (Score:4, Informative)
Generally out of cron, which runs them as user oracle in a vanilla controlled environment, not whatever random or malicious environment some user running the scripts externally might set up.
. Instead, we'll get something worse: people writing binaries that SUID and execute any random shell script
Like sudo? For interactive work Mac OS X already has a mechanism to do this more safely, and for batch... well... if they're not already doing it for Linux systems that don't support setuid scripts, and didn't do it for UNIX before the brief life of setuid scripts, why would they start now?
Mod Down this loser/idiot (Score:2)
If you had any idea what the hell you are talking about or had even read ANY of this thread, you would know that virtually no one on "other unices" even uses this feature.
Re:Not such a great inconvenience (Score:2)
Scripts, fine. Try implementing su or sudo without it, and we'll see how much it's needed.
Re:There are still OSes that do that? (Score:3, Informative)
You might have been using a system that used the "suppress suid/guid" mount option.