Are setuid shell scripts safe? (Implied by security_bprm_creds_for_exec)

David Laight david.laight.linux at gmail.com
Mon Dec 1 21:39:38 UTC 2025


On Mon, 01 Dec 2025 12:53:10 -0600
"Eric W. Biederman" <ebiederm at xmission.com> wrote:

> Roberto Sassu <roberto.sassu at huaweicloud.com> writes:
...
> There is the partial solution of passing /dev/fd instead of passing the
> name of the script.  I suspect that would break things.  I don't
> remember why that was never adopted.

I thought that was what was done - and stopped the problem of a user
flipping a symlink between a suid script and one the user had written.

It has only ever been done for suid scripts when the uid actually changes.
Which makes it possible to set the permissions so that owner can't
run the script!
(The kernel only needs 'x' access, the shell needs 'r' access, so with 'x+s'
the owner can't execute the script but everyone else can.)

There is a much older problem that probably only affected the original 1970s
'sh' (not even the SysV/SunOS version) that quoted redirects on the command
line would get actioned when the parameter was substituted - which I think
means the original 'sh' did post-substitution syntax analysis (the same
as cmd.exe still does).
That doesn't affect any shells used since the early 1980s.

	David
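A small model of the two permission checks David describes above (the kernel needing 'x', the interpreter needing 'r' unless it is handed /dev/fd/N because the uid actually changed), written as an added example that is not from the thread or from any kernel source; the function names, uids and modes are constructed. Linux itself ignores the setuid bit on interpreter scripts, so this models the systems that honour it.

```python
"""Model of why 'x+s' without 'r' lets everyone except the owner run a setuid
script.  Two checks happen on exec of a #! script on systems that honour setuid:
  1. the kernel needs execute ('x') permission on the script, and
  2. the interpreter needs read ('r') permission, unless the kernel has already
     opened the script and passes /dev/fd/N instead of the path, which it does
     only when the uid actually changes (this also defeats the symlink-swap
     race, since the interpreter re-reads the same open file).
Illustrative model only; it is not kernel code.
"""
import stat


def _class_bits(mode, file_uid, file_gid, caller_uid, caller_gids):
    """Return (readable, executable) for the caller's permission class:
    owner if uids match, else group if the file's gid is one of the caller's
    groups, else other."""
    if caller_uid == file_uid:
        return bool(mode & stat.S_IRUSR), bool(mode & stat.S_IXUSR)
    if file_gid in caller_gids:
        return bool(mode & stat.S_IRGRP), bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IROTH), bool(mode & stat.S_IXOTH)


def can_run_script(mode, file_uid, file_gid, caller_uid, caller_gids):
    """Return (ok, reason) for a caller trying to exec the script."""
    readable, executable = _class_bits(mode, file_uid, file_gid,
                                       caller_uid, caller_gids)
    if not executable:
        return False, "kernel: no 'x' permission for this caller"
    # /dev/fd passing happens only for a setuid script whose uid differs.
    uid_changes = bool(mode & stat.S_ISUID) and file_uid != caller_uid
    if uid_changes:
        return True, "kernel opens the script and passes /dev/fd/N; 'r' unneeded"
    if not readable:
        return False, "interpreter: cannot read the script by path (no 'r')"
    return True, "interpreter reads the script by path"


if __name__ == "__main__":
    # Constructed case: owner uid 1000, mode --s--x--x (4111).
    for who, uid in (("owner", 1000), ("other user", 1001)):
        ok, why = can_run_script(0o4111, 1000, 1000, uid, {uid})
        print(f"{who:10s} mode 4111: {'runs' if ok else 'fails'} ({why})")
```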